Active Directory Migration Planning

Published on December 2016
Prepared for Cornell University
Page ii
©2010 Idea Integration
Revision and Signoff Sheet

Change Record

Date        Author            Version   Change reference
06/14/11    David Thompson    1.0       Initial Draft
06/23/11    David Thompson    1.1       Internal Review
06/30/11    David Thompson    1.2       Final version

Reviewers

Name             Version approved   Position   Date
Chris Lavelle    1.1                           06/26/2010




Table of Contents

1. Introduction
  1.1 Executive Summary
2. Intended Audience
3. Migration Overview
  3.1 Migration Challenges
  3.2 Key Features of Quest Migration Manager for Active Directory
  3.3 Migration Process Overview
  3.4 Team Composition
4. Current Active Directory Infrastructure
  4.1 CORNELL.EDU
  4.2 Additional Forests/Domains
  4.3 Development/Lab Environment
5. Areas of Remediation
  5.1 Ongoing Virtualization and Exchange Migration Projects
  5.2 Existing Microsoft SharePoint Deployments
  5.3 Existing Microsoft System Center Configuration Manager Deployments
  5.4 Existing Microsoft SQL Server Deployments
  5.5 Existing Microsoft Windows Server Update Service (WSUS)
  5.5 Certificate Services
  5.6 Centralized Backups - Tivoli Configuration Manager
  5.7 Schema Extensions (Biometrics)
  5.8 Workstation Rename Requirement
  5.9 RADIUS - Authentication Proxy Policy
  5.10 Deployed VPN Solutions
  5.11 Stand-Alone Workstation Migrations
6. Planning Recommendations
Appendix A: Sample High Level AD Migration Project Plan





1. Introduction
Cornell University is moving toward establishing a rationalized IT architecture which will provide an Enterprise Shared Services platform for common services such as authentication, messaging and collaboration. The Active Directory Migration Project is being undertaken to provide the base infrastructure on which these services will be provided. In addition, creating a Centralized Data Center Support Model for a campus-wide virtualized Server infrastructure is a key cost-saving driver being undertaken at the University and is directly linked to the Active Directory Migration Project.

1.1 Executive Summary
The objectives of this engagement, as indicated in the Statement of Work, are to deliver solution recommendations with consideration for the following items of scope and drivers to the business:
• Gather and review the existing Active Directory Forest and Domain implementation and associated documentation provided by the client.
• Review the various approaches for consolidation and make recommendations of risk mitigation strategies and tool selection.
• Generate an executive report outlining high level consolidation approach, activities, and toolsets.
• Generate high level work effort, tasking, and timeline for domain consolidation effort.

As part of the University's Server Virtualization Project, the support model dictates all virtualized servers be member servers of the cornell.edu Active Directory Forest/Domain. Scheduling has already begun for some of the 70+ domains across the campus to virtualize their server infrastructure. It is imperative that a coordinated Active Directory Migration Project schedule be prepared and implemented in support of this Server Virtualization Project. The transition for Cornell University to function in this centralized environment will introduce the following challenges:
• Operational Complexity - The CIT Identity Management Staff will now be responsible for all AD administration of domain controllers and all Active Directory functionality (mainly security related). Organizational Unit (OU) Administration delegation is in place to allow individual IT groups across the University to manage their own OU infrastructure relating to user/Group administration as well as rights/permissions to resources.
• Enterprise Applications - Schema Extensions, LDAP authentication, etc. will all occur under this centralized Active Directory environment. More design and policy creation may be required to produce a uniform way of Enterprise Applications existence in this environment.
• Agility - Growth and restructuring are part of normal operations for Cornell University. The IT infrastructure needs to handle these events as a more natural part of the IT ecosystem instead of as a major exception to the IT operations. Organizational restructuring should not alter the structure of the directory service.



2. Intended Audience
This document was written for and intended for Cornell University IT staff and supporting personnel. It is designed as a guide and roadmap for the development of an Active Directory Migration Plan at Cornell. All Cornell University IT staff and supporting personnel should be familiar with the concepts and terminology that follows in this document.






























3. Migration Overview
Active Directory migrations can be monumental tasks. This is especially true for large distributed and complex environments as discovered at Cornell University. It is essential that a solid discovery and analysis be completed on the entire enterprise prior to migration. All testing should be performed in an environment that mirrors the production environment as exactly as possible. Cornell University's lab environment will be a key asset in this testing. Although no two migration projects are exactly the same, utilizing industry best practices and partnering with an experienced solutions provider will greatly enhance the chances of completing a successful migration.

3.1 Migration Challenges
• Size and complexity - A restructuring project requires you to manage change to a large number of users and resources. Cornell University has 70+ domains to consolidate ranging from several thousand users and dozens of servers to domains with only a few dozen users and a handful of servers.
• Impact on users - Ideally, changes to your directory should occur without disrupting user productivity or requiring calls to the various help desk for support. Users should not need to log off, and they should continue to be able to access all appropriate resources during and after the restructuring project. Scheduling off-hours workstation migrations at Cornell could further reduce the impact on faculty and staff.
• Double administration during the transition period - When executing inter-forest migrations, there's inevitably a period of time when both old and new environments are intact. For some of the larger Service Areas/Colleges, it might take a considerable amount of time before everyone is migrated and the old environment can be decommissioned. During that time, any changes made in one directory have to be made in the other as well.
• Limited IT resources - A restructuring project can stretch your overworked IT department. Administrators might need to work nights or weekends. Overtime might be needed, and the restructuring project could drag on for many months.
• Lack of tools - Native tools and most third-party tools do not handle all aspects of Active Directory restructuring. Active Directory does not include tools to automatically merge two or more domains, split domains, move objects between domains and forests, or perform other Active Directory reconfiguration procedures. In addition, native tools and most third-party tools do not migrate all types of Active Directory objects and attributes. Nor do they update permissions across all platforms such as Exchange, SQL, and Active Directory. You might face several restructuring issues that cannot be addressed with your existing tools.
• Risk - Changes made directly to your production Cornell.edu environment can be risky. You need a way to restructure your directory that also allows you to preview and test your changes before applying them to your network. You also need a way to selectively roll back changes if something unexpected occurs.
• Security concerns - During restructuring, existing security measures, such as passwords and permissions, must be preserved. To maintain a secure environment, you need to clean up SIDHistory and track and delete source objects that have been migrated. These tasks are not easily accomplished with native tools.





3.2 Key Features of Quest Migration Manager for Active Directory
• ZeroIMPACT on Users - Migration Manager for Active Directory provides Active Directory restructuring with no disruption to users or your network. Migration Manager for Active Directory performs restructuring activities while allowing users to maintain uninterrupted access to all their resources, regardless of whether the resources are being moved. Users can be migrated while they are online, and they don't have to reboot their computers or log in and out of their accounts after the move.
• Directory Synchronization - Migration Manager for Active Directory has built-in synchronization capabilities to ease the burden of coexistence. It can synchronize account properties, group membership, and even passwords (even though this is not required in your environment), so administrators can simply make necessary changes in one environment and have those changes automatically replicated to the other environment. This reduces the administrative burden and improves security by keeping the environments consistent.
• Test Mode - A migration session can be executed in test mode. In test mode, Migration Manager for Active Directory attempts to actually perform the migration but does not create/merge the accounts in the Cornell.edu target environment. During this test, the tool detects most of the possible issues with the migration, including lack of permissions, matching conflicts, and missing linked objects (such as group members). This lets you safely experiment with migrations and resolve issues so they do not arise in your real migration.
• Centralized Project Management - Migration Manager for Active Directory gives administrators control of the migration project. Features include:
  ◦ Delegation of permissions over the migration project. For example, a local administrator might get read-only access to the project but full control over a task to migrate a set of OUs. This is not normally used, but wanted to mention it in case during the planning of the migrations it becomes an option we want to implement.
  ◦ Online queues for errors, matching conflicts, and missing linked objects (e.g., missing group members). Migration Engineers can check the queues and take corrective actions for problems. One option is for Migration Manager for Active Directory to keep trying to perform the synchronization. Once the issue gets resolved, Migration Manager for Active Directory automatically synchronizes the objects.
  ◦ Statistics portal. Migration Manager for Active Directory ships with Statistics Portal, which provides Web-based reporting and monitoring of the migration project. It provides both high-level statistics information and low-level migration details. With this tool it is easy to give read-only access to the migration information to anyone involved in the project. This tool requires additional setup requirements if it is deemed that this level of reporting is needed.
• Task Delegation - Migration Manager for Active Directory was created with large-scale migration projects in mind. Features include:
  ◦ Role-based administration. Migration tasks have permissions associated with them. As we discussed a possible multi-team approach at Cornell, migration projects can be split between migration teams without risk of interfering with each other's project tasks.



  ◦ Replicated project database. Migration Manager for Active Directory uses Microsoft Active Directory in Application Mode (ADAM) as its backend database. Because ADAM has built-in replication and support for Active Directory security model, you can now set up Migration Manager for Active Directory in multiple locations, give each team permissions for their parts of the project, and set replication so that all these migration tasks are still accomplished within the same common project.
• Integrated Product Set - Since Migration Manager for Active Directory was designed specifically for Active Directory restructuring, you can migrate any type of object including sites and subnets, contacts, printer queues and volume objects. You can migrate all object attributes, including passwords, security descriptors, and linked attributes. Synchronization and scheduling is integrated into the tool so you don't have to use the command line or set up Windows Scheduled Tasks. Also included is a resource kit with utilities that assist with restructuring tasks and further minimize the impact to users. The GPO migration tool is one example of a provided utility that would assist in the consolidation of the domains into their respective OUs within Cornell.edu.
• Comprehensive Resource Update - To ensure that users retain access to network resources during and after restructuring, Migration Manager for Active Directory provides comprehensive resource updating. After migration, you must update network resources to apply the permissions from source objects to target objects. Migration Manager for Active Directory can process all files and folders regardless of the permissions or ownership. It can update all resources, including:
  ◦ Distributed resources such as files, folders, services and user profiles
  ◦ Security descriptors of Active Directory objects
  ◦ Microsoft SQL Server version 7.0, 2000, 2005, and 2008 permissions
  ◦ Microsoft Internet Information Services (IIS) Server version 4, 5, and 6 permissions
  ◦ Microsoft Systems Management Server 2003 and System Center Operations Manager 2007 permissions
  Migration Manager for Active Directory updates resources quickly and efficiently by performing resource update locally. In addition, it updates permissions for all migrated users and computers at the same time, even if they were migrated from different source domains. Migration Manager for Active Directory also allows you to schedule resource updating for off-peak hours and to retry at specified intervals if a computer is offline.
• Granular Undo Capabilities - Migration Manager for Active Directory offers several undo options so that you can quickly roll back changes should something unexpected occur as a result of restructuring. You can roll back any change you've made, from changes made in several sessions to a single operation on a single object. As you migrate objects, a project database captures all the changes made in the target Cornell.edu domain by any migration session, and the source domain remains untouched until disabled or deleted. All resource update tools have revert mode, in which they restore source permissions in resource ACLs.
• Post-Migration Cleanup - Migration Manager for Active Directory provides several options and tools to ensure maximum security, integrity, and performance of your restructured environment. To make sure that resources are accessed properly after restructuring, Migration Manager for Active Directory allows you to delete SIDHistory entries for migrated accounts and remove references to source accounts from ACLs. Migration Manager for Active Directory also provides options to disable or delete source accounts and clean your network of any unused objects that could affect the security and stability of your environment.

3.3 Migration Process Overview
The steps outlined below are meant as a high level overview of the migration process. Planning, Discovery, and Pre-migration tasks (service account creation, establishing two-way trusts, disabling SIDHistory filtering, etc.) are also critical components of a successful migration that will be listed in greater detail when a migration plan is put in place for the migration of a source domain to the target Cornell.edu domain.
• Account Migration - Selected accounts are merged (through the use of a mapping file) from selected source domains to the target Cornell.edu domain.
• Ongoing Directory Synchronization - For all or selected migrated accounts, synchronization can be established so the account properties, including group membership are kept in sync for the coexistence period. This is a requirement if QMM is being used for an Exchange migration as well. In Cornell's environment it may not be necessary for directory synchronization to be used. More detail on this will appear during discussions of an actual migration planning session.
• Resource Processing - Access permissions to files, shares, printers, and other securable objects are updated. This can run multiple times if needed. We will need to follow up on the testing of the TSM Backup agent to determine best approach.
• Switching to the New Domain - Source accounts are disabled, if possible to prevent users from continuing to log into the source domain. Users begin using their Cornell.edu (NetID) accounts and passwords to log into the Cornell.edu domain.
• Post-Migration Cleanup - Source accounts are cleaned up and deleted and SIDHistory is removed for all target accounts to ensure maximum security, integrity, and performance of the target environment.
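
The post-migration cleanup step depends on knowing which SIDHistory values remain on target accounts and whether each one is still needed. The PowerShell below is an added example, not part of the original document or of the Quest toolset; `Get-SidHistoryFinding` is a hypothetical helper name, and every domain SID, domain name and account in it is a constructed placeholder.

```powershell
# Added example: triage residual sIDHistory values on target-domain accounts
# before post-migration cleanup. All SIDs, names and accounts are constructed.

# RIDs of built-in privileged principals. A sIDHistory value ending in one of
# these carries that principal's rights in the source domain.
$PrivilegedRids = @{
    '500' = 'Administrator'
    '512' = 'Domain Admins'
    '516' = 'Domain Controllers'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
    '520' = 'Group Policy Creator Owners'
}

function Get-SidHistoryFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $Account,
        # Discovery inventory: source domain SID -> @{ Name; Decommissioned }
        [Parameter(Mandatory)]
        [hashtable] $SourceDomains,
        [Parameter(Mandatory)]
        [string] $TargetDomainSid
    )
    process {
        foreach ($entry in $Account.sIDHistory) {
            if (-not $entry) { continue }
            # Split "S-1-5-21-a-b-c-RID" into the domain SID and the RID.
            $sid = [string]$entry
            $cut = $sid.LastIndexOf('-')
            $dom = $sid.Substring(0, $cut)
            $rid = $sid.Substring($cut + 1)

            if ($dom -eq $TargetDomainSid) {
                $action = 'INVESTIGATE'
                $reason = 'SID belongs to the target domain itself, which no migration produces'
            }
            elseif ($PrivilegedRids.ContainsKey($rid)) {
                $action = 'INVESTIGATE'
                $reason = "Privileged source principal: $($PrivilegedRids[$rid])"
            }
            elseif (-not $SourceDomains.ContainsKey($dom)) {
                $action = 'INVESTIGATE'
                $reason = 'Domain SID is not in the source domain inventory'
            }
            elseif ($SourceDomains[$dom]['Decommissioned']) {
                $action = 'REMOVE'
                $reason = "Source domain $($SourceDomains[$dom]['Name']) is decommissioned"
            }
            else {
                $action = 'RETAIN'
                $reason = "Resource processing for $($SourceDomains[$dom]['Name']) is not finished"
            }

            [pscustomobject]@{
                Account = $Account.sAMAccountName
                Sid     = $sid
                Action  = $action
                Reason  = $reason
            }
        }
    }
}

# Constructed inventory and accounts so the example runs without a domain.
$TargetSid = 'S-1-5-21-1000000001-1000000002-1000000003'
$Sources = @{
    'S-1-5-21-2000000001-2000000002-2000000003' = @{ Name = 'dept-a.example'; Decommissioned = $true }
    'S-1-5-21-3000000001-3000000002-3000000003' = @{ Name = 'dept-b.example'; Decommissioned = $false }
}
$Sample = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';       sIDHistory = @('S-1-5-21-2000000001-2000000002-2000000003-1105') }
    [pscustomobject]@{ sAMAccountName = 'asmith';     sIDHistory = @('S-1-5-21-3000000001-3000000002-3000000003-1342') }
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; sIDHistory = @('S-1-5-21-3000000001-3000000002-3000000003-512') }
    [pscustomobject]@{ sAMAccountName = 'tmp-admin';  sIDHistory = @('S-1-5-21-4000000001-4000000002-4000000003-1201') }
    [pscustomobject]@{ sAMAccountName = 'kbrown';     sIDHistory = @('S-1-5-21-1000000001-1000000002-1000000003-1110') }
)

$Sample |
    Get-SidHistoryFinding -SourceDomains $Sources -TargetDomainSid $TargetSid |
    Sort-Object Action, Account |
    Format-Table -AutoSize

# Against a live directory (requires the ActiveDirectory module), feed it with:
#   Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName, sIDHistory
```

Running the triage after each source domain's resource processing gives a short list of values that are safe to remove and a separate list that needs review before the source domain is decommissioned.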
3.4 Team Composition
The team member descriptions outlined below identify critical skillsets required for a successful Active Directory Migration Project:
• Project Manager - As with any major project, having the right person(s) in the Project Manager role is a major reason for the success or failure of a project. Using proven project management framework (ITIL, MSF, etc.) will assist in the successful tracking of assigned tasks and deadlines, as well as, risk management and sign-off when exiting major milestones. Providing timely status reports will alert management to any critical issues, resource constraints, or budgeting/burn rate concerns. Past migration experience is helpful but not a requirement. Working closely with the Technical Project Lead can overcome lack of migration experience.
• Technical Project Lead - This person acts as the Subject Matter Expert (SME) for the entire migration project. Works closely with the Project Manager for assignment and scheduling of tasks. Attends technical, as well as, non-technical meetings. Acts as the liaison between IT management and the migration engineers. Assists the Project Manager in the kick-off meetings by giving a migration overview presentation, addressing departmental concerns, and begins the discovery process for each source domain scheduled for migration.
• Migration Engineer - This person(s) acts as the technical engineer. Experience with the migration tools and having completed large scale migration projects is a must. Responsible for the installation and configuration of the migration tools. Works with IT staff to complete all necessary setup (production and lab environment if possible), testing, and successful test case completion. Will raise any concerns to the Technical Project Lead for resolution and tracking. Will be responsible for the completion of the actual migration steps as related to the toolset. Will ensure the health of the migration toolset and its related database.
• Cornell IT Staff Member - This person(s) will work with the migration engineer during the entire process. Will need to have extensive knowledge of the current production environment, as well as, knowledge of the source domains targeted for migrations. Will work with migration engineer and source domain IT staff in the completion of the pre-migration tasks. Resolves any issues related to the target domain (permissions, rights, availability, etc.).






4. Current Active Directory Infrastructure
During IDEA Integration's onsite visit, a brief overview of the current target domain (cornell.edu) was provided. Meetings were held with a sampling of other colleges/service areas that may become some of the first source domains to be migrated. Again, brief overviews of these source domains were provided during our meetings. A thorough discovery process would occur for each of these source domains when scheduled for an actual migration project.

4.1 CORNELL.EDU
• This is the current campus-wide forest/domain containing nearly 400k user accounts.
• It is currently running in native 2008 domain and forest functional levels.
• There is one child domain (citstaff.cornell.edu) that is in the process of being decommissioned.
• All users, campus-wide, have an account (NetID) in this domain provisioned by ILM. An instance of MIT Kerberos is in place for provisioning of the NetID account and maintains password synchronization with the cornell.edu domain.
• The NetID account also serves as the authentication method for CUWebLogin (access to most campus web applications).
• Guests (users without a NetID) are provisioned in the cornell.edu domain using a guest ID naming convention.
• Campus wide Microsoft Exchange 2007 environment is contained in the cornell.edu forest as well. Plans to upgrade to Exchange 2010 are in place.
• OU Administration Delegation has been set up using QUEST Active Role Server (ARS) to grant College/Service Area IT staff rights to administer their assigned OU upon completion of the consolidation effort.
• All Domain Controllers are located within the campus's two data centers. A possible third data center will be stood up for disaster recovery protection and would contain additional Domain Controllers.

4.2 Additional Forests/Domains
As part of this engagement, Idea met with the following sampling of source domains and support staff during onsite visit:
• Facilities
• S & C
• A & Life Services
• Campus Life / Admin Services
• Nanoscale / Johnson School of Management / Law School
• Exchange Administration

The information obtained during these productive meetings has assisted greatly with the content and recommendations listed in this document.




4.3 Development/Lab Environment
There is a virtualized lab environment for the Cornell.edu domain built on VMware technology. The QMM Console and Database are fully supported in a virtual environment and as stated previously, the availability of this test environment could prove crucial to a successful migration experience. Testing of the migration process and completing the test cases and potentially more important, the testing and sign-off of the source domain applications deemed critical or high-risk, will build confidence in the migration process and greatly assist in staying on track with the scheduling of tasks.






5. Areas of Remediation
A major component to the overall plan of a project is Risk Management. Risk Management is the identification, assessment, and prioritization of risks followed by a strategy to manage the identified risks. Avoiding the risk, reducing the risk, or even accepting some or all of the consequences of a particular risk are all examples of managing risks. The identified areas below are some of the risks discovered during the onsite visit that will require some type of remediation. A more complete Risk Assessment would be part of the actual project plan for the Active Directory Migration Project.

5.1 Ongoing Virtualization and Exchange Migration Projects
There are several ongoing and planned projects at Cornell. The introduction of more than 'one' change at a time during a migration project is not desirable and can lead to an unsatisfactory user experience. Careful collaboration with the Virtualization and Exchange Migration projects is imperative. Each separate project should have its own 'freeze' period by which no other changes are being made while the current project is progressing. A strong project management presence is required to ensure communications and tasks scheduling are completed and documented.

5.2 Existing Microsoft SharePoint Deployments
While a co-existence period will be kept to a minimum, user experience can be affected during this timeframe. SharePoint is a web-based application and as such does not benefit from the use of SidHistory for granting access to a particular workspace. New account access will need to be granted prior to a user's migration or the user will be prompted for its username/password from the source domain until the SharePoint deployment has been 'moved' into the target domain (cornell.edu). There have been some preliminary discussions about deploying a campus-wide SharePoint.

5.3 Existing Microsoft System Center Configuration Manager Deployments
During co-existence, workstations that have joined the target domain but are still being managed by a SCCM deployment in the source domain will lose some functionality. The ability to deploy by OU is a key limitation. A campus-wide SCCM deployment project has started and would be the final solution at some point.

5.4 Existing Microsoft SQL Server Deployments
Rights to databases on SQL servers that are assigned via domain accounts will need to be updated during migration of the SQL servers when they are joined to the target domain. This can be done via scripting or if an automated toolset (QMM for AD) is being leveraged for the migration; the toolset should be able to automate this process through the SQL resource update process.

5.5 Existing Microsoft Windows Server Update Service (WSUS)
This is a minimal issue normally during a migration. If a campus-wide WSUS server is available for use when the migrated workstations are joined to the target domain, a simple update on the workstation to point to the new WSUS server will be required. This can be done via Group Policy Object (GPO).



5.5 Certificate Services
During the discovery process of the project, any deployed certificate services will need to be addressed. Certain deployments (i.e. Wireless Authentication) can be mitigated by the deployment of additional Cornell.edu domain certificates. If an actual Certificate Authority has been deployed in a source domain, coordination in the project plan will need to be tracked to ensure a smooth transition to a deployed CA in the Cornell.edu domain as well as any application utilizing certificates from the source CA.

5.6 Centralized Backups - Tivoli Configuration Manager
Coordination (or possible halting) of the workstation backup agent will need to occur to ensure no interruption of the migration process. Additional testing is taking place currently to determine behavior of a newly joined workstation to the target domain and/or permission changes of files and folders to document behavior of the backup post migration (full backup vs. incremental).

5.7 Schema Extensions (Biometrics)
A decision paper and then eventually a campus-wide policy needs to be in effect regarding the handling of Schema Extensions in the Cornell.edu domain. For this particular extension, the use of other two-factor authentication options could possibly allow the use of Biometrics to be discontinued in the Cornell.edu domain.

5.8 Workstation Rename Requirement
All workstations joining the target domain will need to comply with the campus-wide naming standard. This additional step can be performed prior to, during, or post migration. The requirement during the discovery phase of the migration project to produce an accurate workstation inventory for each source domain usually means renaming workstations prior to migration works most efficiently. Another factor in the Cornell environment to take into consideration is workstations that utilize the TSM Backup agent and the need to reload/update the machine names upon being renamed within Tivoli.

5.9 RADIUS - Authentication Proxy Policy
If source domain accounts are being used to authenticate users via a RADIUS deployment, steps need to be in place on the RADIUS server to ensure target domain accounts are also searchable for authentication. If universal NetID accounts are being used no further steps should be required.

5.10 Deployed VPN Solutions
A decision paper and an eventual campus-wide policy should be in place regarding the use of a campus-wide VPN solution or continue to allow each college/service area to maintain their own VPN solution. Input from Security would be required to ensure its policies are being met.
5.11 Stand-Alone Workstation Migrations
Workstations that are not currently joined to a domain would require a simple join to the target domain. Updating their profiles on the workstation would require some type of script or program designed for this purpose. This would be a subset of tasks in the migration project plan outside of normal migration activities. Idea would work with Cornell IT staff in the development of this process and evaluate scripts/tools that would provide the maximum benefit to completing this required task.




ź. Planning Recommendations
1he followlng recommendaLlons are proposed for revlew and dlscusslonť
• Use of Quest Migration Manager (QMM) for Active Directory - Based on the size, duration,
and complexity of this project, Idea strongly recommends the use of a complete end-to-end
migration solution inclusive of the Quest migration tools. Key features and benefits of using
QMM are noted in section 3.2 of this document and address the migration concerns noted in
section 3.1. Use of this toolset will allow for a repeatable migration process for each source
domain targeted for migration that can continually be refined during the entire Active
Directory Migration project.
• Commitment to Project Management (PM) - As noted earlier in the document, Idea would
recommend (require) dedicated PM(s) to the migration project. This is essential to a
successful migration.
• One Migration Team vs. Multiple Migration Teams - This is normally dictated by balancing
cost versus project deadlines. A migration team (composition listed previously in document)
can handle up to three source domain migrations in different phases of the migration
process (one in pre-migration, one in active migration, and one in post-migration). If two
migration teams are utilized a potential of six source domain migrations could be managed.
With over 70+ domains to consolidate by a potential deadline of July 2012, Idea
recommends strong consideration should be given to utilizing this multiple migration team
scenario.
• Coordinated Scheduling with other ongoing projects - Per onsite discussions, Active
Directory migrations on a particular source domain should occur prior to that college/service
area's virtualization Project. This would eliminate the need for multiple steps focused
around permissions/administration and make for a more smooth transition to a virtualized
environment. In addition, there are ongoing email/Exchange migrations occurring that will
need to be taken into account when scheduling college/service areas for Active Directory
migrations to ensure no conflicts or undesirable end-user experiences. Idea recommends
the merging of the AD migration project plan to a single consolidated project plan for each
College/Service Area scheduled for consolidation. This consolidated project plan would not
only track the AD migration portion of the project but also ensure that the additional
projects (virtualization and email migrations) for each source domain are scheduled
efficiently and without conflict of one another.
• Roadmaps and Prioritization for Campus-Wide Services - An area of concern that most
people expressed during our meetings was around timelines for SCCM and SharePoint.
Addressing these concerns with some valid timelines would assist in the risk mitigation
planning during the discovery phase of the project. Idea recommends the development and
creation of a task force or steering committee that consists of the sponsor and at least one
team member of each related project (AD, Exchange, virtualization, SCCM, and SharePoint
deployment) so that each group has visibility into the scheduling and risk mitigation
activities supporting the AD projects and understand potential impacts to their projects.

Appendix A: Sample High Level AD Migration Project Plan

Task Name
High Level AD Migration Project Plan Example
Envisioning
Project Kickoff
High Level Project Plan
Set-up Project Management Office
Vision\Scope definition
Communication Plan
Envisioning closeout
Planning
Capture - Current State Analysis
Architecture/Design
Deployment Scheduling
Detailed Project Plan
Planning closeout
Developing
Lab Build Out
Design Lab Architecture
Design physical layout
Design logical layout
Determine hardware requirements
Finalize lab architecture
Infrastructure Servers Build
Implement Network Topology
Load base server OS
Lab Environments
Build out Infrastructure
Install Active Directory Environment
Install and Configure Quest Migration Tools
Migration Testing
User Synchronization
Workstation Migration
Resource Update Manager
Member Server Migration
Other Services (DNS, DHCP, Linux, Etc.)
Test Plans
Develop test plans
Verify test plans
Execute test plans with QA
Develop Migration Plans
Build Migration Documents
Pre-production Tasks
Provision required Hardware in Production
Disable SIDHistory Filtering
Verify Quest Account Permissions
Install Quest tools into Production
Finalize Pilot Group
AD Synchronization
Development closeout
Stabilization
Pilot Rollout/Testing
Coordinate/Execute Schedule for User/Workstation Migration
Execute Migration
Validate results
Migration Scheduling
Develop Migration Sessions
Approve/Finalize Session Schedule
Helpdesk Coordination
Knowledge Transfer
Coordinate Migration Activities
Go - No Go meeting
Stabilization closeout
Pre-Deployment Tasks
Coordinate Change Control
Agent Installs
Deployment
User/Groups Migration
Workstation Migration
Resource/Profile Updating
User Switch (Workstation Move)
Member Server Migration
Coordinate with Server/Application Owner
Submit Change Control
Post Migration Activities
Deployment Closeout
