1. Introduction
Cornell University is moving toward establishing a rationalized IT architecture which will provide an
Enterprise Shared Services platform for common services such as authentication, messaging and
collaboration. The Active Directory Migration Project is being undertaken to provide the base
infrastructure on which these services will be provided. In addition, creating a Centralized Data
Center Support Model for a campus-wide virtualized Server Infrastructure is a key cost-saving driver
being undertaken at the University and is directly linked to the Active Directory Migration Project.
1.1 Executive Summary
The objectives of this engagement, as indicated in the Statement of Work, are to deliver solution
recommendations with consideration for the following items of scope and drivers to the business:
• Gather and review the existing Active Directory Forest and Domain implementation
  and associated documentation provided by the client.
• Review the various approaches for consolidation and make recommendations of risk
  mitigation strategies and tool selection.
• Generate an executive report outlining high level consolidation approach, activities,
  and toolsets.
• Generate high level work effort, tasking, and timeline for domain consolidation
  effort.
2. Intended Audience
This document was written for and intended for Cornell University IT staff and supporting
personnel. It is designed as a guide and roadmap for the development of an Active Directory
Migration Plan at Cornell. All Cornell University IT staff and supporting personnel should be
familiar with the concepts and terminology that follow in this document.
3. Migration Overview
Active Directory migrations can be monumental tasks. This is especially true for large, distributed
and complex environments as discovered at Cornell University. It is essential that a solid discovery
and analysis be completed on the entire enterprise prior to migration. All testing should be
performed in an environment that mirrors the production environment as exactly as possible.
Cornell University's lab environment will be a key asset in this testing. Although no two migration
projects are exactly the same, utilizing industry best practices and partnering with an experienced
solutions provider will greatly enhance the chances of completing a successful migration.
3.1 Migration Challenges
• Size and complexity – A restructuring project requires you to manage change to a large
  number of users and resources. Cornell University has 70+ domains to consolidate ranging
  from several thousand users and dozens of servers to domains with only a few dozen users
  and a handful of servers.
• Impact on users – Ideally, changes to your directory should occur without disrupting user
  productivity or requiring calls to the various help desks for support. Users should not need to
  log off, and they should continue to be able to access all appropriate resources during and
  after the restructuring project. Scheduling off-hours workstation migrations at Cornell could
  further reduce the impact on faculty and staff.
• Double administration during the transition period – When executing inter-forest
  migrations, there's inevitably a period of time when both old and new environments are
  intact. For some of the larger Service Areas/Colleges, it might take a considerable amount of
  time before everyone is migrated and the old environment can be decommissioned. During
  that time, any changes made in one directory have to be made in the other as well.
• Limited IT resources – A restructuring project can stretch your overworked IT department.
  Administrators might need to work nights or weekends. Overtime might be needed, and the
  restructuring project could drag on for many months.
• Lack of tools – Native tools and most third-party tools do not handle all aspects of Active
  Directory restructuring. Active Directory does not include tools to automatically merge two
  or more domains, split domains, move objects between domains and forests, or perform
  other Active Directory reconfiguration procedures. In addition, native tools and most third-party
  tools do not migrate all types of Active Directory objects and attributes. Nor do they
  update permissions across all platforms such as Exchange, SQL, and Active Directory. You
  might face several restructuring issues that cannot be addressed with your existing tools.
• Risk – Changes made directly to your production Cornell.edu environment can be risky. You
  need a way to restructure your directory that also allows you to preview and test your
  changes before applying them to your network. You also need a way to selectively roll back
  changes if something unexpected occurs.
• Security concerns – During restructuring, existing security measures, such as passwords and
  permissions, must be preserved. To maintain a secure environment, you need to clean up
  SIDHistory and track and delete source objects that have been migrated. These tasks are not
  easily accomplished with native tools.
  Active Directory also provides options to disable or delete source accounts and clean your
  network of any unused objects that could affect the security and stability of your
  environment.
management and the migration engineers. Assist the Project Manager in the kick-off
meetings by giving a migration overview presentation, addressing departmental concerns,
and begins the discovery process for each source domain scheduled for migration.
• Migration Engineer – This person(s) acts as the technical engineer. Experience with the
  migration tools and having completed large scale migration projects is a must. Responsible
  for the installation and configuration of the migration tools. Works with IT staff to complete
  all necessary setup (production and lab environment if possible), testing, and successful test
  case completion. Will raise any concerns to the Technical Project Lead for resolution and
  tracking. Will be responsible for the completion of the actual migration steps as related to
  the toolset. Will ensure the health of the migration toolset and its related database.
• Cornell IT Staff Member – This person(s) will work with the migration engineer during the
  entire process. Will need to have extensive knowledge of the current production
  environment, as well as knowledge of the source domains targeted for migrations. Will
  work with migration engineer and source domain IT staff in the completion of the pre-migration
  tasks. Resolves any issues related to the target domain (permissions, rights,
  availability, etc.).
4. Current Active Directory Infrastructure
During IDEA Integration's onsite visit, a brief overview of the current target domain (cornell.edu) was
provided. Meetings were held with a sampling of other colleges/service areas that may become
some of the first source domains to be migrated. Again, brief overviews of these source domains
were provided during our meetings. A thorough discovery process would occur for each of these
source domains when scheduled for an actual migration project.
4.1 CORNELL.EDU
• This is the current campus-wide forest/domain containing nearly 400k user accounts.
• It is currently running in native 2008 domain and forest functional levels.
• There is one child domain (citstaff.cornell.edu) that is in the process of being
  decommissioned.
• All users, campus-wide, have an account (NetID) in this domain provisioned by ILM. An
  instance of MIT Kerberos is in place for provisioning of the NetID account and maintains
  password synchronization with the cornell.edu domain.
• The NetID account also serves as the authentication method for CUWebLogin (access to
  most campus web applications).
• Guests (users without a NetID) are provisioned in the cornell.edu domain using a guest ID
  naming convention.
• Campus-wide Microsoft Exchange 2007 environment is contained in the cornell.edu forest as
  well. Plans to upgrade to Exchange 2010 are in place.
• OU Administration Delegation has been set up using QUEST Active Role Server (ARS) to grant
  College/Service Area IT staff rights to administer their assigned OU upon completion of the
  consolidation effort.
• All Domain Controllers are located within the campus's two data centers. A possible third
  data center will be stood up for disaster recovery protection and would contain additional
  Domain Controllers.
4.2 Additional Forests/Domains
As part of this engagement, Idea met with the following sampling of source domains and support
staff during onsite visit:
• Facilities
• S & C
• A & Life Services
• Campus Life / Admin Services
• Nanoscale / Johnson School of Management / Law School
• Exchange Administration
The information obtained during these productive meetings has assisted greatly with the content
and recommendations listed in this document.
4.3 Development/Lab Environment
There is a virtualized lab environment for the Cornell.edu domain built on VMware technology. The
QMM Console and Database are fully supported in a virtual environment and as stated previously,
the availability of this test environment could prove crucial to a successful migration experience.
Testing of the migration process and completing the test cases and potentially more important, the
testing and sign-off of the source domain applications deemed critical or high-risk, will build
confidence in the migration process and greatly assist in staying on track with the scheduling of
tasks.
project plan outside of normal migration activities. Idea would work with Cornell IT staff in
the development of this process and evaluate scripts/tools that would provide the maximum
benefit to completing this required task.
6. Planning Recommendations
The following recommendations are proposed for review and discussion:
• Use of Quest Migration Manager (QMM) for Active Directory – Based on the size, duration,
  and complexity of this project, Idea strongly recommends the use of a complete end-to-end
  migration solution inclusive of the Quest migration tools. Key features and benefits of using
  QMM are noted in section 3.2 of this document and address the migration concerns noted in
  section 3.1. Use of this toolset will allow for a repeatable migration process for each source
  domain targeted for migration that can continually be refined during the entire Active
  Directory Migration project.
• Commitment to Project Management (PM) – As noted earlier in the document, Idea would
  recommend (require) dedicated PM(s) to the migration project. This is essential to a
  successful migration.
• One Migration Team vs. Multiple Migration Teams – This is normally dictated by balancing
  cost versus project deadlines. A migration team (composition listed previously in document)
  can handle up to three source domain migrations in different phases of the migration
  process (one in pre-migration, one in active migration, and one in post-migration). If two
  migration teams are utilized a potential of six source domain migrations could be managed.
  With over 70+ domains to consolidate by a potential deadline of July 2012, Idea
  recommends strong consideration should be given to utilizing this multiple migration team
  scenario.
• Coordinated Scheduling with other ongoing projects – Per onsite discussions, Active
  Directory migrations on a particular source domain should occur prior to that college/service
  area's Virtualization Project. This would eliminate the need for multiple steps focused
  around permissions/administration and make for a smoother transition to a virtualized
  environment. In addition, there are ongoing email/Exchange migrations occurring that will
  need to be taken into account when scheduling college/service areas for Active Directory
  migrations to ensure no conflicts or undesirable end-user experiences. Idea recommends
  the merging of the AD migration project plan to a single consolidated project plan for each
  College/Service Area scheduled for consolidation. This consolidated project plan would not
  only track the AD migration portion of the project but also ensure that the additional
  projects (virtualization and email migrations) for each source domain are scheduled
  efficiently and without conflicting with one another.
• Roadmaps and Prioritization for Campus-Wide Services – An area of concern that most
  people expressed during our meetings was around timelines for SCCM and SharePoint.
  Addressing these concerns with some valid timelines would assist in the risk mitigation
  planning during the discovery phase of the project. Idea recommends the development and
  creation of a task force or steering committee that consists of the sponsor and at least one
  team member of each related project (AD, Exchange, virtualization, SCCM, and SharePoint
  deployment) so that each group has visibility into the scheduling and risk mitigation
  activities supporting the AD projects and understands potential impacts to their projects.
Knowledge Transfer
Coordinate Migration Activities
Go - No Go meeting
Stabilization closeout
Pre-Deployment Tasks
Coordinate Change Control
Agent Installs
Deployment
User/Groups Migration
Workstation Migration
Resource/Profile Updating
User Switch (Workstation Move)
Member Server Migration
Coordinate with Server/Application Owner
Submit Change Control
Post Migration Activities
Deployment Closeout