Professional Documents
Culture Documents
Migration Planning Final
Migration Planning Final
Migration Planning Final
Planning
Prepared for
Cornell University
Tuesday June 23, 2011
Version 1.2
Final
Prepared by
David Thompson
Infrastructure Consultant
David.Thompson5555@idea.com
Author
Version
Change reference
06/14/1
1
David
Thompson
1.0
Initial Draft
06/23/1
1
David
Thompson
1.1
Internal Review
06/30/1
1
David
Thompson
1.2
Final Version
Reviewers
Name
Version
approved
Chris
Lavelle
1.1
Position
Date
06/26/2010
Page iii
Table of Contents
1.
Introduction....................................................................5
2.
Intended Audience...........................................................6
3.
Migration Overview.........................................................7
4.
4.1 CORNELL.EDU......................................................................................... 12
4.2 Additional Forests/Domains....................................................................12
4.3 Development/Lab Environment..............................................................13
5.
Areas of Remediation.....................................................14
6.
Planning Recommendations............................................17
Page iv
1.
Introduction
1.1
Executive Summary
Gather and review the existing Active Directory Forest and Domain
implementation and associated documentation provided by the
client.
Generate high level work effort, tasking, and timeline for domain
consolidation effort.
Page 5
2010 Idea
Integration
2.
Intended Audience
This document was written for and intended for Cornell University IT staff
and supporting personnel. It is designed as a guide and roadmap for the
development of an Active Directory Migration Plan at Cornell. All Cornell
University IT staff and supporting personnel should be familiar with the
concepts and terminology that follows in this document.
Page 6
2010 Idea
Integration
Page 7
2010 Idea
Integration
3.
Migration Overview
Active Directory migrations can be monumental tasks. This is especially true for
large distributed and complex environments as discovered at Cornell University.
It is essential that a solid discovery and analysis be completed on the entire
enterprise prior to migration. All testing should be performed in an environment
that mirrors the production environment as exactly as possible. Cornell
Universitys lab environment will be a key asset in this testing. Although no two
migration projects are exactly the same, utilizing industries best practices and
partnering with an experienced solutions provider will greatly enhance the
chances of completing a successful migration.
3.1
Migration Challenges
Size and complexity A restructuring project requires you to manage
change to a large number of users and resources. Cornell University has
70+ domains to consolidate ranging from several thousand users and
dozens of servers to domains with only a few dozen users and a handful of
servers.
Impact on users Ideally, changes to your directory should occur
without disrupting user productivity or requiring calls to the various help
desk for support. Users should not need to log off, and they should
continue to be able to access all appropriate resources during and after
the restructuring project. Scheduling off-hours workstation migrations at
Cornell could further reduce the impact on faculty and staff.
Double administration during the transition period When
executing inter-forest migrations, theres inevitably a period of time when
both old and new environments are intact. For some of the larger Service
Areas/Colleges, it might take a considerable amount of time before
everyone is migrated and the old environment can be decommissioned.
During that time, any changes made in one directory have to be made in
the other as well.
Limited IT resources A restructuring project can stretch your
overworked IT department. Administrators might need to work nights or
weekends. Overtime might be needed, and the restructuring project could
drag on for many months.
Lack of tools Native tools and most third-party tools do not handle all
aspects of Active Directory restructuring. Active Directory does not include
tools to automatically merge two or more domains, split domains, move
objects between domains and forests, or perform other Active Directory
reconfiguration procedures. In addition, native tools and most third-party
tools do not migrate all types of Active Directory objects and attributes.
Nor do they update permissions across all platforms such as Exchange,
SQL, and Active Directory. You might face several restructuring issues that
cannot be addressed with your existing tools.
Risk Changes made directly to your production Cornell.edu environment
can be risky. You need a way to restructure your directory that also allows
you to preview and test your changes before applying them to your
Page 8
2010 Idea
Integration
network. You also need a way to selectively roll back changes if something
unexpected occurs.
Security concerns During restructuring, existing security measures,
such as passwords and permissions, must be preserved. To maintain a
secure environment, you need to clean up SIDHistory and track and delete
source objects that have been migrated. These tasks are not easily
accomplished with native tools.
2010 Idea
Integration
Engineers can check the queues and take corrective actions for
problems. One option is for Migration Manager for Active Directory
keeps trying to perform the synchronization. Once the issue gets
resolved, Migration Manager for Active Directory automatically
synchronizes the objects.
o
Statistics portal. Migration Manager for Active Directory ships
with Statistics Portal, which provides Web-based reporting and
monitoring of the migration project. It provides both high-level
statistics information and low-level migration details. With this tool it is
easy to give read-only access to the migration information to anyone
involved in the project. This tool requires additional setup
requirements if it is deemed that this level of reporting is needed.
Task Delegation Migration Manager for Active Directory was created
with large-scale migration projects in mind. Features include:
o
Role-based administration. Migration tasks have permissions
associated with them. As we discussed a possible multi-team approach
at Cornell, migration projects can be split between migration teams
without risk of interfering with each others project tasks.
o
Replicated project database. Migration Manager for Active
Directory uses Microsoft Active Directory in Application Mode (ADAM) as
its backend database. Because ADAM has built-in replication and
support for Active Directory security model, you can now set up
Migration Manager for Active Directory in multiple locations, give each
team permissions for their parts of the project, and set replication so
that all these migration tasks are still accomplished within the same
common project.
Integrated Product Set Since Migration Manager for Active Directory
was designed specifically for Active Directory restructuring, you can
migrate any type of object including sites and subnets, contacts, printer
queues and volume objects. You can migrate all object attributes,
including passwords, security descriptors, and linked attributes.
Synchronization and scheduling is integrated into the tool so you dont
have to use the command line or set up Windows Scheduled Tasks. Also
included is a resource kit with utilities that assist with restructuring tasks
and further minimize the impact to users. The GPO migration tool is one
example of a provided utility that would assist in the consolidation of the
domains into their respective OUs within Cornell.edu.
Comprehensive Resource Update To ensure that users retain access
to network resources during and after restructuring, Migration Manager for
Active Directory provides comprehensive resource updating. After
migration, you must update network resources to apply the permissions
from source objects to target objects. Migration Manager for Active
Directory can process all files and folders regardless of the permissions or
ownership. It can update all resources, including:
o
Distributed resources such as files, folders, services and user
profiles
Page 10
2010 Idea
Integration
o
o
3.3
The steps outlined below are meant as a high level overview of the migration
process. Planning, Discovery, and Pre-migration tasks (service account creation,
establishing two-way trusts, disabling SIDHistory filtering, etc.) are also critical
components of a successful migration that will be listed in greater detail when a
migration plan is put in place for the migration of a source domain to the target
Cornell.edu domain.
2010 Idea
Integration
3.4
Team Composition
The team member descriptions outlined below identifies critical skillsets required
for a successful Active Directory Migration Project:
Project Manager As with any major project, having the right person(s)
in the Project Manager role is a major reason for the success or failure of a
project. Using proven project management framework (ITIL, MSF, etc.) will
assist in the successful tracking of assigned tasks and deadlines, as well
as, risk management and sign-off when exiting major milestones.
Providing timely status reports will alert management to any critical
issues, resource constraints, or budgeting/burn rate concerns. Past
migration experience is helpful but not a requirement. Working closely
with the Technical Project Lead can overcome lack of migration
experience.
Technical Project Lead This person acts as the Subject Matter Expert
(SME) for the entire migration project. Works closely with the Project
Manager for assignment and scheduling of tasks. Attends technical, as
well as, non-technical meetings. Acts as the liaison between IT
management and the migration engineers. Assist the Project Manager in
the kick-off meetings by giving a migration overview presentation,
addressing departmental concerns, and begins the discovery process for
each source domain scheduled for migration.
Migration Engineer This person(s) acts as the technical engineer.
Experience with the migration tools and having completed large scale
migration projects is a must. Responsible for the installation and
configuration of the migration tools. Works with IT staff to complete all
necessary setup (production and lab environment if possible), testing, and
successful test case completion. Will raise any concerns to the Technical
Project Lead for resolution and tracking. Will be responsible for the
Page 12
2010 Idea
Integration
Page 13
2010 Idea
Integration
4.
During IDEA Integrations onsite visit, a brief overview of the current target
domain (cornell.edu) was provided. Meetings were held with a sampling of other
colleges/service areas that may become some of the first source domains to be
migrated. Again, brief overviews of these source domains were provided during
our meetings. A thorough discovery process would occur for each of these
source domains when scheduled for an actual migration project.
4.1
4.2
CORNELL.EDU
This is the current campus-wide forest/domain containing nearly 400k user
accounts.
It is currently running in native 2008 domain and forest functional levels.
There is one child domain (citstaff.cornell.edu) that is in the process of
being decommissioned.
All users, campus-wide, have an account (NetID) in this domain
provisioned by ILM. An instance of MIT Kerberos is in place for provisioning
of the NetID account and maintains password synchronization with the
cornell.edu domain.
The NetID account also serves as the authentication method for
CUWebLogin (access to most campus web applications).
Guests (users without a NetID) are provisioned in the cornell.edu domain
using a guest ID naming convention.
Campus wide Microsoft Exchange 2007 environment is contained in the
cornell.edu forest as well. Plans to upgrade to Exchange 2010 are in
place.
OU Administration Delegation has been set up using QUEST Active Role
Server (ARS) to grant College/Service Area IT staff rights to administer
their assigned OU upon completion of the consolidation effort.
All Domain Controllers are located within the campuses two data centers.
A possible third data center will be stood up for disaster recovery
protection and would contain additional Domain Controllers.
Additional Forests/Domains
As part of this engagement, Idea met with the following sampling of source
domains and support staff during onsite visit:
Facilities
S&O
AG & Life Services
Campus Life / Admin Services
Nanoscale / Johnson School of Management / Law School
Exchange Administration
Page 14
2010 Idea
Integration
The information obtained during these productive meetings has assisted greatly
with the content and recommendations listed in this document.
4.3
Development/Lab Environment
Page 15
2010 Idea
Integration
5.
Areas of Remediation
5.1
5.2
5.4
2010 Idea
Integration
toolset should be able to automate this process through the SQL resource
update process.
5.5
Certificate Services
During the discovery process of the project, any deployed certificate
services will need to be addressed. Certain deployments (i.e. Wireless
Authentication) can be mitigated by the deployment of additional
Cornell.edu domain certificates. If an actual Certificate Authority has been
deployed in a source domain, coordination in the project plan will need to
be tracked to ensure a smooth transition to a deployed CA in the
Cornell.edu domain as well as any application utilizing certificates from the
source CA.
5.6
5.7
5.8
2010 Idea
Integration
5.9
5.10
5.11
Page 18
2010 Idea
Integration
6.
Planning Recommendations
2010 Idea
Integration
and at least one team member of each related project (AD, Exchange,
virtualization, SCCM, and SharePoint deployment) so that each group has
visibility into the scheduling and risk mitigation activities supporting the
AD projects and understand potential impacts to their projects.
Page 20
2010 Idea
Integration
2010 Idea
Integration
Validate results
Migration Scheduling
Develop Migration Sessions
Approve/Finalize Session Schedule
Helpdesk Coordination
Knowledge Transfer
Coordinate Migration Activities
Go - No Go meeting
Stabilization closeout
Pre-Deployment Tasks
Coordinate Change Control
Agent Installs
Deployment
User/Groups Migration
Workstation Migration
Resource/Profile Updating
User Switch (Workstation Move)
Member Server Migration
Coordinate with Server/Application Owner
Submit Change Control
Post Migration Activities
Deployment Closeout
Page 22
2010 Idea
Integration