It’s no secret that over the past decade, Active Directory has grown out of control across many organizations. It’s partly due to organizational mergers or disparate Active Directory domains that sprouted up over time, but you may find yourself looking at dozens or even hundreds of Active Directory domains and realize that it's time to consolidate. And it probably feels overpowering. But despite the effort in front of you, there’s an easy way and a right way.
Domain consolidation is not a simple task. Whether you're moving from one platform to another, trying to implement a new security model, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?
According to Gartner analyst Andrew Walls:
“The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc.”
Walls goes on to discuss the politics, cost justification, and complexity of these projects noting that:
“An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Aegean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure.”
Walls offers advice on how to avoid some of the pain:
“You fight proliferation of AD at every turn and realize that consolidation is not a onetime event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support.”
What does this mean for you? Well, the most significant take-away from Walls’ advise is that it’s not a onetime event. AD Unification is an ongoing effort. You don’t simply move objects from point-A to point-B and then pack it in for the day. The easy way fails to meet the core objectives of the following:
- improved security model
- simplified management
- reduced cost
- common provisioning process
If take everything from three source domains and simply move it all to a target domain, you haven’t achieved any of the objectives other than now having a single Active Directory. There’s a good chance that your security model will remain fragmented, management will become more difficult, and your user provisioning processes will require additional logic to accommodate for the new mess. On a positive note, if this model is your intent, there are numerous solutions on the market that will help.
STEALTHbits, of course, embraces the right way. “Control through Visibility” is about improving your security posture and your ability to manage IT by increasing your visibility into the critical infrastructure.
Offering a multi-step strategy toward a CLEAN domain consolidation, STEALTHbits’ Active Directory Unification solutions assess which objects should or shouldn't be consolidated, how the source environments map to the target environment (especially in terms of the security model), and automate the transformation in a way that eliminates the need for SID history, doesn't break user access, and improves manageability. This applies primarily to servers, GPOs, AD schema, naming conventions, and security groups. (User accounts and workstations can generally be moved as-is once the appropriate group memberships and GPO policies have been evaluated.)
STEALTHbits’ Active Directory Unification doesn't eliminate the need for some form of migration tool to do the Point-A to Point-B moves, but it provides an invaluable ability to streamline what gets moved and how those objects are transformed to meet the target domain security model and related requirements. Throughout the process and moving into the future, the solution identifies and eliminates high-risk and toxic conditions across the Active Directory environments and can evaluate needs and suggest improvements over time – such as security group permission changes or new security groups that enforce a least privilege model or eliminate Segregation of Duties issues based on actual activity in the environment. These intelligence features simply aren't available in migration tools. This type of analysis requires an enterprise class data collection and analysis platform such as the StealthAUDIT Management Platform (SMP).
Please let us know if you’d like more information on how the STEALTHbits’ Active Directory Unification can help with your Active Directory consolidation effort.