"Enabling our clients with a decisive, high quality, technology advantage..." |
 |
Five Things to Consider When Migrating Active Directory (AD)
Thorough planning is key to the successful integration of just about any IT project. An AD migration is certainly no exception. Comprehensive planning is also necessary if you are undertaking the major restructuring of your existing AD design. Successful planning allows you to identify all the tasks you need to perform as part of the migration and to create a design that best meets your needs. Planning also helps to ensure that you avoid many of the potential pitfalls associated with AD deployments.
The following considerations should be carefully taken into account when planning an AD migration:
1. Available Resources
When planning an AD migration, the number one thing to take into consideration is whether you have sufficient knowledge and expertise available internally to handle a deployment. The proper resources are necessary for each phase of the migration, from planning to implementing and testing the final deployment. Qualified resources will be able to identify potential pitfalls, execute tasks that are unique to your organization, and ultimately ensure that your migration is a success. Therefore, it is absolutely critical that the proper resources are available and utilized during the planning phase.
Lacking the proper resources during the planning phase can lead to the following:
- Inability to gauge the full scope of the migration.
- Lack of information about potential issues involved in a migration.
- Unrealistic or inaccurate project deadlines and milestones.
- Additional expense in the form of downtime and wasted resources.
If you do not have the requisite resources internally, it is imperative that you identify and contract with external resources before initiating the migration. Identifying these resources as you plan and execute the migration will save you time and money and prevent future problems.
2. Current Directory Structure
Some questions to ask of your organization are as follows:
- Do policies require that certain groups have restricted access to resources?
- Are there groups of users with special administrative rights?
- Are certain groups or users linked to critical services?
- Are there multiple domains to take into account?
As you plan the new directory structure, it is a good idea to look at the entire directory structure to ensure that there are no duplicates or potential security flaws, and to ensure that you’re taking full advantage of AD features.
3. User Impact
User impact is one of the most important considerations to take into account during the planning phase of any major IT project, including an AD migration. If anything unexpected occurs and results in unplanned downtime, the time and resources required to recover from that event can be significant. Therefore, it is important to account for several key factors during planning.
Areas of concern should include the following:
- Systems access during the outage.
- User profile settings.
- User and system links to resources once they are moved.
The entire process should be monitored closely. A thorough rollback/mitigation plan that includes testing and disaster recovery procedures should be in place beforehand to minimize user impact in the case of an unforeseen occurrence. Any deviation from the original plan should be documented as a formal step in the lessons learned process.
4. Links to Services
As you plan your AD migration, you must take into consideration any services that are currently running on network resources and linked to AD accounts. Changes to your network structure, or changes to the OS, can affect these services.
The following information about services should be identified:
- Service name.
- Account used to run each service.
- Network device running the service.
Services, such as Exchange, that are running under specific user accounts will need to be propagated to the new AD structure before the former accounts are disabled. Once the user account that is being used by a service is migrated to the new structure, the service should then be reassigned to the related user account in the new domain.
Knowing the services running in your network can help to prevent unexpected problems during your migration. A careful audit of the existing services and the user accounts they’re pointing to will help to eliminate unnecessary downtime due to an overlooked service account relationship.
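The service audit described above can be scripted. The following PowerShell is an added example, not part of the original article; it assumes the ActiveDirectory (RSAT) module, CIM/WinRM access to the target machines, and that every enabled server-class computer in the domain is in scope. The output file name is a placeholder.

```powershell
# Added example: list every service that runs under a non-built-in account,
# with the three fields the article asks for (service, account, device).
Import-Module ActiveDirectory

# Built-in identities that do not depend on an AD user account.
$builtIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

# Assumption: all enabled computers reporting a server OS are in scope.
$servers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' |
    Where-Object DNSHostName |
    Select-Object -ExpandProperty DNSHostName

$inventory = foreach ($server in $servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
            Select-Object @{ n = 'Device'; e = { $server } },
                          Name, DisplayName, StartName, StartMode, State
    }
    catch {
        # Keep unreachable hosts in the report so they are not silently skipped.
        [pscustomobject]@{
            Device      = $server
            Name        = '<unreachable>'
            DisplayName = $_.Exception.Message
            StartName   = $null
            StartMode   = $null
            State       = $null
        }
    }
}

# Full inventory for the migration plan (placeholder file name).
$inventory | Sort-Object StartName, Device |
    Export-Csv -Path .\service-accounts.csv -NoTypeInformation

# Accounts that many devices depend on need the most care at cut-over.
$inventory | Where-Object StartName |
    Group-Object StartName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Hosts that appear as `<unreachable>` still need a manual check before the source accounts are disabled.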
5. Security Considerations
After the migration has begun, you should regularly review AD permission assignments, including the use of groups and group policies, to help promote network security. During a migration, the movement of users and groups at different times and by different administrators can cause unintentional rights assignments to network resources. You will need to identify any migrated users who received inappropriate rights. After the migration is complete, it is a good idea to continue to analyze AD permissions and confirm compliance with your organization’s security policies as a part of due diligence.
You can use membership lists to ensure that only users who need certain permissions are granted access to a particular group or service. In addition, you need to be aware of which users have been given administrative rights to network resources. With detailed lists of groups, you can analyze the purpose of each group and refine access permission assignments in AD. After the migration has been completed, similar groups might be consolidated. With information about group membership, you can determine if any users or groups should have their membership revoked.
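One way to produce and compare the membership lists described above, as an added example that is not part of the original article. It assumes the ActiveDirectory (RSAT) module, that both domains are reachable during the migration, and that group and account names are preserved between them; `old.example.com` and `new.example.com` are placeholders.

```powershell
# Added example: snapshot group membership in the source and target domains
# and report memberships that appeared or disappeared during the migration.
Import-Module ActiveDirectory

function Get-GroupMembershipSnapshot {
    param([Parameter(Mandatory)][string]$Server)   # domain or DC to query

    foreach ($group in Get-ADGroup -Filter * -Server $Server) {
        try {
            # -Recursive expands nested groups so indirect rights are visible too.
            Get-ADGroupMember -Identity $group -Server $Server -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group  = $group.SamAccountName
                        Member = $_.SamAccountName
                    }
                }
        }
        catch {
            # Very large groups or unresolvable members can fail; flag for manual review.
            Write-Warning "Could not enumerate $($group.SamAccountName): $($_.Exception.Message)"
        }
    }
}

# Placeholder domain names; replace with the real source and target domains.
$before = @(Get-GroupMembershipSnapshot -Server 'old.example.com')
$after  = @(Get-GroupMembershipSnapshot -Server 'new.example.com')

$diff = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Group, Member

# '=>' exists only in the new domain: rights gained during the migration.
$diff | Where-Object SideIndicator -eq '=>' |
    Sort-Object Group, Member |
    Export-Csv -Path .\membership-gained.csv -NoTypeInformation

# '<=' exists only in the old domain: rights not yet (or no longer) carried over.
$diff | Where-Object SideIndicator -eq '<=' |
    Sort-Object Group, Member |
    Export-Csv -Path .\membership-lost.csv -NoTypeInformation
```

Review the "gained" list first, starting with groups that carry administrative rights, since those entries are the unintentional assignments the section warns about.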
Summary
By auditing your available resources and performing a complete inventory of your current AD structure, both before and after migration, you will gain valuable information for planning your migration and planning your new AD structure, while avoiding major pitfalls that can occur as a result of poor or insufficient planning.