What Begins to Happen After Day One
by Vadim Gringolts, CTO, Binary Tree
As it relates to corporate email systems, Day One is focused on enabling the employees of the merging organizations to transparently send and receive email internally and externally, as well as schedule meetings, with everyone in both organizations. My prior article covered the four key elements of achieving these Day One goals.
In this article, we will focus on what starts to happen after Day One. This is when the focus shifts to consolidating the infrastructure of the two organizations into one seamless IT infrastructure. The first component to consolidate is a foundational part of the infrastructure: Active Directory.
Active Directory (AD) environments must be synchronized, integrated and migrated into a new, evolved infrastructure. What are the best practices for doing so? Well, we're going to define three basic and all-important steps.
1. Integrate the Active Directory Environments
The first step is to integrate the separate Active Directory instances so that the users in each environment can interoperate as one organization. You may have already completed this action while preparing for Day One, in which case you can skip over this section and go directly to step 2 below. However, it’s more likely that you have just gotten the email directories synchronized, so there is more work to do, and here’s how to proceed.
First, it’s important to understand that each of the merging Active Directory environments needs to continue serving its own constituents. Each AD has its own set of users, groups, computers, and other objects that it continues to support (as well as new ones to be added), and everything about these objects is defined in that AD environment. Continuously synchronizing the two AD instances is the first step in their integration. It also means that both environments will contain two sets of objects going forward, not just one.
Very often, trust must be established between the two AD environments so that each can support objects from the other. This means enabling the users of each organization to access servers, workstations, printers and other devices in the other AD. The users may also need to access data in the other environment, and that data can be located on different file shares, or perhaps on SharePoint sites in a different AD instance.
By combining two organizations, you also now have two separate sets of systems administrators. Very often, these administrators will be asked, and may actually be required, to manage objects in the AD environment to which they previously had no access.
When we talk about establishing trust between AD instances, this is a lot more than just a purely technical form of trust. It is also a matter of human trust: trusting that administrators from the new group will not undermine the efforts and the policies of the administrators in the old group. Policies and procedures, especially long-established ones that have been refined over the years, have to be amended so they can serve the needs of a combined organization.
As a result of all these activities, you will end up with an integrated Active Directory environment. But that's just the first step.
Figure 1. Establish a trust and synchronize the directories to integrate the Active Directory environments of merging organizations.
2. Build a New Active Directory Environment to Support the Newly Merged Organization
Now that you have the two separate AD instances integrated, you need to determine the ideal AD design for the combined organization. Can one of the existing Active Directory instances satisfy those needs? Perhaps. Most often, you will need to build a new Active Directory infrastructure.
Building a new AD environment will ensure that you can satisfy the combined needs and requirements of the new organization and that you can scale to meet those needs and requirements as the organization grows in the future. After all, the new organization likely has higher aspirations than either of the formerly separate organizations.
To start down this path, you will first have to assess the needs of the new organization as it relates to AD. You will need to find answers to the following questions and more:
- What should you do about the existing objects, groups, devices, data, security, operations, policies and procedures?
- How does your new organization view all of these components? And what needs to happen with them in the future?
- What do you need to build in order to satisfy these views and needs?
- How can you make your new AD infrastructure scalable for future growth?
Figure 2. Build a new Active Directory environment for the newly merged organization.
3. Migrate the Legacy Active Directories into the New One
Here, we make the assumption that neither of the existing AD infrastructures met the objectives of the new organization, and you have decided to create a brand new one for the new company. First, you obviously have to design and deploy the new AD environment, and only then begin the transition. But before you begin the transition, you have to establish integration between the legacy Active Directories and the new one. Remember, we started this article by saying that the old Active Directories have to be integrated so they can interoperate. Well, if the new Active Directory structure is yet a third separate instance, you have to establish a coexistence/interoperability triangle, so that you have an integration from both legacy AD environments into the new one.
Next, you have to establish the cut-off point. It’s the point where you tell your administrators, “Okay, enough; we're no longer putting new objects into the legacy Active Directories. We're going to start using the new Active Directory for all newly created objects, be they users, groups, servers, printers, workstations, or whatever else is managed by Active Directory.” And once you've established that policy, administrators will start gradually transitioning old legacy objects and applications into the new AD.
The process isn't going to take place overnight. More often than not, it's going to take some time, and that's why interoperability is so critical. At some point, you will complete this process and be ready to retire the legacy AD environments. By the way, retiring a legacy AD isn't just removing the machines that house its domain controllers; it's also removing any traces of the old naming structures and old AD attributes from the new infrastructure. So the actual process of retirement is not just retirement; it's also one of cleansing the new infrastructure of any references to the old one.
Figure 3. Migrate the legacy AD objects to the new combined AD environment.
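As an added example (not code from the article or from Binary Tree), here are two PowerShell checks for the two policy points in step 3: that nothing new is being created in the legacy ADs after the cut-off, and that the new AD carries no lingering references to the legacy naming structures. It assumes the RSAT ActiveDirectory module, read access to all three domains, and placeholder domain names and a constructed cut-off date; treating sIDHistory as one of the "old AD attributes" to cleanse is an assumption of this example.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module; domain names and the cut-off date are placeholders.
Import-Module ActiveDirectory

$LegacyDomains = @('legacy-a.example', 'legacy-b.example')   # placeholders
$NewDomain     = 'newco.example'                             # placeholder
$CutOff        = Get-Date '2024-01-15'                       # constructed cut-off date

# Check 1: after the cut-off, no new users, groups or computers should appear in
# the legacy ADs. A hit here is a policy violation to follow up with the
# administrator, not an object to quietly migrate.
function Get-PostCutOffLegacyObjects {
    foreach ($domain in $LegacyDomains) {
        Get-ADObject -Server $domain -Filter { whenCreated -gt $CutOff } `
            -Properties whenCreated, objectClass |
            Where-Object { $_.objectClass -in @('user', 'group', 'computer') } |
            Select-Object @{ n = 'Domain'; e = { $domain } }, objectClass, Name, whenCreated
    }
}

# Check 2: retirement is also cleansing, so look in the new AD for user
# attributes that still point at a legacy domain: UPN suffix, mail and proxy
# addresses, SPNs, and (assumption) sIDHistory, which keeps legacy SIDs on a
# user's token and should be empty once migration is complete.
function Get-LegacyReferencesInNewAD {
    $users = Get-ADUser -Server $NewDomain -Filter * `
        -Properties userPrincipalName, mail, proxyAddresses, servicePrincipalName, sIDHistory
    foreach ($u in $users) {
        $hits = @()
        foreach ($d in $LegacyDomains) {
            if ($u.userPrincipalName -like "*@$d")                { $hits += "upn:$d" }
            if ($u.mail -like "*@$d")                             { $hits += "mail:$d" }
            if (($u.proxyAddresses -join ';') -like "*@$d*")      { $hits += "proxy:$d" }
            if (($u.servicePrincipalName -join ';') -like "*$d*") { $hits += "spn:$d" }
        }
        if ($u.sIDHistory.Count -gt 0) { $hits += "sidHistory:$($u.sIDHistory.Count)" }
        if ($hits) {
            [pscustomobject]@{ User = $u.SamAccountName; References = ($hits -join ',') }
        }
    }
}

Get-PostCutOffLegacyObjects | Format-Table -AutoSize
Get-LegacyReferencesInNewAD | Format-Table -AutoSize
```

Both functions only read the directories; any cleanup of the objects they report is a separate, deliberate change once the owning application or user has been migrated.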
Obviously, this was a very high-level representation of the Active Directory transformation. There are a lot of details and nuances that I did not cover because they're outside the scope of this article, but once you've completed this three-step process, you will have your Active Directory transformed to meet the needs of your new organization.