I’ve been lucky (or unlucky) enough to have worked with Active Directory since Windows 2000 Server, and this has given me some understanding of how fraught with difficulty Active Directory restructuring, consolidation, and migration projects can become, especially in large enterprise environments. And just when I thought I’d finally gotten a handle on how Active Directory works and how it can be deployed and managed, along comes Azure Active Directory (Azure AD), which blows everything up — supposedly to make Active Directory simpler, but in actuality necessitating a whole new way of thinking about identity management. What is the best approach to setting up a corporate Active Directory environment nowadays? To help me gain insight into current best practices for Active Directory modernization so I could share this with our TechGenix readers, I asked Ian Lindsay to bring me up to speed on the subject. Ian has been in the IT industry for over 30 years and is the strategic systems consultant for Quest Software, where he is responsible for providing solutions and architectural guidance to core customers in the Central and East regions. His experiences range from software development on UNIX to designing enterprise network infrastructures using the latest technologies. Prior to joining Quest, Ian was a senior technology strategist with Microsoft for almost 14 years and was responsible for the health-care customers in Microsoft’s Pittsburgh account team. You can learn more about Ian from his blog, and you can find him on Twitter at @ilindsay760. Let’s listen to Ian now as he describes a practical framework for hybrid Active Directory modernization that many companies will be able to follow. Let’s turn the floor over to Ian.
Understanding the need for Active Directory modernization
Active Directory modernization has been a common industry topic for several years now, but it has always meant something different for each customer. The simplest way I can define Active Directory modernization is to optimize your Active Directory to support the evolving demands of your business. Previously, customers would ask me about Active Directory modernization when they needed help with AD migration, consolidation, or restructuring. Today, with all the high-profile data breaches in the news, the push for AD modernization is converging with the need for strong cybersecurity.
AD is still the backbone of your IT environment because it’s the single point of authentication and authorization. It controls access to all critical resources, and it is the linchpin for any major project or initiative. This is the case even today as more companies leverage the cloud and support their employees’ mobile-first approach to work. In fact, the drive for digital transformation is making AD more important than ever. Many AD infrastructures are 10 to 15 years old and have grown significantly over time. Those relying on AD have learned that these early deployments are often ill-equipped to meet the needs of today’s technologies and business demands. This is especially true in the case of large organizations with complex infrastructures. Without proper cleanup and consolidation, organizations could face security and compliance risks once they get to the cloud.
Most customers I work with have an AD environment that is hybrid. Their on-premises AD remains the primary source of authentication and authorization, and they synchronize that on-premises AD to Azure AD using Azure AD Connect. On-premises credentials authenticate users to Office 365, custom cloud applications, and common SaaS apps like Dropbox, Google apps, and AWS, as illustrated in the figure below:
As cloud footprints expand, the risk and complexity of securing, managing, and ensuring compliance for your hybrid AD environment increases, leaving businesses vulnerable and exposed. With so many systems and users relying on AD, even a minor breach or downtime can affect the entire enterprise. That’s why it’s so important to consider modernizing your AD environment so you can better address these needs.
To do this, you need an end-to-end modernization solution that can cut the time, cost, and risk of managing your hybrid AD, while also increasing the productivity, flexibility, and security of your mission-critical infrastructure. So, what should you consider?
AD migration, consolidation, and restructuring
In the early days of Active Directory, a decision had to be made as to whether you were going to do an in-place upgrade of your existing Windows NT 4.0 environment, or if you were going to do a “greenfield” migration. Some organizations had multiple domains and did a combination of both. As AD grew in popularity, there were fewer greenfield migrations and more AD forest-level consolidations (especially with mergers and acquisitions increasing rapidly). In today’s world, there are now AD migrations occurring with the intent to bring all users into one centralized domain so IT can establish and maintain one set of security policies for the entire organization. That enables stronger protection of sensitive data and also addresses important systems management and compliance challenges.
Regardless of your intended business outcome, an AD migration can be very complex and time-consuming. To simplify your migration and ensure that users maintain secure access to workstations, you need to keep in mind the following tips:
- Know your data prior to starting the migration — As Annette E. Reikow, IT director at Adient U.S. shared with Quest: “Know your data prior to starting the migration. Who are the users, which servers/workstations will migrate, and which applications will migrate? The cleaner your data the easier the migration will be.”
- Test your migration plan — Mirror your AD production environment to a test environment to test the impact of your manual and automated migration processes. If the test migration is a success, then you know the live ones will be successful also. If you encounter problems during testing, you can develop a process to work around them or recover from them should they occur during the real migration.
- Take special care of legacy apps and data — Most Windows apps will continue to work just fine. Where more time needs to be spent is on non-Windows applications that use AD as an LDAP directory. We need to find them, and how they are calling into the directory. Next, we need to mitigate these applications by either fixing the app directly or by implementing a virtual directory server that will capture the calls to AD and redirect them automatically to the new directory.
- Be prepared for the unexpected — As Curtis Mavity, systems engineer from Avera Health told us, “Always be ready for the unexpected. There are scenarios in our AD migrations that have caught us off-guard. Have a plan ready to deal with these and remember the handy undo option.”
Hybrid AD recovery
Comprehensive AD backup-and-recovery capabilities are essential for every organization today. After all, objects get improperly modified or deleted all the time, either maliciously or accidentally. Attributes get overwritten by faulty scripts. Hard drives fail. Databases become corrupted. And natural disasters strike. To ensure business continuity, you need to be able to restore individual objects or attributes — or an entire Active Directory domain or forest — quickly and effectively. In addition, to meet many compliance regulations, you need to be able to demonstrate the efficacy of your backup procedures and disaster recovery plans. Finally, what about migration or consolidation? We are about to move a lot of objects around. Collapse and remove potentially multiple domains. We plan and plan but things still go wrong. So let’s make sure, in case of some unforeseen event, we can get back to a good state easily. Now I am not talking about a standard server backup. We want a backup for the hybrid Active Directory that will allow us to recover objects down to the attribute level.
Having a solid on-premises solution is necessary but not sufficient today because organizations are making greater use of cloud-only attributes, Office 365 groups, Azure AD groups, B2B/B2C accounts, and other features of the hybrid AD environment to improve user experience. Since the Azure AD Connect synchronization is in most cases one-way, from on-premises AD to Azure AD, those cloud-only objects are not covered by your on-premises backup and recovery tools. The Azure AD Recycle Bin is a convenient way to restore certain recently deleted objects, but it was never intended to be an enterprise backup and recovery solution.
It is imperative for security and compliance purposes to ensure the availability and integrity of both on-premises AD and Azure AD. And because the two directories are closely intertwined, you need an integrated solution.
Hybrid AD security
Because AD is the primary authentication and authorization directory for over 90 percent of the world’s enterprises, it is a common target for cyberattacks. And as Microsoft Office 365 adoption continues to grow, the complexity of securing AD increases.
Hardening external security is no guarantee of AD security, because the biggest threats to AD security are internal, and more than half of insider misuse involves abuse of privileges. A disgruntled or avaricious employee, especially one with an administrative account -- or an attacker who compromises such a user account — can exploit technical vulnerabilities and human factors to launch data breaches from the inside out.
Monitoring AD and Azure AD event logs is a start, but many insider threats take advantage of events that are not logged. Moreover, the list of things to look for in order to spot suspicious actions is long, and there is no native way to automate either detection or remediation. The fact is, users need access to resources to do their jobs, and sometimes they need privileged access permissions. The key to AD security is balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse. Ultimately, you need to find solutions that help you assess permissions continuously to identify vulnerabilities; detect and alert on suspicious activity; automate security management tasks; and investigate and recover from security breaches
Active Directory modernization: Begin the journey
Active Directory modernization is a journey, not a destination. The phases outlined above can be done in any order, and there is no requirement to do them all. However, if you do go down this path there are many advantages including reduced costs, tighter security, and happier users. Feel free to contact me for more details.
Photo credit: Shutterstock