Active Directory Migration Considerations (Part 2)

The cost factor

A key factor to consider when thinking about restructuring or consolidating domains is the potential cost involved in doing so. Yes, you may be able to greatly simplify Active Directory administration within your organization by consolidating all of your various domains into a single new domain. However, the cost of doing this may be so high as to be an unacceptable investment for your company.

The reason is that Active Directory consolidation/restructuring can be disruptive in many ways to your organization’s daily IT operations. For example, time and effort are needed to test the effects of domain consolidation/restructuring upon:

  • Administration of users, groups, computers, and printers
  • Client computer deployment, management and maintenance
  • Authentication, authorization and access to shared folders, shared printers, and other network resources
  • Authentication, authorization and access to server applications and services
  • Delegation of authority to perform Active Directory administration
  • The amount of WAN traffic used for Active Directory replication between sites in the same domain
  • Many other factors

Of course, having only a single domain in your forest has its own list of compelling cost benefits including:

  • More centralized management and monitoring of Active Directory and server applications
  • Fewer domain controllers to manage and maintain in your environment
  • Easier troubleshooting of Active Directory replication problems and trust issues
  • Fewer problems with inconsistencies in how Group Policy is configured and applied
  • Simplified implementation and management of bring your own device (BYOD)
  • Simplified authentication and access control when provisioning and using cloud services
  • Easier integration of on-premises infrastructure with public or hosted clouds to form hybrid cloud solutions
  • Simpler auditing and compliance to meet industry sector or governmental requirements
  • Easier forest/domain consolidation going forward should corporate mergers or acquisitions occur

However, the road to getting there (to having only a single domain in your forest) can be so costly in terms of time and effort (and therefore money) that it just might not be worth it for your organization to restructure/consolidate all of its existing Active Directory domains.

The bottom line is that you should carefully count the cost before you embark on such a project, especially if you are going to be paying outside consultants to do the work. After all, if you succeed in consolidating 100 domains that contain 100,000 users and 100,000 computers into a single domain, your IT staff will still end up having to administer 100,000 users and 100,000 computers. They might have an easier time doing so with only one domain involved, but will the time and effort saved afterwards really offset the enormous time and effort needed to perform the consolidation?

Mitigating the cost factor

One way of mitigating the cost involved in Active Directory restructuring/consolidation projects is to include them as part of a larger infrastructure modernization project. For example, let’s say your IT infrastructure is still mostly traditional/conventional with physical servers in your datacenters. You’ve dipped your toes in the pond of virtualization a few times, and you’ve tasted some of the fruit that comes from cloud computing. Now you want to thoroughly modernize your infrastructure by virtualizing server workloads on-premises and moving some of your workloads into the cloud. You want to do this because you can clearly see some of the benefits your organization can gain through hybrid computing such as resource pooling, the perception of infinite capacity (elasticity), the perception of continuous availability, multi-tenancy, resource metering and chargeback, and so on. If you’ve made the decision that you’re going to modernize your infrastructure like this, then now is probably the time to include domain restructuring/consolidation as part of your overall infrastructure improvement project.

Another good way to mitigate the cost involved in Active Directory restructuring/consolidation is to perform such tasks when you are going to roll out a new server operating system in your organization. For example, if you’re going to migrate from Windows Server 2003 to Windows Server 2012 R2 then you may want to include domain restructuring/consolidation as one component of your overall server migration plan.

Another cost-effective reason for performing Active Directory restructuring/consolidation is when you plan on modernizing your overall business processes in order to future-proof your business so it can continue to be competitive in the marketplace. If you’re already going to be spending tens of millions of dollars to modernize your facilities and business processes, then tacking on a few more million to make your Active Directory infrastructure more amenable to implementing cloud solutions might be very attractive from a cost/benefit point of view.

Migrating servers and applications

Migrating servers and the applications running on them can be especially problematic when restructuring or consolidating Active Directory domains in your environment. That’s because virtually any server application (either Microsoft or third-party) that depends on Active Directory in any way may be difficult or even impossible to move from one domain to another. With some server applications such a change may even be undocumented by the vendor, leaving it up to you to try it on your own in a test environment to see whether it’s even feasible to do such a move.

This challenge tends to have an interesting effect when it comes to real-world domain consolidations/restructurings. I’ve often heard of companies who embark on a huge domain (or forest) consolidation project and start off by migrating all of their low-hanging fruit (users, groups and client computers) from the old domain to the new domain. Then once this has been completed, the challenges posed by migrating servers and applications to the new domain are suddenly realized to be much more than had been anticipated by the migration team. The frequent result is that the migration project stalls at this point, and the domain restructuring stays only half-complete.

The result of hitting the pause button on your migration project is to create something even worse than what you started out with, because you now have your users and client computers in one domain, and your servers and applications in a different domain. Active Directory management now becomes even more complicated than before (more domains, separation of resources) instead of easier as had been promised by those who were driving the migration project forward.

Slow retirement

On the other hand, there’s no reason that Active Directory consolidations/restructurings need to have a fixed endpoint in time. One path your organization might consider is to perform a “slow migration” from your current multiple domain (or multiple forest) infrastructure towards a single domain (or single forest) solution. In other words, you could start your domain or forest migration with no particular end date in mind, moving different types of resources and services one at a time from one domain to another as they become useful to move to the new domain or forest. The key here however is that you need to spend a lot of time up front thinking through the final design of your future Active Directory infrastructure, because you don’t want to spend years trying to hit a constantly shifting target.

In the next article we’ll continue discussing what you need to know before consolidating or restructuring your Active Directory domains.
