Active Directory Migration - Cisco

Active DirectoryMigrationHow Cisco IT Migrated toMicrosoft Active DirectoryA Cisco on Cisco Case Study: Inside Cisco ITPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public1

Overview ChallengeDeploy a single directory solution for all NOS directories as wellas an enterprise directory SolutionMigrate to Microsoft Active Directory, automating the migrationand provisioning processes as much as possible ResultsROI in 16 months: anticipated 48-month savings of 5.8 to 8.1million Next StepsMigrate MeetingMaker and POP email server directoriesPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public2

Challenge: Consolidate MultipleDirectories Cisco IT maintained separate NOS and LightweightDirectory Access Protocol (LDAP) directories for eachapplicationMail servers, MeetingMaker calendar servers, various Oracleapplications, Windows, UNIX, and Macintosh desktops50 directories in lab environment alone! Users had to keep track of multiple user accounts andpasswords Administrators had to be trained on different systemsand update multiple directories as employees joined orleft Cisco Cisco developers had to write different code for everydirectory their applications would accessPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public3

Challenge: Reduce Directory Costs andMaintenance RequirementsIT faced its own set of problems relating to maintainingmultiple directories: High costsTraining to support each directoryLicensing fees Complicated compliance with Sarbanes-Oxley ActThe more directory environments, the harder to enforceappropriate for each individual AccountabilityIf a problem emerges, which directory group is in charge?Presentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public4

Solution: Microsoft Active Directory Active Directory provides all functions that Cisco ITneeds, in one product:Enterprise directoryNOS directoryLDAPv3Public Key Infrastructure (PKI) and Kerberos security servicesNetwork device management capabilities No separate license fee because it’s built into Windowsoperating systemPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public5

Solution: Consolidate to ActiveDirectoryPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public6

Solution: Architecture Deployed in 12location on Ciscoall-packet network(CAPnet) High bandwidthenables fastresponse forCisco usersworldwide as theyauthenticatePresentation ID 2007 Cisco Systems, Inc. All rights reserved.CHMLONAMSBEIRTPBRUSJCSINRCHBGLSYDCisco Public7

Solution: Geography-Based Domains Five domain controllers at each deployment site:Root domainThree child domains based on geographyRedundant domain for local geography Cisco employees who travel can be authenticatedlocallyPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public8

Solution: Geography-Based Domains(Contd.) Authentication time reduced from minutes to seconds insome casesCisco.comAsiaPac.cisco.comGroupsUsers(Active / Inactive)Americas.cisco.comComputers(Workstations / Servers)EMEA.cisco.comActive Directory DomainOrganizational UnitPrintersApplicationsPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public9

Solution: Automated Migration Automating migration reduces business risk Cisco IT developed automated utility to migrate fromprevious Windows NT 4 NOS directoriesPopulates user accounts in Active DirectoryMigrates group accounts from Windows NT4 to Active DirectoryMigrates security identifiers (SIDs)Presentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public10

Solution: Automated Migration Script launcheswhen user logs into Windows NT4Enables ActiveDirectory useraccountSets passwordMore 99% of Cisco usersmigrated to ActiveDirectory with nohuman interventionPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public11

Solution: Automated Provisioning Motto: “Provision as much data as possible, master aslittle data as possible in Active Directory” 100 batch-provisioning scripts run at daily intervalsfrom 15 minutes to 24 hoursEmployees (feed from PeopleSoft HR system)GroupsSID historyMailboxesMail aliasesPrintersSite topologySchema extensionsOrganizational unitsPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public12

Solution: Automated Updates toNetwork Topology Directory services provide network topologyIT staff refer to topology to find the fastest connection tonetwork resourcesIncorrectly-configured site topology can affect availability ofdirectory-enabled applications Active Directory requires manual topology updatesBut the Cisco network changes daily, making manual updatesimpractical A challenge begging for automation Presentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public13

Solution: Automated Updates toNetwork Topology Cisco IT wrote a script that automatically updatestopology each dayThe script pulls config files from Cisco routers and theninjects this information into Active DirectoryPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public14

Solution: Replication Multi-master replication feature in Active Directoryreplicates a change made at any of Cisco’s 12 ActiveDirectory sites High bandwidth of CAPnet sites avoids bandwidthclogging during replication To ensure rapid recovery during disasters, Cisco ITmasters data in a separate database, not ActiveDirectoryReduces riskImproves auditingProvides IT with greater control over which systemadministrators can make changes, and how oftenPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public15

Solution: Web-Based ProxyManagement Local changes todomain controllerresult in inconsistentserver configurations,which complicatemaintenance Cisco IT developed aWeb-based proxyservice Now localconfiguration changeson server; ActiveDirectory dataremains unchangedPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public16

Results: ROI in 16 Months! Migration accomplished for 630 per Windows desktop,a result of automated migration utilityCompares to 2,100 to 3000 industry average (source:Gartner) One-time migration cost savings: 1.5 million 48-month operational cost savings for Windowsservices: 2.3 millionPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public17

Results: ROI in 16 Months! (Contd.) 48-month operational cost savings for UNIX services: 2million compared to Sun One or 4.3 million compared to SunNetwork Information Services (NIS ) 4,000,000Cumulativecost withoutautomation 3,500,000BreakevenAt 16 months 3,000,000CumulativeSavings to Ciscoafter 48 months: 2.3 M 2,500,000CumulativeCost 2,000,000 1,500,000Cumulativecost withautomation 1,000,000 500,000 01713192531374349Time (Months)Presentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public18

Next Steps: Migrate Other Directories MeetingMaker directories POP mail server directoriesPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public19

To read the entire case study, or for additional Cisco IT case studies on avariety of business solutions, visit Cisco on Cisco: Inside Cisco ITwww.cisco.com/go/ciscoitPresentation ID 2007 Cisco Systems, Inc. All rights reserved.Cisco Public20

Migrate to Microsoft Active Directory, automating the migration and provisioning processes as much as possible Results ROI in 16 months: anticipated 48-month savings of 5.8 to 8.1 million . Active Directory provides all functions that Cisco IT needs, in one product: Enterprise directory NOS directory