Chemicals manufacturer Johnson Matthey has used tools from Dell to simplify a complex, multinational Active Directory...
The company has evolved from autonomous business units. The organisation used to run Novell servers with Novell directory services across 120 sites, all of which were administered by separate IT teams.
As part of a re-organisation of IT – from regional organisation to a centralised structure – Johnson Matthey found it had over 30 Active Directories. Stephen Way, divisional IT director of Johnson Matthey, said: "We had a very devolved structure with every site using its own Active Directory. We recognised we needed a single directory."
There was no incentive for Johnson Matthey to simplify its Active Directory infrastructure, but Way said: "We had plans to move off Novell and we wanted to deploy SharePoint across the company."
More articles on Windows Server
He also wanted to prepare Johnson Matthey for using cloud service. The company was also considering cloud email. A single Active Directory was a prerequisite to these intentions.
Way looked at the native Microsoft Active Directory migration manager tool, along with identity management software, but found the tools had a heavy overhead. "We did not want to impose extra administration on the network."
Johnson Matthey selected Dell Migration Manager for Active Directory to move the regional Active Directories into a single Active Directory and used Dell's Active Role Server to support devolved administration rights.
Dell Active Directory migration tools
Dell Migration Manager for Active Directory was used to enable migration of the multiple Active Directories across Johnson Matthey into a single Active Directory forest. Through the acquisition Johnson Matthey was able to migrate 100% of email access for users without major data loss or business disruption.
Dell ActiveRoles Server was used to provide user and group account management. The admin tool enforces role-based security, day-to-day identity administration, and built-in auditing and reporting. It is used within Johnson Matthey to regulate administrative privileges through security policies and protect critical Active Directory data by preventing unregulated access to resources.
Johnson Matthey has also implemented Dell’s ChangeAuditor for Active Directory. This is used to track and alert on configuration changes in real time. It is used to allow each local office to tailor their security and access rights to local requirements.
Way explained: "We chose this solution as the benefits were threefold. It allowed us to deliver the Active Directory migration within our tight deadline without data loss and disruption to the majority of users; improve security levels and comply with industry regulations; and provide ongoing management. Because it manages some of the administration, ActiveRoles Server has also delivered significant time savings for IT staff, giving them more time to focus on value-added activities. Support calls have dropped by 98%."
The consolidation of Active Directories was relatively straightforward. He said: “We needed to set two-way traffic between host and target Active Directory forests with full rights. We asked sites to clean up their Active Directory to remove users who had left the company."
The migration team needed to visit each site to change the login domain of each PC and server, so the user would use the new Active Directory domain when they next logged in.
"The project took eight and a half months and a lot of air miles, because we had to touch every machine," Way added.
"A site would have a long list of machines on its Active Directory. Some of these machines were not being used and some needed different configurations. In a well-run site we would need to visit 15% of the machines, but in a less well-run site we would have to check 99% of the machines."
In parallel to the Active Directory project, the company upgraded its network to MPLS and deployed network acceleration appliances.
The project took eight and a half months and a lot of air miles, because we had to touch every machine
Stephen Way, divisional IT director, Johnson Matthey
He said the biggest problem was with users who noticed their domain had changed, and who would alter the settings to attempt to log into the old domain and then call the helpdesk to say they could no longer login. All the work on the servers was done in the background but each one needed rebooting to access the new Active Directory.
The team also needed to ensure that domain name services (DNS) for each site had the correct entries, he added. "Active Directory is very reliant on a clean DNS to work. We had 30 domains and around over 100 DNS servers which needed to be cleaned up."
As in any major project, preparation was key. Way said the biggest part of preparation was in winning the hearts and minds of the administrators in the other Johnson Way office, who had previously managed their own domains. "We did not impose global naming standards for user names and device naming, but the Dell tool enabled us bring in everything." Any duplications or discrepancies were cleared up, he said.