Retirement and succession planning for Active Directory admins

With the retirement of Microsoft’s traditional on-premises Active Directory (AD) certifications back in June of 2020, many on-premises Active Directory admins started leaving the field during the COVID-19 pandemic. Many others will reach retirement age in the next 5-10 years. This is stirring up fear among upper management leaders as they ask themselves where their organizations will be when this skilled group leaves the workforce, and who will manage the continuing legacy of on-premises Active Directory.

If the newest team members are trained on Azure only, then how can organizations count on them maintaining and securing their on-premises Active Directory environments?

In this post, we will discuss what the succession plan should look like for future and current Active Directory admins and IT teams responsible for the management and security of both Active Directory and Azure Active Directory environments.

Approaching succession planning

Succession planning is a critical part of business continuity planning (BCP). The framework that defines it, COBIT (Control Objectives for Information and Related Technologies), was created by an organization called ISACA. An area that will soon (if not already) require succession planning is the governance of Active Directory. IT departments will need to be prepared to address the existential question: What happens if I lose all my Microsoft Certified System Engineers (MCSE) and I am left with an untrained staff to manage our on-premises Active Directory environment?

You may have heard the saying “all executive level staff can’t be on the same plane” as it pertains to corporate travel, the point being to avoid losing all the key members needed to run the company at once. The truth is, no company should ever have to worry about this scenario if it is properly prepared.

However, when speaking to many customers, the lack of succession planning has been a recurring concern, and these same people are rushing to figure out how to better approach it.

It’s important to note that you can build a custom plan using the COBIT RACI (responsible, accountable, consulted, and informed) by-role spreadsheet, which is included in the toolkit download provided here.

Creating a succession plan for Active Directory

There are several key areas to iron out when it comes to properly developing a succession plan for Active Directory admins. Here are a few ways to get started.

Review enterprise objectives and identify mission-critical operations

Ensure you have a complete listing of each system and how it works so that team members are aware of what you currently have in place and how your critical systems are configured.

Identify the positions that are critical to your enterprise operations

Mapping the responsible parties to the applications that keep the business running makes it easier to hire a replacement with the same skillset. Be sure to spend the time to identify, document and verify these roles.

Identify the candidates who have the required skills, knowledge and expertise

Once the Active Directory admins have been mapped to their product responsibilities, make sure your team cross-trains. If your organization fails to share knowledge with other team members, there will be no backups for these critical systems.

Develop a training plan for new team members

It’s important to understand who manages your on-premises Active Directory currently, and to start a mentoring program with the newer Azure-trained admin staff. The traditional on-premises Active Directory admins also need to learn and understand Azure AD management. Each team member should be experienced in both Azure AD and on-premises Active Directory.

Mentorships should also be started when new hires join the team. This should include having the most senior members teamed up with the newest/junior members. Without training, the next generation of workers will leave those systems without a pilot when older members retire.

Provide development opportunities

Incentivize merit increases and growth opportunities not only with project deployments, but also based on the successful training of less senior staff. This will also alleviate the problems around sick days and vacation. Without this, motivated workers may come to believe they are irreplaceable. Break that culture before it starts or progresses.

Perform a trial run of the succession plan to see whether those teammates can backstop

During yearly disaster testing, have newer mentees step in on certain processes to see that they are learning and understanding the concepts they are being trained on.

Maintain a skills inventory of all IT staff

Have subject matter experts list all of the products they are responsible for, to ensure faster replacement should an employee leave the organization or be out on vacation. Many times, when Active Directory admins take time off, a “skills” fire drill ensues, and suddenly your team is left fixing something they are unfamiliar with. This can lead to system misconfigurations that make the business more vulnerable to malicious attacks.

Prioritize security tooling

Next in line is future-proofing your Active Directory security software buying decisions. When searching out Active Directory security tools, make sure those tools will augment knowledge gaps. The tools chosen will need to account for the breadth and depth of Active Directory and Azure AD, as well as help Active Directory admins understand the risks in both environments. Built-in analytics that surface changes in Active Directory or Azure AD will warn the team of a potential threat as it develops. Built-in predictions in tools will backstop the loss of a team member who might have decades of knowledge of traditional on-premises AD. This should make for a smoother transition as well.

Root out trouble

Some employees close to retirement may entrench themselves in their jobs to protect themselves from being let go before retirement. A good way to incentivize them to train others is to tie that work to their bonus potential or pay increases. If the colleagues who back them up aren’t learning how to do their job, this should reflect on their job performance as well. It’s important to empower them by putting them in charge of the training. Start to combine the organization’s on-premises and cloud teams, and be sure not to silo your teams’ roles. The group rises when all members succeed. To put it in the simplest of terms, make everyone responsible for all roles regarding changes to AD and Azure AD. Too often, members hyperfocus on what they already know. Mentoring will help to ease these nerves.

Conclusion

As with any challenge, succession planning can run into roadblocks, including personalities as well as political and general resistance to change. When defining what success means to you, ensure it can be attained by all team members; otherwise you will set unrealistic expectations.

Lead by example, and make sure you invest in reliable Active Directory and Azure Active Directory security solutions that can help fill gaps. Backstop knowledge gaps by providing more training for team members. Provide time in the week for IT staff to train one another and to share roles when people are on vacation or take time off. Lastly, follow the outline that COBIT provides. Filling in the spreadsheet will allow you and your team to clearly understand what happens when a resource leaves.

This process doesn’t have to be scary; there is still plenty of time to gather your resources, sit with other managers and share the vision. Speak with your teams and make sure they understand the goals that lie ahead. Just be sure to manage your teams’ and other stakeholders’ expectations so that the message is understood by all.

About the Author

Jason Morano

Jason Morano is a pre-sales engineer at Quest Software serving Quest's commercial accounts and has a history of serving Federal and G500 customers. With over twenty years in the field working with Active Directory, ten of them as a Windows security analyst in the financial industry, he has received many certifications from Microsoft and SANS. Jason works with customers and guides their businesses on implementing more secure Active Directory infrastructures.