As you probably know, modernizing Active Directory offers a wealth of benefits — simpler management, higher business productivity, reduced costs, stronger security and cyber resilience, and more. But the process of getting there can seem quite daunting. What are the key stumbling blocks, both technical and non-technical? How will you demonstrate success? Should you consolidate to an existing directory, stand up a new forest or jump to the cloud?
This article addresses all those questions and more, providing the foundation you need to begin modernizing Active Directory with confidence.
Technical considerations
The first step in any Active Directory modernization project is to carefully and thoroughly assess the existing directory. While every environment is unique, there are common stumbling blocks. Paying particular attention to the concerns detailed below will help ensure that your project is successful.
Note that these considerations are equally applicable to small organizations and large enterprises — when it comes to Active Directory modernization, the challenges are tied far more closely to AD complexity than to organization size.
Forest and domain structure
Over time, IT environments in general and Active Directory in particular tend to grow increasingly complex. Indeed, a key driver for modernizing Active Directory is to tame an unwieldy AD architecture and associated clutter that make strong governance and security very difficult. Here are the key elements to pay attention to:
- Forests — Company reorgs and merger and acquisition (M&A) deals often result in multiple Active Directory forests that lack coherent governance and oversight. Consolidating these forests can be an important part of modernizing Active Directory.
- Domains — AD domains are often modeled after the organization’s structure; for example, you might establish one domain for your Chicago office and another for your Seattle office. But when a reorg or downsizing comes along, your carefully planned structure is rendered outdated in a heartbeat.
- Organizational units (OUs) — Objects in a given domain are often grouped into OUs, which often mirror the organization’s structure at a more detailed level; for instance, the domain for each office might have an OU for each department. Organizational changes like reorgs and M&As can upset the OU structure, but there is another cause of OU disarray: Organizations often create OUs that are meant to be temporary but that are never removed when the associated project or other purpose has run its course.
- Schema — The AD schema contains formal definitions of every object class that can be created and every attribute that an AD object can have. Today’s rapid technological advancements can mean that the most carefully planned schema needs to be updated. But making changes to your schema can cause serious business disruptions, so IT teams can resort to workarounds instead. Be sure to actively look for them when modernizing Active Directory.
Identity and access management
Moving down a layer, we come to the AD database for each domain. These databases are often also in dire need of cleanup. Indeed, as workers come and go, applications and data repositories are deployed and retired, and business needs change over time, AD databases can become cluttered with stale user and computer accounts, overprovisioned users, unneeded security groups, and so on. Cleaning up all identities and access rights is vital as you plan for modernizing Active Directory.
Of particular concern are highly privileged accounts, including business users with access to sensitive information and administrators with membership in powerful groups like Domain Admins and Enterprise Admins. Be sure to also take a hard look at all service accounts, which are often granted far more rights than they actually require.
It’s also essential to root out attack paths — chains of abusable privileges and actions that could enable an attacker who compromises a regular user account to gain administrative privileges in a handful of steps. With the right attack path management tool, you can visualize these attack paths and pinpoint the choke points they share; by mitigating them, you can dramatically improve security moving forward.
Group Policy
Group Policy is a powerful capability of Active Directory that empowers administrators to centrally manage users and computers across a domain. Organizations often have hundreds or thousands of Group Policy objects (GPOs) that they use to enforce password policies, deploy software, prevent users from installing applications on their machines, and much more.
The GPO infrastructure gets complex quickly. In particular, GPOs can have conflicting settings and organizations often have nested OUs. As a result, to determine exactly which settings are applied to which OUs, admins need to work through GPO precedence, override options and blocking of inheritance.
If you’re considering migrating to the cloud, there’s another hitch: There are no GPOs in Entra ID. After you gain a clear understanding of the current effective Group Policy, you’ll need to analyze how well it suits your future needs and develop appropriate policies in Microsoft Intune. There is no simple GPO-to-Intune migration path; the two are like apples and oranges.
Trusts
Organizations often establish trust relationships between their Active Directory domains and forests. They have a good reason to do so: Trusts help provide a seamless authentication and authorization experience for users, enabling them to access resources they need to do their jobs. However, an AD forest is meant to be a clear security boundary, and trusts are essentially bridges over those boundaries. Those bridges can not only be used by legitimate employees but abused by malicious insiders and adversaries keen to move laterally through the environment.
Unfortunately, like user objects and GPOs, trusts can outlive their usefulness. But without clear and detailed insight into what trusts exist and how they are being used, administrators can be extremely reluctant to remove them. Accordingly, it’s vital to understand and clean up your trusts before modernizing Active Directory.
Legacy applications and technologies
Another key consideration in modernizing Active Directory is your application estate. Many organizations have legacy software solutions that are critical to operations and revenue but difficult to migrate. For example, the product may no longer be supported by the vendor so there is no version that will run in the modernized environment. Or it might be a homegrown app that no one really understands — or for which there isn’t even any source code to review and update. It’s essential to both identify these applications and figure out how their functions can be provided in the modernized environment.
In addition, be sure to look for other legacy technologies and determine how you can phase them out, including insecure protocols like NTLMv1, legacy file shares, and unsupported operating systems like Windows Server 2003 and Windows XP.
Devices
Modernizing Active Directory usually also involves changes to devices, including the desktops and laptops assigned to business users. Users often have many custom settings and even personal data on their machines, from their icon layout to their chosen background photo. To avoid productivity issues and an onslaught of complaints from irate colleagues, you need to make sure that user profiles are faithfully preserved during your project.
This goal can seem out of reach, especially if you’re transitioning devices from domain-joined to Entra-joined. Microsoft offers a tool called Autopilot, but it is really designed for deploying new devices rather than migrating machines that are already in use. Autopilot will wipe the devices and reinstall the operating system — leaving you with the Herculean task of manually backing up and then rebuilding the profiles. Fortunately, there is a SaaS migration solution that empowers you to migrate Windows 10 & 11 devices to Entra ID quickly and easily, without reimaging and rebuilding profiles.
IT processes
In addition to assessing your AD infrastructure itself, it’s vital to look at all the processes you’ve built around it for things like Active Directory management, Active Directory security and Active Directory reporting. Over time, those processes can become lax or diverge from modern best practices. One common issue is failing to implement consistent processes and policies in the rush to complete the IT integration for an acquisition or merger.
Here are some top considerations to keep in mind while modernizing Active Directory:
- Security — Be sure to review your security practices in light of Zero Trust principles such as explicit validation, least privilege and assumption of breach. Remember that Microsoft no longer recommends the Red Forest security model in most cases; instead, look toward adopting the Enterprise Access model, which focuses on understanding and securing your most valuable assets, known as Tier 0 or the control plane.
- Naming — As part of the modernization plan, be sure to establish standard naming practices for users, computers, GPOs, security groups and other AD components. Rigorously following these standards will help ensure accurate provisioning, strong security, IT productivity, regulatory compliance and more.
- Lifecycle management — Look at your processes for creating and retiring AD objects, especially user accounts and security and distribution groups. Implementing lifecycle control policies can help you avoid the risks associated with AD object sprawl in your new environment.
- Shadow IT — To tackle shadow IT, it’s necessary but not sufficient to discover servers tucked away under employee desks and use of unauthorized cloud services. Also take a hard look at the processes that lead users to engage in shadow IT, such as lengthy and inflexible approval workflows and lack of communication about the reasons why shadow IT is dangerous. Then consider controls you can put in place to both prevent it and promptly uncover it if it sneaks through.
- Backup and recovery — Modernizing Active Directory is a great opportunity to ensure that you have an airtight AD disaster recovery strategy. Look for a solution that offers flexible backup options, easy granular recovery of individual AD objects and attributes, and quick forest recovery. If you are modernizing to a hybrid environment, ensure that you can restore cloud-only attributes like Microsoft 365 licenses, role assignments and Conditional Access.
Human considerations
Beyond the technical challenges involved with modernizing Active Directory, you need to pay attention to the people involved, including both IT pros and all your various business stakeholders.
IT teams: Overcoming skillset challenges
Under the best of circumstances, migrations are complex endeavors with many moving parts. Even IT pros who have extensive expertise in their own arena may never have been responsible for a migration project, especially one as critical as modernizing Active Directory.
Moreover, if your project involves transitioning between on-premises AD and Entra ID, you need to make sure that your IT teams have the appropriate skills. As noted earlier, moving to the cloud means creating Intune policies from scratch based on a thorough understanding of on-prem GPOs as well as the unique security realities in the Microsoft cloud. Your team will also need to know how to transition devices from domain-joined to Entra-joined — and be prepared to manage them securely and efficiently. Beyond that, they will need to know how to manage and govern Microsoft 365 workloads like SharePoint and Teams. Simply reading a book or taking an online course is woefully insufficient, so get them started on the journey to proficiency in cloud technologies as soon as possible.
Note that some organizations face the opposite challenge: They are cloud based and acquire an organization with a lot of premises infrastructure and associated technical debt. In that case, their IT pros probably lack the necessary AD expertise to perform the IT integration.
In either case, it can be wise to consider partnering with migration experts who have completed many successful projects and are flexible about how much your in-house team wants to take on.
Business stakeholders: Proving the success of your project
To ensure that your project is considered a success, be sure to identify all stakeholders and understand their goals and priorities. As discussed earlier, particular departments might rely on a critical legacy application and need to have sufficiently similar functionality in the modernized environment. The CTO, meanwhile, might be focused on controlling costs by reducing the on-prem infrastructure footprint and even eliminating the local data centers altogether.
Document your findings and be sure to get sign-off about your specific goalposts for success in modernizing Active Directory.
One solution. Many workloads.
Planning considerations
Once you understand your current environment and what success looks like, you can move on to planning the project. Modernizing Active Directory can take several different forms:
- Consolidating to one of your existing forests
- Moving to a new forest (often called a greenfield)
- Migrating to the cloud, either totally or hybrid
The best choice depends on your organization’s specific situation and goals. Moving to a greenfield can be a rare opportunity to start with a clean slate, rather than trying to merge into an existing directory that, even after cleanup, may be less than ideal, especially if your schema needs to be revised. However, it can be a longer and more involved process.
Moving to the cloud is often an attractive option. It enables you to embrace Microsoft’s vision of the future and reap the associated benefits. Many valuable new capabilities are available first in Entra ID, and sometimes only in Entra ID. Organizations that have technological, business, compliance or other reasons for maintaining an on-prem AD can opt for a hybrid directory with synchronization. If you choose to adopt Entra ID, be sure to review these common cloud migration challenges.
Key takeaways
Modernizing Active Directory is not just an attractive pipe dream; it’s an achievable goal. Start with a thorough assessment of your current environment, paying particular attention to the technical considerations outlined above. Make sure you have the right skills in place, whether in house or through a trusted partnership, and work with all stakeholders to clearly define what success looks like. Then choose your migration path and start planning in earnest. With the right migration tool and the right partner, the journey can faster and easier than you thought possible.