Presentation

Active Directory Migration
How Cisco IT Migrated to Microsoft Active Directory
A Cisco on Cisco Case Study: Inside Cisco IT
Presentation_ID
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
1

Overview
- Challenge
  Deploy a single directory solution for all NOS directories as well as an enterprise directory
- Solution
  Migrate to Microsoft Active Directory, automating the migration and provisioning processes as much as possible
- Results
  ROI in 16 months: anticipated 48-month savings of $5.8 to $8.1 million
- Next Steps
  Migrate MeetingMaker and POP email server directories

Challenge: Consolidate Multiple Directories
- Cisco IT maintained separate NOS and Lightweight Directory Access Protocol (LDAP) directories for each application
  Mail servers, MeetingMaker calendar servers, various Oracle applications, Windows, UNIX, and Macintosh desktops
  50+ directories in the lab environment alone!
- Users had to keep track of multiple user accounts and passwords
- Administrators had to be trained on different systems and update multiple directories as employees joined or left Cisco
- Cisco developers had to write different code for every directory their applications would access

Challenge: Reduce Directory Costs and Maintenance Requirements
IT faced its own set of problems relating to maintaining multiple directories:
- High costs
  Training to support each directory
  Licensing fees
- Complicated compliance with the Sarbanes-Oxley Act
  The more directory environments, the harder it is to enforce appropriate access for each individual
- Accountability
  If a problem emerges, which directory group is in charge?

Solution: Microsoft Active Directory
- Active Directory provides all functions that Cisco IT needs, in one product:
  Enterprise directory
  NOS directory
  LDAPv3
  Public Key Infrastructure (PKI) and Kerberos security services
  Network device management capabilities
- No separate license fee because it’s built into the Windows operating system

Solution: Consolidate to Active Directory

Solution: Architecture
- Deployed in 12 locations on the Cisco all-packet network (CAPnet)
- High bandwidth enables fast response for Cisco users worldwide as they authenticate
(Map of deployment sites: CHM, LON, AMS, BEI, RTP, BRU, SJC, SIN, RCH, BGL, SYD)

Solution: Geography-Based Domains
- Five domain controllers at each deployment site:
  Root domain
  Three child domains based on geography
  Redundant domain for local geography
- Cisco employees who travel can be authenticated locally

Solution: Geography-Based Domains (Contd.)
- Authentication time reduced from minutes to seconds in some cases
(Diagram: forest root domain Cisco.com with three geographic child domains, AsiaPac.cisco.com, Americas.cisco.com, and EMEA.cisco.com. Organizational units shown: Users (Active / Inactive), Groups, Computers (Workstations / Servers), Printers, Applications. Legend: Active Directory Domain; Organizational Unit.)

Solution: Automated Migration
- Automating migration reduces business risk
- Cisco IT developed an automated utility to migrate from the previous Windows NT 4 NOS directories
  Populates user accounts in Active Directory
  Migrates group accounts from Windows NT4 to Active Directory
  Migrates security identifiers (SIDs)

Solution: Automated Migration
- Script launches when the user logs in to Windows NT4
  Enables the Active Directory user account
  Sets password
  More
- 99% of Cisco users migrated to Active Directory with no human intervention

Solution: Automated Provisioning
- Motto: “Provision as much data as possible, master as little data as possible in Active Directory”
- 100 batch-provisioning scripts run at scheduled intervals ranging from 15 minutes to 24 hours
  Employees (feed from the PeopleSoft HR system)
  Groups
  SID history
  Mailboxes
  Mail aliases
  Printers
  Site topology
  Schema extensions
  Organizational units

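The slide's motto, provision from an authoritative source and master as little as possible in the directory, is the joiner/mover/leaver pattern. The script below is an added example and not one of Cisco IT's provisioning scripts: it assumes a CSV export from the HR system (constructed sample rows) as the master and a constructed snapshot of directory accounts keyed by sAMAccountName, and it computes the actions a provisioning run would take without ever touching accounts the feed does not own.

```python
"""Reconcile an authoritative HR feed against a directory snapshot.

Added example, not Cisco IT's provisioning code. The HR feed and the
directory snapshot below are constructed sample data. The directory is
treated strictly as a provisioning target: the feed decides who exists,
who moved and who left; the directory is never the master.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed HR feed. employee_id is the stable key; status is the
# authoritative statement of whether the person is still employed.
HR_FEED = """employee_id,sam_account,display_name,department,status
100001,jdoe,Jane Doe,Engineering,active
100002,bsmith,Bob Smith,Finance,active
100003,rlee,Rita Lee,Sales,terminated
100004,mchan,Mei Chan,Engineering,active
"""

# Constructed directory snapshot keyed by sAMAccountName. 'managed' marks
# accounts owned by the provisioning process; anything else (for example a
# service account) is left alone even though it is absent from the feed.
DIRECTORY = {
    "jdoe":   {"employee_id": "100001", "display_name": "Jane Doe",  "department": "Engineering", "enabled": True, "managed": True},
    "bsmith": {"employee_id": "100002", "display_name": "Bob Smith", "department": "Marketing",   "enabled": True, "managed": True},
    "rlee":   {"employee_id": "100003", "display_name": "Rita Lee",  "department": "Sales",       "enabled": True, "managed": True},
    "tkim":   {"employee_id": "100005", "display_name": "Tom Kim",   "department": "Support",     "enabled": True, "managed": True},
    "svc-backup": {"employee_id": "", "display_name": "Backup Service", "department": "", "enabled": True, "managed": False},
}

# Only these attributes are provisioned from HR; everything else in the
# directory stays under local control.
PROVISIONED_ATTRS = ("display_name", "department")


@dataclass
class Plan:
    create: list = field(default_factory=list)    # (sam, attributes)
    update: list = field(default_factory=list)    # (sam, changed attributes)
    disable: list = field(default_factory=list)   # sam of leavers
    untouched: list = field(default_factory=list) # accounts outside the feed's scope


def parse_feed(text):
    """Return the HR rows keyed by sAMAccountName."""
    return {row["sam_account"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(feed_text, directory):
    """Compute the provisioning actions that bring the directory in line with HR."""
    feed = parse_feed(feed_text)
    plan = Plan()

    # Pass 1: walk the feed (joiners, movers and explicitly terminated leavers).
    for sam, row in feed.items():
        entry = directory.get(sam)
        if row["status"] != "active":
            # Leaver still enabled: disable rather than delete, so the SID,
            # group memberships and audit trail are preserved for review.
            if entry and entry["managed"] and entry["enabled"]:
                plan.disable.append(sam)
            continue
        if entry is None:
            plan.create.append((sam, {a: row[a] for a in PROVISIONED_ATTRS}))
            continue
        if entry["employee_id"] != row["employee_id"]:
            # A name collision between two people must never silently
            # hand an existing account to a different employee.
            raise ValueError(f"{sam}: employee_id mismatch, refusing to overwrite")
        changes = {a: row[a] for a in PROVISIONED_ATTRS if entry.get(a) != row[a]}
        if not entry["enabled"]:
            changes["enabled"] = True  # rehire: re-enable the existing account
        if changes:
            plan.update.append((sam, changes))

    # Pass 2: managed accounts that vanished from the feed are leavers too.
    for sam, entry in directory.items():
        if not entry["managed"]:
            plan.untouched.append(sam)
        elif sam not in feed and entry["enabled"]:
            plan.disable.append(sam)
    return plan


if __name__ == "__main__":
    plan = reconcile(HR_FEED, DIRECTORY)
    for action in ("create", "update", "disable", "untouched"):
        print(f"{action}: {getattr(plan, action)}")
```

The two passes matter: pass 1 catches people the HR system explicitly marks as terminated, pass 2 catches accounts that simply disappeared from the feed, which is how most stale accounts actually arise. The employee_id check guards the one case where provisioning from a feed can go badly wrong, a sAMAccountName collision between two different people.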
Solution: Automated Updates to Network Topology
- Directory services provide the network topology
  IT staff refer to the topology to find the fastest connection to network resources
  An incorrectly configured site topology can affect the availability of directory-enabled applications
- Active Directory requires manual topology updates
  But the Cisco network changes daily, making manual updates impractical
- A challenge begging for automation…

Solution: Automated Updates to Network Topology
- Cisco IT wrote a script that automatically updates the topology each day
  The script pulls config files from Cisco routers and then injects this information into Active Directory

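The two topology slides describe a daily job that derives the Active Directory site topology from router configurations. The script below is an added example, not Cisco IT's script: it assumes IOS-style config excerpts (constructed here) in which each router's hostname starts with a three-letter site code matching the AD site name, and a constructed snapshot of the subnet table currently held in AD Sites and Services. It builds the subnet-to-site map, flags the two misconfigurations that break site-aware authentication (the same subnet claimed by two sites, and a subnet nested inside another site's subnet), and diffs the result against the current table. Writing the result into the directory is left out; this is the part that decides what is safe to write.

```python
"""Derive an Active Directory subnet-to-site map from router configs.

Added example, not Cisco IT's topology script. Assumptions: IOS-style
configs whose hostname begins with a three-letter site code that matches
the AD site name, and a constructed snapshot of the current AD subnet table.
"""
import ipaddress
import re

# Constructed router config excerpts. The hostname prefix (sjc, lon, sin)
# is assumed to be the AD site code.
ROUTER_CONFIGS = [
    """hostname sjc-core1
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.254.0
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
""",
    """hostname lon-core1
interface Vlan10
 ip address 10.2.10.1 255.255.255.0
interface Vlan30
 ip address 10.1.10.1 255.255.255.0
""",
    """hostname sin-core1
interface GigabitEthernet0/1
 ip address 10.1.21.1 255.255.255.0
""",
]

# Constructed snapshot of what AD Sites and Services currently holds.
CURRENT_AD_SUBNETS = {"10.1.10.0/24": "SJC", "10.9.0.0/16": "RTP"}

HOST_RE = re.compile(r"^hostname\s+([a-z]{3})-", re.M)
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)


def subnets_from_config(config):
    """Return (site code, set of IPv4Network) for one router config."""
    m = HOST_RE.search(config)
    if not m:
        raise ValueError("hostname without site code")
    site = m.group(1).upper()
    nets = set()
    for ip, mask in ADDR_RE.findall(config):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 32:
            continue  # loopbacks and host routes are not client subnets
        nets.add(net)
    return site, nets


def build_site_map(configs):
    """Merge all routers into one subnet->site map and report misconfigurations.

    conflicts: the same subnet claimed by two different sites (the later claim is dropped).
    overlaps:  a subnet nested inside another site's subnet; AD will use the most
               specific match, which is usually not what the network team intended.
    """
    site_of = {}
    conflicts = []
    for cfg in configs:
        site, nets = subnets_from_config(cfg)
        for net in nets:
            owner = site_of.get(net)
            if owner and owner != site:
                conflicts.append((str(net), owner, site))
                continue
            site_of[net] = site
    overlaps = []
    ordered = sorted(site_of)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if (a.subnet_of(b) or b.subnet_of(a)) and site_of[a] != site_of[b]:
                overlaps.append((str(a), site_of[a], str(b), site_of[b]))
    return {str(n): s for n, s in site_of.items()}, conflicts, overlaps


def plan_changes(desired, current):
    """Diff the derived map against the current AD subnet table."""
    add = {n: s for n, s in desired.items() if current.get(n) != s}
    remove = {n: s for n, s in current.items() if n not in desired}
    return add, remove


if __name__ == "__main__":
    desired, conflicts, overlaps = build_site_map(ROUTER_CONFIGS)
    add, remove = plan_changes(desired, CURRENT_AD_SUBNETS)
    print("conflicts:", conflicts)
    print("overlaps:", overlaps)
    print("add:", add)
    print("remove:", remove)
```

In a real daily run the job should refuse to push anything while conflicts is non-empty, and treat remove as a review list rather than an automatic deletion: a subnet that drops out of a router config because the router was unreachable that night is exactly the kind of change that, if applied blindly, sends clients to a distant domain controller and produces the availability problems the previous slide warns about.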
Solution: Replication
- The multi-master replication feature in Active Directory replicates a change made at any of Cisco’s 12 Active Directory sites
- High bandwidth at CAPnet sites avoids bandwidth clogging during replication
- To ensure rapid recovery during disasters, Cisco IT masters data in a separate database, not Active Directory
  Reduces risk
  Improves auditing
  Provides IT with greater control over which system administrators can make changes, and how often

Solution: Web-Based Proxy Management
- Local changes to a domain controller result in inconsistent server configurations, which complicate maintenance
- Cisco IT developed a Web-based proxy service
- Local configuration changes are now made on the server; the Active Directory data itself remains unchanged

Results: ROI in 16 Months!
- Migration accomplished for $630 per Windows desktop, a result of the automated migration utility
  Compares to a $2,100 to $3,000 industry average (source: Gartner)
- One-time migration cost savings: $1.5 million
- 48-month operational cost savings for Windows services: $2.3 million

Results: ROI in 16 Months! (Contd.)
- 48-month operational cost savings for UNIX services: $2 million compared to Sun One or $4.3 million compared to Sun Network Information Services (NIS+)
(Chart: cumulative cost, $0 to $4,000,000, against time in months, 1 to 49, with one line for cumulative cost without automation and one for cumulative cost with automation; breakeven at 16 months; cumulative savings to Cisco after 48 months: $2.3 M)

Next Steps: Migrate Other Directories
- MeetingMaker directories
- POP mail server directories

To read the entire case study, or for additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
www.cisco.com/go/ciscoit