Until we had a consolidated Active Directory with a single identity for users, we would not be able to bring the modern workplace systems we wanted into the business.
BAM is a leading construction, facilities management and property services company and is part of Royal BAM Group. The company delivers integrated solutions that include everything from the design and construction of new facilities to managing the buildings. BAM operates across the commercial, education, science and laboratory, justice, residential, and heritage sectors, and has a network of offices in the United Kingdom, Ireland and mainland Europe.
The company has grown over the years through strategic acquisitions. In time, the IT environment comprised six separate Active Directory domains, as well as one Microsoft 365 tenant that all the AD domains were synched with. This complexity was standing firmly in the way of vital business goals. Accordingly, Jeremy Mumford, the newly appointed Global Director of Infrastructure & Cloud, laid out a new business strategy to consolidate the company’s IT footprint with Active Directory as the focal point.
“Until we had a consolidated Active Directory with a single identity for users, we would not be able to bring the modern workplace systems we wanted into the business,” explains Himesh Katechia, IT Business Partner at BAM, who served as project manager for the migration project. “One of the biggest ones was the BAM modern workplace — laptops shipped straight from source, built in the user’s home environment, connected to the internet, and so on — to make the user journey a lot easier.”
But enabling user productivity is only one benefit of AD consolidation. “Equally important, using a single domain enables you to enhance security,” adds Katechia. “When you have to manage seven separate directories, you cannot centralize your processes or principles. For example, different parts of the business were using different antivirus software and different security solutions on the desktop, which increased risk. By having a single Active Directory architecture and making a single team responsible for it, we knew we could significantly reduce our attack surface footprint.”
In addition to laying out the AD consolidation strategy, Mumford had the right tool for the job: On Demand Migration by Quest. “We didn’t even really look at any competitors because our director’s recommendation was spot on: The Quest migration solution was the tool to use to get our AD consolidation project done,” Katechia reports. “When we had a demo and saw its capabilities for ourselves, we were sold. In fact, it’s such a powerful tool that in the end, I don't think we touched more than 30 or 40 percent of its full capabilities because our requirements didn't need it.”
The IT team installed the solution, developed a solid migration plan and was ready to begin testing. Then the Covid pandemic struck. Like companies around the world, BAM shifted its technology focus to enabling remote work, and major projects like the Active Directory migration had to be put on hold.
In time, however, the project made its way back up the priority list. After all, consolidating to a single AD domain was an enabler for many of the company’s business goals, and the team knew the project’s success was vital. Still, it was clear that the original project plan had to be completely revamped, since neither the IT team nor the business users were able to come into the office due to pandemic restrictions.
“We met with the Quest team to figure out a new approach,” Katechia recalls. “Then came the light-bulb moment: Can we do the migration remotely? Our people are connecting in and working. So could we use our various remote technologies instead of doing the offline domain join that was part of the product?”
Together, the experts at BAM and Quest brainstormed a new strategy and then developed new scripts and processes to enable remote migration. The BAM team created new firewall rules, added security certificates and made other necessary technical changes.
“We saw that we could make it work without having to ask users to travel anywhere — as long as they have an internet connection, we'd be able to migrate them,” notes Katechia. “We tested it using some dummy accounts and it worked. Then we moved on to several members of the IT team; I was successfully migrated sitting at home. We were able to configure a machine on the old domain and launch the process, and it would reboot through the user’s home internet connection and reconnect to the new domain.”
The stakes were high. The AD consolidation project needed to go forward because it was an enabler for so many other projects. Yet the process was brand new, and the company could not afford for users to not be able to work. So the IT team developed a thorough plan, with mechanisms in place for things that might go wrong.
The results were an unqualified success. “We consolidated some 6,000 user objects into a single Active Directory — and impacted less than 5 percent of users who needed us to do something like remount their laptop,” reports Katechia. “And keep in mind, those users came from six different domains with vastly different architectures and modes of operation. For example, we migrated one user while she was on a plane to Jamaica for holiday, as well as someone who was stuck in Pakistan because flights had been canceled due to the pandemic. We even migrated a site manager as he continued his duties in his truck. It just worked.”
The project also involved a tenant migration, which worked equally well. “We had only one tenant; all six domains had been set up to synchronize into it,” Katechia explains. “Once we started moving all the users into the target domain, we were able to move the syncs with it, and now everyone is able to use critical applications like Microsoft Teams, Exchange Online, SharePoint Online and OneDrive.”
The migration process did have to be adjusted for different groups based on their VPN technology; some used Microsoft DirectAccess (MDA), while others used a third-party VPN client. However, the construction side of the business was using Cisco AnyConnect, and BAM was not licensed for the module the team needed. So they waited until the pandemic restrictions were eased and rolled out Microsoft Always On VPN to those users as part of a Windows 10 feature update. Then the users were given the choice of either coming into the office to be migrated or doing it from home; about 60% of those 2,000 users were migrated remotely.
Another hiccup came when business strategy changed while migrations were already in progress. “BAM decided to divest our two German companies and part of our Belgium operation,” Katechia remembers. “We were 10 percent through one migration and 5 percent through another when the new business directive was shared and we needed to change course. Working with Quest, we were able to use the same tool to re-do the migrations but in reverse.”
Thanks to the pandemic and the need to develop a new remote migration strategy, BAM’s journey to a single AD domain was more complicated than expected. But the effort has paid off in a multitude of ways. “The AD consolidation opened up all the possibilities that we were restricted from doing previously,” notes Katechia. “The greatest benefit was paving the way for the BAM modern workplace. Before, one team may have been using really good apps, such as our powerful Digital Construction Workspace VDI Platform, but none of the other users could get to them. Now they can. We've also been able to launch a number of global systems that, if we had not done the AD consolidation, would have required lots of architecture reconfiguration and complex synchronizations but that now work right out of the box.”
But the benefits do not stop there. “We've strengthened cybersecurity and simplified a wide range of IT management tasks,” Katechia adds. “And we’ve all moved from the variety of different email extensions we were using to BAM.com. That’s a softer benefit, but it looks nice and is important from a branding standpoint.”
The partnership between BAM and Quest was a clear win-win. “The support we got from the Quest experts was brilliant,” says Phil Harvey, Global Active Directory Manager at BAM. “Together, we developed a new process and supporting technical capabilities for performing migration remotely, which has become a key selling feature of the Quest migration solution. It was extraordinary to be part of making remote migration a reality.”