Aelita Software this week will introduce the first software that provides automated tools for reshaping Microsoft’s rigid Active Directory.
The company is introducing Enterprise Migration Manager (EMM), which allows users to combine different Active Directory architectures or split one directory into several directories, processes referred to as pruning and grafting.
These capabilities are already available in other products such as Novell's eDirectory.
EMM gives those who initially set up a single or multiple Active Directory forests -- a collection of domains, users and resources -- options to automatically change those configurations.
The need to combine or split directories may be prompted by divestitures or acquisitions. Users also may be compelled to move domains between forests or groups of users between domains because of corporate restructuring. Users may also want to split a single forest into multiple forests to establish security boundaries that are impossible to create between domains in a single forest.
One knock against Active Directory has been that once it is set up it is nearly impossible to make those sorts of changes, because Microsoft has yet to provide the necessary tools. Also, users who make implementation mistakes typically have to start over from the beginning.
For Community General Hospital in Syracuse, N.Y., Aelita's EMM made it possible to break away from a health alliance that dissolved into two separate hospitals. EMM was used to create two new and separate directories.
"We met with Microsoft and they said they did not have tools to do this," says Scott Elia, director of information systems for Community General. "We weren't in a position to just reshape the Alliance directory, we had to rip it in two."
Two new directory shells were built and EMM was used to migrate 1,000 users and 400 PCs over a period of nearly four weeks.
"Basically what we did was preserve the secure IDs that we had established," says Elia.
Secure IDs, or SIDs, are unique identifiers linked to access controls and given to each user in the Microsoft environment. Elia said the company did have to clean up SID histories and trust issues, but nothing that wasn't anticipated.
Aelita rivals Bindview, NetIQ and Quest offer Active Directory migration tools as part of their management suites, but they are not as advanced as EMM, according to experts.
While Aelita's EMM will help smooth those rough spots, it does not negate the fact that restructuring the directory is still a complex task that requires tinkering with underlying security mechanisms.
"Aelita has a very viable tool," says John Enck, an analyst with Gartner. "It's very flexible. Now the penalty for making a mistake when designing Active Directory is much lower."
EMM incorporates all aspects of Active Directory migration, including planning, analyzing source and target schemas, resolving naming conflicts, migrating security descriptors and domain trusts, demoting domain controllers and updating permissions. EMM also provides the option to roll back changes.
The wizard-driven software centers around the EMM Project Manager interface that installs on an administrative console. The software lets users state what they want to do, such as move organizational units, domains or users within or between forests. EMM will realign access controls and change profiles on a user's desktop as part of the migration, which can be broken into a series of smaller jobs and delegated among administrators.
EMM also allows administrators to create migration templates to reduce the chance of human error. The software also supports coexistence during the migration so users will not lose access to network resources. After the migration, Access Control Lists are matched with the SIDs in the new accounts.
EMM is available now and is priced at US$16 per user.