“We’ve been managing our W2K servers manually ourselves, standalone, with no specialist tools. That means our administrators are connecting to every server separately to make entry updates. An admin might have as many as 200 servers that he’s involved in managing,” explains McGlinchey.
There’s probably a sense of pride coming through his voice as he points out that Gartner Group suggests a ratio of between 50 and 75 servers per administrator, while he claims to be operating more in the 100 to 150 range. “Every server has primary and secondary support, so it works out that each admin might be making changes to up to 200 servers.”
Each internal customer was granted access through a separate, server-local security identifier (SID) on every server they used, so one person might have hundreds of SIDs, none of them related to each other. In an environment like that there is no easy way to find out who has access to which server or service without trawling through every server.
FINDING WHERE TO START
It wasn’t too surprising that Active Directory appealed to McGlinchey, but he hit something of a wall in working out how to get there. He took a quick look at the Microsoft tools for the job and wasn’t impressed. Most products on the market that offered any help with migration assumed that a company already had either a previous version of Active Directory that it wanted to merge, or was moving from the NT 4.0 platform, again migrating from some other directory.
But he was virtually in start-up mode, with 700 servers already in place and nothing to migrate from but raw, manual account administration.
McGlinchey called in a Hewlett-Packard services team to help with the project, but first went looking for a systems management tool to help with the migration. He disqualified a few products because of that assumption that he was moving off another directory product, and then put NetIQ tools head to head with those from the small AD specialist he eventually selected, Aelita.
The team was working to a return on investment calculation based on saving about 25% of administration man-hours, which would mean that BMS would not have to increase administration staffing for the systems for two to three years. Had he carried on as he was, McGlinchey would have been adding staff at 10% per year. Built into those savings was an amount for systems management tools, and by negotiating a master agreement directly with Aelita the total tools price stayed under budget.
MOVING AWAY FROM THE PRICE LIST
When negotiating for 60,000 seats you have the purchasing power to get off the publicly quoted pricing, and BMS has its own IT negotiation specialists who manage this process. It has years of experience and has had a Select agreement with Microsoft for the past decade or so, as have most very large US corporate IT departments.
With HP’s help McGlinchey entered a six-month design phase, documenting a migration and design methodology, testing the migration in key departments among some of the larger user communities until he was happy he was on the right track. “We wanted to do it right and take our time,” he said.
The actual cutover will still take from June this year to June next, with a slowly paced pilot executing handfuls of conversions to AD and, once the bugs are out of the process by September or October, ramping up to 50 and then 75 servers a month. Each machine has to be taken offline, have a new set of user accounts created on it, be tested, and then be recommissioned with all the right access permissions in place.
THE KEY TO SUCCESS
The key to the Aelita contribution is a set of reporting tools that reliably find all those permissions on all of those servers so they can be entered once into the new system.
Active Directory then replicates the accounts and group memberships entered once to every domain controller, so a single identity carries across all the live AD repositories; that, after all, is the whole reason for having a global directory service. The per-server file and service permissions still have to be re-pointed at those new identities, which is what the recommissioning step above is for.
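The trawl the page says cannot be avoided by hand is scriptable. What follows is an added example, not code from the article, from BMS or from Aelita: it inventories local group membership across a list of servers over WinRM and groups the results by account name, so a person who exists as a separate local account on each server shows up with one row per server and a matching distinct-SID count, while a domain account shows up with one SID everywhere. The server names, group names and output path are assumptions; it needs PowerShell 5.1 or later on the targets (for Get-LocalGroupMember) and local administrator rights there.

```powershell
# Added example (not BMS's or Aelita's code). Assumed server names, group
# names and output path; WinRM must be enabled on the targets.
$servers = @('srv-app01', 'srv-app02', 'srv-db01')
$groups  = @('Administrators', 'Remote Desktop Users', 'Users')

# Run the enumeration on each server in parallel over WinRM.
$inventory = Invoke-Command -ComputerName $servers -ArgumentList (,$groups) -ScriptBlock {
    param([string[]]$groupNames)
    foreach ($g in $groupNames) {
        # Get-LocalGroupMember reports each member's SID and whether it is a
        # Local or ActiveDirectory principal (PrincipalSource).
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                Group   = $g
                Member  = $_.Name                     # e.g. SRV-APP01\jsmith or CORP\jsmith
                Account = ($_.Name -split '\\')[-1]   # bare name, to match one person across servers
                SID     = $_.SID.Value
                Source  = [string]$_.PrincipalSource  # Local or ActiveDirectory
                Class   = [string]$_.ObjectClass      # User or Group
            }
        }
    }
}

# Who has access where, without opening a console on each server.
$byAccount = $inventory | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account      = $_.Name
        ServerCount  = ($_.Group.Server | Sort-Object -Unique).Count
        DistinctSIDs = ($_.Group.SID    | Sort-Object -Unique).Count   # >1 means per-server SID sprawl
        LocalEntries = ($_.Group | Where-Object Source -eq 'Local').Count
        Servers      = ($_.Group.Server | Sort-Object -Unique) -join ';'
    }
} | Sort-Object DistinctSIDs, ServerCount -Descending

$byAccount | Format-Table -AutoSize

# The server-local user accounts are the ones a migration must collapse into
# one AD identity each; this list is the migration worklist.
$inventory | Where-Object { $_.Source -eq 'Local' -and $_.Class -eq 'User' } |
    Export-Csv -Path .\local-accounts-to-migrate.csv -NoTypeInformation
```

An account whose DistinctSIDs equals its ServerCount is exactly the case the page describes: one person, one unrelated SID per server. After migration the same report should show every human account with Source ActiveDirectory and a DistinctSIDs of 1; any remaining Local user rows are servers the cutover missed.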
McGlinchey only gets animated, if not agitated, at the suggestion that his existing Novell network with the famous NDS directory could have been used for all of this. “We use Netware for file and print. There’s no way that we could use it for this job, it can’t work with W2K. Novell NDS was supposed to manage NT 4.0. You just changed a couple of DLLs within NT and NDS could interoperate. But that was five or six years ago and it was a horror story. You don’t want to go there. We tried it across a very large space here at BMS, and Novell just didn’t have its act together. It was never truly production reliable.”
BACK TO BRASS TACKS
The animation is switched off once he gets back to his migration. Once this is done he is intent on moving on up through Windows Server 2003 and the improved support it has for Active Directory. “There are some advantages in Active Directory in the way replication works and how passwords get changed and replicated. But we want to let it age a little before beginning to shift there. We’ll wait until Service Pack 1.0.
“And once we have moved every server over to AD we plan to use something Aelita calls Role Space Management, where you define a role within the company and just grant security to the function, not to an individual person, and instead you put people into a function. Security is very difficult to maintain without something like that, and by then we could have a common access model across all of our servers.” And as we saw at the outset, for any pharma company, clearly defined security has to be high on its agenda.
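The access model McGlinchey describes, rights granted to a function rather than to a person, is the standard AD role-group pattern: users join a global group for the role, the role group is nested into a domain-local group that carries the permission on the resource, and no individual ever appears in an ACL. The following is an added example of that pattern in plain Active Directory cmdlets; it is not Aelita's Role Space Management product and not BMS's configuration. The domain, OU, group names, share path and user name are all assumptions, and it needs the ActiveDirectory module and rights to create groups and change the share's ACL.

```powershell
# Added example (not Aelita's or BMS's code). Assumed domain CORP, OU, group
# names, share path and sAMAccountName; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ou    = 'OU=Groups,DC=corp,DC=example'
$role  = 'Role-ClinicalData-Analyst'    # the job function people are placed into
$res   = 'Res-ClinicalData-Modify'      # the permission on one resource
$share = '\\srv-app01\ClinicalData'

# Role group: global, holds people. Resource group: domain local, holds roles.
New-ADGroup -Name $role -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name $res  -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $res -Members $role

# Only the resource group is ever written into the ACL.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    "CORP\$res", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Joining or leaving the function is a group change, not an ACL change on
# any server; the same role can be nested into resource groups on 700 servers.
Add-ADGroupMember    -Identity $role -Members 'jsmith'
Remove-ADGroupMember -Identity $role -Members 'jsmith' -Confirm:$false

# Audit: the ACL should name only resource groups, never individual users.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -notmatch '^(BUILTIN|NT AUTHORITY)\\' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The audit at the end is the check worth keeping: once every server's ACLs name only Res-* groups, answering "who can modify clinical data" is one Get-ADGroupMember -Recursive query against the resource group rather than a trawl of every server, which is the common access model the quote is after.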