A drastic optimization of costs with Microsoft Active Directory and Microsoft Exchange

Case study: State Revenue Service of Latvia

Prepared by DPA
www.dpa.lv
Ph. +371 67509900
email: dpa@dpa.lv
DPA consolidates State Revenue Service of Latvia (SRS) Microsoft Active Directory and Microsoft Exchange infrastructure and reduces the quantity of servers by 90%.

Existing situation and problems to be solved

SRS Microsoft Exchange

In 2007 the SRS Microsoft Exchange system was an obsolete, unsupported version: unstable in operation, complex and expensive to maintain, and not compliant with today's requirements.

The SRS Microsoft Exchange solution in 2007 consisted of 62 Exchange 5.5 servers that were physically located at 40 different sites. These servers were maintained by SRS regional administrators together with the IT staff of the SRS Central office.

Exchange version 5.5 contains its own directory, where account and mailbox information is kept. This information is mostly duplicated by Active Directory, which in this case served as a register of domain servers and workstations, accounts and security groups. In an infrastructure with several thousand accounts, such double bookkeeping inevitably leads to inconsistencies between the directories, strange Exchange problems, and difficulty in delegating rights to Exchange resources precisely.

Likewise, keeping this quantity of servers running entails huge maintenance costs. The servers must be kept in well ventilated and cooled premises, secured with UPS power supply facilities, spare parts and controlled access, and looked after by competent servicing staff. Sufficient free space must be maintained on system and database disks, system patches must be installed, anti-virus software must be taken care of, regular data backups must be performed, and data restoration from these backups must be tested on a regular basis. The cost of the Microsoft Windows Server and Microsoft Exchange Server licenses gives an idea of the scale of financial investment needed to develop this system.

SRS Active Directory

In 2008 the SRS Microsoft Active Directory system was mainly decentralized. Its structure was composed of one forest, one tree, one forest root domain and 39 subdomains, totaling 40 domains. The directory as a whole consisted of 112 domain controllers, which were located in different SRS premises in Riga and the regional offices. The major part of these servers was configured as DNS and DHCP servers.

The greatest deficiencies of this system were too many domains, too many domain controllers, a complex and decentralized DHCP infrastructure, and a security and administrative rights policy that was hard to control.

The huge number of domains did not match SRS IT infrastructure and business requirements. Maintenance, supervision and control of such an Active Directory infrastructure consume time and human resources unnecessarily, leading to high expenses.

Having too many domain controllers is related to the quantity of domains, i.e., every domain needs at least two domain controllers. Every domain controller entails additional costs for devices, software support, installation and maintenance.

The majority of the domain controller servers were used for several business applications as well. Such coexistence of roles on a single server is not advisable from the point of view of maintenance, because problems in one use frequently cause failures in the other systems.

The SRS DHCP infrastructure in 2008 consisted of 80 DHCP servers and 54 IP subnets. Maintaining such a number of static IP configurations in various combinations on 80 servers is expensive and creates control problems.
One of the key problems in the SRS Active Directory infrastructure was the complex administrative rights model. With 40 domains, each with one administrator responsible for that specific domain, it is very difficult to obtain a unified, safe and sufficiently controlled result.

Solution

The SRS Active Directory consolidation project was the reason DPA was awarded Microsoft CEE Advanced Infrastructure Solutions, Active Directory Partner of the Year 2009. DPA is the only nominated Baltic IT company.

The Advanced Infrastructure Solutions, Active Directory Partner of the Year award honors partners who have practices with proven proficiency in implementing solutions based on Windows Active Directory Domain Services and who have delivered exceptional solutions in the past year.

Juris Vilders, DPA managing director: "Latvia is not a small country in the IT context: we can deliver high-class solutions. The SRS infrastructure consolidation project was a valuable professional challenge from both the technical and the project management point of view. Many high-class Microsoft specialists were involved in the project team, and we are proud of the great results and this international prize for excellence."

SRS Microsoft Exchange restructuring

From September 2007 until March 2009 the restructuring of the SRS Microsoft Exchange and Microsoft Active Directory directory and e-mail systems was performed. During this time the SRS Active Directory infrastructure was consolidated from a 40-domain infrastructure into a 1-domain Active Directory infrastructure. The number of necessary servers was remarkably reduced.

The new infrastructure consists of 11 physical Microsoft Exchange Server 2007 servers and two Fibre Channel shared disk data arrays. There are two Exchange mailbox role servers, SRSMBX1 and SRSMBX2, which are configured in a three-server failover cluster with a shared disk array as the data storage. The Client Access Server role is placed on two servers, SRSCAS1 and SRSCAS2, that are configured in an NLB cluster. Similarly, the Exchange HUB Transport role is carried by two servers, SRSHUB1 and SRSHUB2, that also form an NLB cluster. The Exchange Edge Server role servers SRSEDGE1 and SRSEDGE2 are placed in the DMZ; in turn, the Microsoft ISA Server 2006 servers SRSISA1 and SRSISA2 are responsible for publishing the Exchange Outlook Web Access and Outlook Mobile Access services to remote SRS users.

Microsoft does not support a direct transition from version 5.5 to 2007. Because of this, the migration was done with Quest Exchange Migration Wizard. With the aid of this software, coexistence was established between the old and the new Exchange infrastructures, and afterwards the Exchange mailboxes were migrated.

The project covered an overall study and documentation of the old infrastructure, planning and development of various versions of the new infrastructure, design of the chosen version, testing of the pre-migration works, migration to the new infrastructure and, at the end of the project, training of SRS administrators and presentation of the solution planning and design documents.

SRS Microsoft Active Directory rebuilding

After the end of the SRS Exchange restructuring project, the SRS Microsoft Active Directory rebuilding and consolidation project began. It lasted from August 2008 to April 2009, and the work was performed by a project manager and two consultants. Consultants of Microsoft Latvia were also involved. The project as a whole consisted of four stages.
Pre-planning stage, where information regarding the Active Directory infrastructure and related systems was gathered by surveys and technical methods and then analyzed;

Planning stage, where the concept of the new infrastructure was developed and presented, planning and design documents were created, and extensive testing of the chosen migration solution was performed in a virtual environment, using a backup copy of the production SRS directory;
Implementation stage, which consisted of development of the new infrastructure, resource migration and liquidation of the old infrastructure;

Finalization stage, during which DPA developed and submitted the documents for the disaster recovery and backup restore procedures of SRS Active Directory, and carried out the training of administrators.

During the Planning stage a decision was made to consolidate the SRS Active Directory structure into a model where the directory consists of one forest, one tree and one domain. In line with this decision, all the directory resources of the subdomains were migrated to the forest root domain, which is maintained by 3 domain controllers that are also configured as DNS servers. The functional level of the domain was raised to Windows Server 2003. At the end of the project DPA prepared a procedure document according to which SRS administrators performed the transition to the Windows Server 2008 version of the directory.

During project implementation the new SRS.gov.lv Organizational Unit structure was first replanned and developed, and afterwards rights were assigned to the respective parts in accordance with the new administrative rights model. User accounts and security groups were migrated with the Microsoft ADMT tool. Workstations, in turn, were migrated in batches with Microsoft WAMS - this tool is produced in Microsoft Russia; it was Beta at that time and was provided by Microsoft Latvia.

In parallel with the migration of workstations, the DHCP infrastructure was optimized. During the planning stage DPA and SRS agreed on a total consolidation of DHCP to 2 central servers, which carry the configuration of all the IP subnets and allocate the respective IP addresses to regional DHCP clients by using DHCP relay agents.

After the resources contained in the domains had been migrated, all the servers were migrated to the central domain. Liquidation of each domain released several servers.
Workstations of regional users were configured to use the central domain controllers for DNS services. During the course of the project all the WINS servers and NT4 domains were removed.

In the process of consolidation the Group Policy Object configuration was defined from scratch and implemented. Prior to the restructuring each domain had several local GPOs that the local administrators had created according to their own understanding and the needs of their own users. Over the course of several meetings DPA and SRS agreed on a set of GPOs that would apply to all SRS users. Additionally, regional administrators were assigned rights to create and maintain the GPOs of their respective OUs.

For collecting and processing information about the SRS Active Directory infrastructure, as well as for various migration activities, several tens of PowerShell and VBScript scripts were created. During implementation daily reports were created and sent to the customer.

Results

During the course of the project 499 distribution groups and 5623 mailboxes were migrated to the new SRS Microsoft Exchange system, with a total data volume of 500 GB. Altogether 950 groups, 4612 user accounts and 3537 workstations and servers were transferred to the new SRS Active Directory system. As a result of the project the total number of Active Directory servers came down from 112 to 3.

To maintain the old SRS Active Directory infrastructure, the administrators of the SRS Central office and territorial institutions had to resolve defects and failures of both an emergency and a preventive nature on a regular basis - the maintenance of the infrastructure prior to the migration consumed considerable time and human resources. After the restructuring of SRS Active Directory the responsibility lies almost entirely with the technical experts of the SRS Central office.

As a result of this project SRS users obtained modern e-mail, calendar, collaboration and baseline IT infrastructure services, including remote and mobile access to their mailboxes. Also, the number of registered problem incidents after the implementation of the project has been reduced by 90%. By performing the consolidation and modernization of SRS Microsoft Active Directory and Microsoft Exchange in the period from 2007 to 2009, SRS minimized maintenance costs of these systems by 80%.

Viesturs Šķila, SRS

Facts and figures

SRS Microsoft Exchange

Profile                                                  Prior to migration   After the migration
Microsoft Exchange server version                        5.5                  2007
Quantity of servers                                      62                   11
Infrastructure administrators involved in maintenance    39                   2

499 distribution groups, 5623 mailboxes, total data volume 500 GB migrated.

SRS Microsoft Active Directory

Profile                                                  Prior to migration   After the migration
Quantity of domains                                      40                   1
Quantity of domain controllers                           112                  3
Quantity of DNS servers                                  112                  3
Quantity of DHCP servers                                 112                  2
Infrastructure administrators involved in maintenance    39                   2

950 groups, 4621 user accounts, 3537 workstations migrated.
More information

Microsoft Exchange Server: http://www.microsoft.com/exchange/2007/default.mspx
Microsoft Active Directory: http://www.microsoft.com/windowsserver2008/en/us/activedirectory.aspx
More about DPA, Microsoft CEE Partner of the year 2008 and 2009: www.dpa.lv
More about State Revenue Service: www.vid.gov.lv

Published August, 2009