© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
Active Directory Migration
How Cisco IT Migrated to Microsoft Active Directory
A Cisco on Cisco Case Study: Inside Cisco IT
Overview
Challenge: Deploy a single directory solution for all NOS directories as well as an enterprise directory
Solution: Migrate to Microsoft Active Directory, automating the migration and provisioning processes as much as possible
Results: ROI in 16 months; anticipated 48-month savings of $5.8 to $8.1 million
Next Steps: Migrate MeetingMaker and POP email server directories
Challenge: Consolidate Multiple Directories
Cisco IT maintained separate NOS and Lightweight Directory Access Protocol (LDAP) directories for each application
Mail servers, MeetingMaker calendar servers, various Oracle applications, Windows, UNIX, and Macintosh desktops
50+ directories in the lab environment alone!
Users had to keep track of multiple user accounts and passwords
Administrators had to be trained on different systems and update multiple directories as employees joined or left Cisco
Cisco developers had to write different code for every directory their applications would access
Challenge: Reduce Directory Costs and Maintenance Requirements
IT faced its own set of problems relating to maintaining multiple directories:
High costs: training to support each directory
Licensing fees
Complicated compliance with the Sarbanes-Oxley Act: the more directory environments, the harder it is to enforce what is appropriate for each individual
Accountability: if a problem emerges, which directory group is in charge?
Solution: Microsoft Active Directory
Active Directory provides all functions that Cisco IT needs, in one product:
Enterprise directory
NOS directory
LDAPv3
Public Key Infrastructure (PKI) and Kerberos security services
Network device management capabilities
No separate license fee because it is built into the Windows operating system
Solution: Consolidate to Active Directory
Solution: Architecture
Deployed in 12 locations on the Cisco all-packet network (CAPnet)
High bandwidth enables fast response for Cisco users worldwide as they authenticate
Sites shown on the deployment map: SJC, CHM, AMS, SYD, BRU, LON, BGL, SIN, RTP, RCH, BEI
Solution: Geography-Based Domains
Five domain controllers at each deployment site:
Root domain
Three child domains based on geography
Redundant domain for local geography
Cisco employees who travel can be authenticated locally
Solution: Geography-Based Domains (Contd.)
Authentication time reduced from minutes to seconds in some cases
Domain tree shown: Cisco.com (root) with child domains AsiaPac.cisco.com, Americas.cisco.com, and EMEA.cisco.com
Each Active Directory domain contains Organizational Units holding Groups, Printers, Users (Active / Inactive), Computers (Workstations / Servers), and Applications
Solution: Automated Migration
Automating migration reduces business risk
Cisco IT developed an automated utility to migrate from the previous Windows NT 4 NOS directories
Populates user accounts in Active Directory
Migrates group accounts from Windows NT4 to Active Directory
Migrates security identifiers (SIDs)
Solution: Automated Migration (Contd.)
Script launches when user logs in to Windows NT4
Enables Active Directory user account
Sets password
More
99% of Cisco users migrated to Active Directory with no human intervention
Solution: Automated Provisioning
Motto: “Provision as much data as possible, master as little data as possible in Active Directory”
100 batch-provisioning scripts run at intervals ranging from 15 minutes to 24 hours
Employees (feed from PeopleSoft HR system)
Groups
SID history
Mailboxes
Mail aliases
Printers
Site topology
Schema extensions
Organizational units
Solution: Automated Updates to Network Topology
Directory services provide network topology
IT staff refer to the topology to find the fastest connection to network resources
Incorrectly configured site topology can affect availability of directory-enabled applications
Active Directory requires manual topology updates
But the Cisco network changes daily, making manual updates impractical
A challenge begging for automation…
Solution: Automated Updates to Network Topology (Contd.)
Cisco IT wrote a script that automatically updates topology each day
The script pulls config files from Cisco routers and then injects this information into Active Directory
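The deck does not reproduce the topology script. The following Python example is added here and is not Cisco's code: it shows the shape of such an automation by parsing constructed IOS config fragments for interface subnets, mapping each router to an AD site by an assumed hostname prefix, refusing to emit anything when subnets overlap across sites (the misconfiguration the previous slide warns about), and otherwise rendering the AD subnet objects as LDIF. The forest naming context (DC=cisco,DC=com) and the site names are assumptions.

```python
import ipaddress
import re

# Constructed sample: fragments of two IOS router configs, one per site (hypothetical).
ROUTER_CONFIGS = {
    "sjc-core-1": """
hostname sjc-core-1
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 10.1.2.1 255.255.254.0
""",
    "rtp-core-1": """
hostname rtp-core-1
interface GigabitEthernet0/1
 ip address 10.1.1.129 255.255.255.128
interface GigabitEthernet0/2
 ip address 10.2.0.1 255.255.0.0
""",
}

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.MULTILINE)
CONFIG_NC = "CN=Configuration,DC=cisco,DC=com"  # assumed forest configuration naming context

def site_for(hostname):
    """Map a router to an AD site by hostname prefix (assumed naming convention)."""
    return hostname.split("-")[0].upper()

def extract_subnets(configs):
    """Return {subnet_cidr: site} from every 'ip address A.B.C.D MASK' line."""
    subnets = {}
    for hostname, text in configs.items():
        for addr, mask in IP_LINE.findall(text):
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
            subnets[str(net)] = site_for(hostname)
    return subnets

def find_overlaps(subnets):
    """Overlapping subnets tied to different sites send clients to the wrong DC; report them."""
    nets = list(subnets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:]
            if subnets[a] != subnets[b]
            and ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]

def to_ldif(subnets):
    """Render AD subnet objects (objectClass subnet, siteObject link) as LDIF add entries."""
    return "\n\n".join(
        f"dn: CN={cidr},CN=Subnets,CN=Sites,{CONFIG_NC}\nchangetype: add\n"
        f"objectClass: subnet\nsiteObject: CN={site},CN=Sites,{CONFIG_NC}"
        for cidr, site in sorted(subnets.items()))

def topology_update(configs):
    """Fail closed: return (ldif, []) when consistent, or (None, overlaps) when not."""
    subnets = extract_subnets(configs)
    overlaps = find_overlaps(subnets)
    return (None, overlaps) if overlaps else (to_ldif(subnets), [])
```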
Solution: Replication
Multi-master replication feature in Active Directory replicates a change made at any of Cisco’s 12 Active Directory sites
High bandwidth of CAPnet sites avoids bandwidth clogging during replication
To ensure rapid recovery during disasters, Cisco IT masters data in a separate database, not Active Directory
Reduces risk
Improves auditing
Provides IT with greater control over which system administrators can make changes, and how often
Solution: Web-Based Proxy Management
Local changes to domain controllers result in inconsistent server configurations, which complicate maintenance
Cisco IT developed a Web-based proxy service
Now local configuration changes are made on the server, while Active Directory data remains unchanged
Results: ROI in 16 Months!
Migration accomplished for $630 per Windows desktop, a result of the automated migration utility
Compares to $2,100 to $3,000 industry average (source: Gartner)
One-time migration cost savings: $1.5 million
48-month operational cost savings for Windows services: $2.3 million
Results: ROI in 16 Months! (Contd.)
48-month operational cost savings for UNIX services: $2 million compared to Sun One or $4.3 million compared to Sun Network Information Services (NIS+)
Chart: cumulative cost ($0 to $4,000,000) against time in months (1 to 49), comparing cumulative cost without automation with cumulative cost with automation; breakeven at 16 months; cumulative savings to Cisco after 48 months: $2.3 M
Next Steps: Migrate Other Directories
MeetingMaker directories
POP mail server directories
To read the entire case study, or for additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT
www.cisco.com/go/ciscoit