Most of the talk about cloud security and cloud identity has been directed at the cloud service provider and applications, and the various methods your company can use to provide single sign-on (SSO) and identity security working with these apps. At the same time, we shouldn’t neglect the state of our own identity and access management (IAM) infrastructure. Is it ready to handle the new requirements and challenges that federation and cloud services will put on it? Fortunately, there’s a free tool available to help you assess this.
Preparing your identity and access infrastructure to interact with web services via federation is a topic worthy of exploring in some detail, which I’ll be doing in an upcoming article. In this column, I want to focus on a utility Microsoft developed to make migration to its Office 365 SaaS suite easier. The Microsoft Office 365 Deployment Readiness Tool (a name apparently untouched by anyone in Marketing)—currently in beta—does exactly what the name says: It analyzes different aspects of your current environment to determine if there are any major roadblocks to deploying Office 365.
What the Tool Does
Whether or not you’re planning to use Office 365, don’t stop reading! Everyone with an Active Directory (AD) forest should run this tool as a free, quick, and easy way to check the consistency of his or her AD data. It’s also a great tool for system integrators to run a quick check on a customer’s AD environment to quickly gauge the complexity of what they’re getting into.
The Office 365 Deployment Readiness Tool makes assessments in seven sections: Domains, User Identity and Account Provisioning, Exchange Online, Lync Online, SharePoint Online, Client and End User Experience, and Network. Which assessments you care about depends on which, if any, Office 365 components you’re planning to deploy. If you’re just looking to run the tool against your forest to see what errors it flags, you’ll care about the Domains, User Identity and Account Provisioning assessments. Because this is a column about enterprise identity, we’ll focus on these assessments.
Designed by former Microsoft Consulting Services engineers, the tool performs a comprehensive suite of tests against your AD and SSO environment. One of the main purposes of the AD-related assessments is to check how well your AD implementation would work with Office 365’s Directory Synchronization Tool. DirSync is a critical Office 365 component, running on a dedicated server in your environment, that integrates your on-premises directory information—users, groups, and contacts—with the Office 365 infrastructure in the cloud. With DirSync, you make all changes to your users, groups, and contacts in your own AD environment, and the updates are synchronized with the Office 365 cloud. DirSync is also necessary to provide an SSO experience for your users.
The first questions you should ask about this tool are, “How intrusive is it?” and “Does it require any administrative rights?” The answer to the first question is: No, it’s not intrusive. It’s been tested with customers who have very large AD installations of more than 300,000 users, so it scales to large environments without interfering with daily operations. The answer to the second question is: No…ish. Read on for more detail.
Running the tool is simple; in fact, it’s disconcertingly simple. When you unzip and run office365deploymentreadinesstool.exe, you expect the Welcome screen of the tool’s installation wizard. But there’s no welcome screen: The tool has already begun analyzing your environment. (It feels vaguely like malware.)
What the Report Shows
When the tool has finished running, it generates a long browser page containing all the assessment results, separated by sections, with a link for the online version of the complete enterprise deployment guide. A nice touch is that there’s a link at the top of each section that takes you to the appropriate section of the online deployment guide. This makes it easy to get guidance when you get results you need to follow up on. The page is stored at C:\office365reskit\htm\assessmentrunning.htm—good to know if you accidentally close the browser window.
The first action you’ll want to take is to click the CSV File Maker link. Doing so will extract and prompt you to save a utility that creates .CSV files of the exceptions generated by the reports. Save and run it, and it will create all the .CSV files you need to examine. If you should happen to click a Review the Results link before you’ve run CSV File Maker, the link will tell you to run it first.
Domains. The Domains section simply lists the number of email domains and primary email domains (reply-to addresses) that the tool discovered.
User Identity and Account Provisioning. The User Identity and Account Provisioning section delves into the security principals in your AD environment. It has four subsections that review different aspects of your identity infrastructure. It also displays some interesting statistics that are often hard to come by and might, by themselves, make running the tool worthwhile. It displays the total number of domains in your forest—which you hopefully already know!—but also the number of your users, contacts, groups, and mailboxes across the entire forest. It also displays the total number of objects that will be used by DirSync. Note that this is not the total number of objects in your AD forest; this count doesn’t, for example, include computer objects, which outnumber users in a typical forest.
Forest and Domains. The Forest and Domains subsection provides information about the active and inactive trusts associated with your forest, and what kind of trusts they are: unidirectional or bidirectional, down-level (e.g., NTLM) or up-level forest trust, and whether the trust is transitive. In my case, it reminded me of an old trust I’d set up with a test forest named sandbox.test. If the tool does discover a forest trust, it will generate a warning that DirSync supports only one logon forest—that is, a forest containing user accounts. Though we’d all like to have one master account directory (even if it’s a metadirectory or virtual directory), for various legitimate business and regulatory reasons many companies have separate account forests. Office 365 doesn’t currently support more than one account forest, but I’m confident this large-enterprise restriction will be lifted soon. The initial DirSync capabilities had to cover most companies’ configurations, but releasing products directly to web (RTW) ensures that new features can be rolled out rapidly, and I’m sure a multi-forest sync capability is a high priority.
Schema and Forest/Domain Functionality Levels. The Schema and Forest/Domain Functionality Levels subsection displays the forest schema level, the Exchange schema level, and the domain and forest functionality levels. If your schema has been upgraded to handle Exchange Server 2010 SP1 or later, the tool will display a warning that the schema isn’t ready for an Exchange Hybrid Deployment (in which some mailboxes are on premises and others are in Exchange Online).
Active Directory Cleanup. The Active Directory Cleanup subsection is where you’ll probably find the most value in this tool. It inspects a few key AD attributes across your forest for inconsistencies that will cause an Office 365 migration to generate errors or fail. Whether or not you deploy Office 365, you should clean up data inconsistencies in your forest; sooner or later, these inconsistencies will trip up future AD-integrated applications that require AD data, or enhancements to your identity infrastructure such as a metadirectory or virtual directory.
This section checks sAMAccountName (user name), givenName (first name), sn (last name, aka surname), and displayName for character length and unsupported characters. It also checks mail (email address), mailNickname, and proxyAddresses for spaces and duplicates. Unfortunately, it doesn’t check for consistency in phone numbers or other attributes you might think are useful, because Office 365 doesn’t require this. If you do have errors in this section, or any other section that requires attention, the tool will display a link to a .CSV formatted file with the data in error so that you can attack the errors programmatically.
Directory Synchronization. The Directory Synchronization subsection provides an assessment of the number of objects DirSync will run against (and that will therefore be uploaded to Office 365). Interestingly, if the object count is greater than 10,000, you’ll be prompted to contact Office 365 support to notify them how many objects you need to upload. This is to prevent Denial of Service (DoS) attacks. Note that some of these “more information”-type links open in new tabs and some don’t, so pay attention when you follow the links so that you don’t accidentally close the assessment report.
This section also does an Enterprise Admin check. “An EA check?” you ask. “Doesn’t this tool run without elevated privileges?” Yes, it does; this check is for the privileges needed to install DirSync, not the Readiness Tool: during the DirSync installation, you’re asked to provide EA credentials. Why does DirSync need EA privileges to install? From the documentation: “The (DirSync) configuration wizard uses Enterprise Admin credentials to create the directory synchronization service account, MSOL_AD_Sync. This service account is created as a domain account with directory replication permissions on your local Active Directory and with a randomly generated complex password that never expires…these credentials are erased from the computer’s memory after the service account is created.” This section also checks for duplicate user principal names (UPNs) and that every user is assigned a UPN; either problem will affect your ability to implement SSO with Office 365.
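The attribute checks from the Active Directory Cleanup subsection above and the UPN checks in this subsection can be reproduced with a read-only PowerShell audit of your own. The script below is an added example, not code from the column or from Microsoft’s tool; it assumes the ActiveDirectory module (RSAT) is installed, and because the column doesn’t give them, the length limits and the unsupported-character sets are assumptions to verify against the current DirSync documentation. It covers user objects in the current domain only, whereas the tool also inspects contacts and groups across the whole forest.

```powershell
# Added example (not the column's or Microsoft's code): read-only audit of the
# attributes the AD Cleanup and Directory Synchronization subsections inspect.
# Limits and character sets are ASSUMED; verify against current DirSync docs.
Import-Module ActiveDirectory

$MaxLen   = @{ sAMAccountName = 20; givenName = 64; sn = 64
               displayName = 256; mail = 256; mailNickname = 64 }
$BadChars = @{ sAMAccountName = '[\\"/\[\]:|<>+=;?,*]'        # logon-name illegal set
               givenName = '[\x00-\x1F]'; sn = '[\x00-\x1F]'
               displayName = '[\x00-\x1F]' }                 # assumed: control chars
$props = 'sAMAccountName','givenName','sn','displayName','mail',
         'mailNickname','proxyAddresses','userPrincipalName'
$users    = Get-ADUser -Filter * -Properties $props
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($User, $Attr, $Issue, $Value) {
    $findings.Add([pscustomobject]@{
        DistinguishedName = $User.DistinguishedName
        Attribute = $Attr; Issue = $Issue; Value = $Value })
}
foreach ($u in $users) {
    foreach ($attr in $MaxLen.Keys) {                      # character length
        $v = $u.$attr
        if ($v -and $v.Length -gt $MaxLen[$attr]) { Add-Finding $u $attr 'TooLong' $v }
    }
    foreach ($attr in $BadChars.Keys) {                    # unsupported characters
        if ($u.$attr -match $BadChars[$attr]) { Add-Finding $u $attr 'UnsupportedChar' $u.$attr }
    }
    foreach ($attr in 'mail','mailNickname') {             # embedded spaces
        if ($u.$attr -match '\s') { Add-Finding $u $attr 'ContainsSpace' $u.$attr }
    }
    foreach ($pa in $u.proxyAddresses) {
        if ($pa -match '\s') { Add-Finding $u 'proxyAddresses' 'ContainsSpace' $pa }
    }
    if (-not $u.userPrincipalName) { Add-Finding $u 'userPrincipalName' 'Missing' '' }
}

# Duplicates across all users: mail, UPN and every proxy address (case-insensitive here).
$pairs = foreach ($u in $users) {
    foreach ($attr in 'mail','userPrincipalName') {
        if ($u.$attr) { [pscustomobject]@{ Attr = $attr; Value = $u.$attr.ToLower(); User = $u } }
    }
    foreach ($pa in $u.proxyAddresses) {
        [pscustomobject]@{ Attr = 'proxyAddresses'; Value = $pa.ToLower(); User = $u }
    }
}
$pairs | Group-Object Attr, Value | Where-Object Count -gt 1 | ForEach-Object {
    foreach ($p in $_.Group) { Add-Finding $p.User $p.Attr 'Duplicate' $p.Value }
}
$findings | Export-Csv -Path .\ad-cleanup-findings.csv -NoTypeInformation
"{0} finding(s) written to ad-cleanup-findings.csv" -f $findings.Count
```

Run it once per domain with -Server on Get-ADUser to approximate the tool's forest-wide view; the resulting CSV has the same shape as the tool's exception files, so the same programmatic cleanup applies.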
The tool also performs a basic Exchange assessment, listing the Exchange servers in the environment, users, and public folders. It also runs network tests to ensure that your network can reach Office 365.
A Great Start
The Office 365 Deployment Readiness Tool is a free, easy-to-use utility that gives you a quick assessment of your AD, Exchange, and SharePoint environment. It’s not comprehensive, but it’s a great way to give you an idea of how much cleanup work must be done before you begin extending your identity information beyond your company’s borders. The Microsoft Office 365 Deployment Readiness Tool is available at http://bit.ly/qhrJRL.