What is DSEvolve?
DSEvolve offers a unique approach to securing and managing Active Directory. Encapsulating the most advanced thinking in the industry, it enables the most stable, cost-effective and fastest optimisation of the directory, whilst ensuring results of the highest quality.
DSEvolve will fully optimise any Active Directory in days – regardless of its current state – with little or no disruption to the users. This is achieved using architecture pre-fabrication, clearly defined processes and tightly controlled changes, all of which have been production-tested in many organisations. The newly optimised directory is fully documented, will pass any compliance audit, offers vastly improved security and shows much greater resistance to uncontrolled change.
This radical approach is delivering huge benefits for many companies across a broad spectrum of markets. These benefits include:
- Successful optimisation that raises the core of the organisation’s technical architecture to the highest level of security, stability and GRC (Governance/Risk/Compliance) – a core architecture designed to engage all of the most up-to-date capabilities of the Active Directory
- Vast increase in security over the whole Windows infrastructure
- Multi-layered hierarchical role-based authority far in advance of industry standard implementations, and without which effective security is impossible
- Greater resistance to uncontrolled change resulting in improved stability and reliability, which in turn reduces the number of outages and issues
- A rationalised, more tightly controlled directory, making administration simpler and lowering overheads in service maintenance
- Predictable optimisation costs and timescales through production-tested project plans
- An optimisation cycle measured in days instead of months
- Detailed documentation to support implementation, administration and Disaster Recovery
- Third party support for the core architecture to ensure consistency and effective support even when administrators change
- A clear forward path for core security and functionality, as DSEvolve automatically assimilates new features of each Windows Operating System on release.
Why is Active Directory so often under-optimised?
Installation of Active Directory is a standard consultancy skill, and most organisations have installed Active Directory to a basically stable and functional state. However, optimisation of Active Directory – the process of ensuring that the Active Directory truly fulfils the organisation’s security and compliance needs – requires specialised skills and several months to complete.
An industry-standard Active Directory project lasts 3 to 4 weeks. This is, quite simply, not enough time to design, implement, test, reiterate and document a solution that will realise the full potential of the technology and resist degradation over time.
As the directory influences so many systems, and most implementations are undocumented, optimisation projects are perceived as dangerous. Most are shelved, if not entirely ignored.
Consequently, optimisation of the Active Directory is rarely pursued – a situation that exposes the whole Windows infrastructure to a variety of threats.
How does DSEvolve work?
The consultancy compromise
The standard way to implement Active Directory involves building an internal structure specific to the organisation. It is an iterative process that, if done correctly, takes months – not the industry standard of 3 to 4 weeks.
Comprehensive optimisation of the Active Directory takes considerably longer and costs much more than most organisations are willing to countenance. Without this optimisation, the directory is left weak and unstable – a fact that will eventually become obvious.
Active Directory, though absolutely critical, is a background service. It is invisible to the users until a security event (audit failure or actual breach) occurs or a new directory-enabled application is required by the organisation. This lack of immediate visibility has made it possible for incomplete implementations to become the norm across the industry. Consultants build the best Active Directory they can within the time and cost constraints placed on them.
The same constraints apply when an Active Directory implementation is carried out by internal staff, as they have even more immediate concerns. For example, email or database maintenance always outranks Active Directory optimisation in terms of operational priority until a security or Disaster Recovery event occurs.
Pre-fabrication: the way forward
Only pre-fabrication can deliver the maturity of architecture that is required to secure and sustain the Active Directory. Pre-fabrication is made possible by understanding that all organisations have the same basic requirements of their Active Directory. These “general” requirements will account for 90% of the deliverables of any Active Directory project, but are rarely documented (or even recognised) in the project brief. Some examples are:
- Correct segmented storage of the different types of objects relevant to their use, for example, separating:
  - “user” accounts from “administration” accounts
  - “client” computer objects from “server” computer objects
  - “resource” groups from “authority” groups
- Correctly targeted and assigned access controls to create a secure and functional role-based authority system, which gives administrators of different levels appropriate powers. For example:
  - a “server admin team” authority
  - a “client admin” authority
  - a “user admin team” authority
- A properly levelled and controlled group policy implementation
- It must meet Best Practice and compliance criteria
- It must be fully documented and version-controlled to allow effective maintenance and upgrade.
Understanding this to be the true nature of the Active Directory, DSEvolve installs pre-fabricated architecture, code-built to be perfectly consistent every time. This architecture fulfils all of the general requirements for any type of organisation, and can be scaled to any size of organisation.
The few remaining requirements are organisation-specific, and these are met by making small extensions to the DSEvolve core during the implementation project.
The DSEvolve way of optimising an Active Directory is summarised in the following diagram (NB: the architecture shown is a simplification):
The DSEvolve process
The optimisation project is as controlled and pre-fabricated as the new architecture itself:
- DSEvolve builds the new “core” architecture in an instant
- Information gathered by the process defines exactly what organisation-specific extensions are needed
- Role-based authority requirements are documented and mapped onto the core
- In controlled batches, users and computers (and all other relevant objects) are moved into the new core
- Once the legacy structure is empty (and so no longer has any impact on the infrastructure), it is simply removed, leaving only the strong core.
The process is fast, stable and production-tested. Most of the documentation to support the process is pre-fabricated:
- Project plans – the outline and much of the detail of the project is always the same
- Change controls – the individual tasks of the project vary only in terms of the names of the objects involved
- Communications – gathering information and setting administrator and user expectations.
What other features does DSEvolve offer?
Focusing only on its pre-fabrication technology, here are some of the benefits of DSEvolve in more detail:
- Dramatically cuts the cost of optimisation
- Is production-tested, proven technology with a large installation base
- Guarantees the quality of the resulting Active Directory implementation
- Can homogenise multiple internal Active Directories for a large or acquisitive organisation, presenting “unified, consistent architecture” without the need for expensive migration projects
- Ensures accurate times and costs for the optimisation project through production-tested plans and process
- Architecture can be scaled to ANY size of organisation and any configuration of forests
- Removes the requirement for internal consultation and its associated politics, thereby improving the efficiency of the project
- Automates the creation of project and site documentation
- Introduces production-tested deployment procedures
- Introduces production-tested, pre-fabricated change control documentation
- Introduces production-tested, pre-fabricated communications plans and templates.
DSEvolve technical requirements
In order to complete the implementation, the following should be arranged in advance:
- One Windows 7 or 8 x64 workstation that is a member of the domain
- .NET 4 client side extensions (x64)
- C++ 2010 redistributable components (x64)
- Local Administrator credentials on the workstation
- Independent access to the internet for the Implementer’s laptop (outside the firewalls)
- Domain Administrator’s time to work with the implementation, learning to support the new architecture and assist in both information gathering and issue resolution. The more time the Administrator spends with the implementer, the smoother the handover.
- Project Manager’s time to enter and expedite change controls from the information provided by the implementer
- RDP access to a domain controller in each domain in the forest
- HTTPS access to specified internet locations for the DSEvolution service running on the root domain controller
- Use of a domain admin account. This access can be supervised if required, but this greatly increases the amount of internal administrator time required.
- Jointly signed non-disclosure agreements
- Signed acceptable usage policy.
DSEvolve client time requirements
General discussions
Each day of the project
- At least 2 hours of the Domain Administrator’s time each day of the project
Over the course of the project
- 2 hours of the CIO/IT Manager’s time
- 3 hours with the Service Delivery Manager
- 1 hour at least with each Admin team leader
- A 2-hour workshop attended by all higher administrators
- A 1-hour workshop attended by all lower administrators
Once DSEvolve has transformed the Active Directory, the increase in security and stability creates an almost complete resistance to uncontrolled architectural change by anyone except the (now very limited number of) Domain admins. The next step through the DSEvolution suite is the activation of DSEnforce, which will monitor and maintain the correct state of the implementation. DSEnforce will guard against accidental degradation and uncontrolled change attempted by anyone or anything, including the nominated domain admins.