Protect and Defend - Securing the AD Foundation

Microsoft Active Directory (AD) is the main source of authentication, identity management, and access control for more than 90% of organizations – including Federal government agencies. When even a minor breach can cripple an agency, are Feds doing enough to keep AD secure?

Learn about the key AD security threats that Federal government agencies face and discover how Quest solutions can protect critical systems and data from threats. 

Global bank ensures security, cyber resilience and compliance.

The Canada-based bank relies on an integrated suite of Quest solutions — and its partnership with the world’s top Active Directory experts.

  • Industry: Finance

Challenges

A large international bank must ensure the security and cyber resilience of its large hybrid IT ecosystem, as well as maintain and prove compliance with a growing set of increasingly stringent regulations across the many regions it serves.


Solutions

For nearly two decades, the bank has relied on solutions and expertise from Quest. As it migrated workloads to the cloud, Quest was ready with integrated solutions that deliver unified visibility and control over the entire IT environment. Moreover, the Quest professional services team provides in-depth consulting and knowledge transfer, empowering the bank to proactively optimize security, cyber resilience and compliance.

Benefits

  • Stronger security through robust auditing and change control
  • Enhanced cyber resilience with reliable backup and fast recovery of the hybrid environment
  • Ability to ensure and prove compliance with regulations
  • Peace of mind that comes from a long-term relationship with a trusted partner and advisor

The Story

In industries like banking, Active Directory security and availability is especially vital.

No business wants to suffer a security breach or service downtime, but for highly regulated and critical sectors like finance, such events can be especially devastating. That’s why a large Canada-based bank with a presence in North America, the Caribbean, Europe and Asia-Pac has long relied on a suite of solutions from Quest to secure, monitor and ensure swift recovery of its hybrid IT ecosystem.

The bank has a single production Active Directory (AD) forest with seven domains and one production Entra ID tenant. Keeping them secure and available is a top priority. “When retailers, social media companies and many other service providers experience an outage, customers may get angry and some of them may even take their business to another vendor,” explains a senior infrastructure engineer from the bank. “But banking is super sensitive because that is where your money is. If our operations were to shut down for any length of time, there would be loss of revenue, and there would also be regulatory impact because we have to comply with mandates from multiple regions, including not just Canada but the US, the EU and more. But even more important would be the serious and lasting damage to the bank’s reputation. As a result, Active Directory security and cyber resilience are critical for our business.”

The bank has relied on AD security and recovery solutions from Quest for nearly two decades.

The bank has been partnering with Quest for nearly two decades. “We started with Recovery Manager for Active Directory, followed by InTrust and Active Roles, and we quickly saw the value add,” says the senior infrastructure engineer. “When Change Auditor came along, we saw the benefits it offered, so we brought it in. Although we have kept a close eye on the market over the years, we have never found another vendor that offers products with such a wide range of features — and that also coexist and integrate amongst each other, which greatly enhances the value add of the whole solution.”

Moreover, as technologies advanced and business realities changed, the bank found that Quest products kept evolving to keep up. “Almost everything we are doing on premises is getting extended into the Entra ID space,” he adds. “Quest has been ready with SaaS solutions that give us visibility and control over the entire hybrid environment, and those tools have been rapidly joining our portfolio. We found the value we get from our Quest solution set is much more attractive to us compared to other tools on the market.”

Robust auditing and change management deliver strong security.

Today, cybersecurity experts recommend that organizations adopt an assume-breach mindset. That makes it vital to implement comprehensive auditing and analysis of activity across the environment. With Quest solutions, the bank’s IT team has the visibility and control they need to prevent costly breaches and downtime.

“We used to do auditing with native tools, and we found it quite painful because it was difficult to interpret the cryptic logs and identify threats,” the senior infrastructure engineer recalls. “Change Auditor provides highly enriched logging that is truly beneficial for us. We easily customized some of the built-in reports and now our InfoSec teams can accurately spot and investigate out-of-band activity. We even have the reports generated automatically on the schedule we choose and sent to a designated mailbox.”

The bank team also relies on Change Auditor to detect drift in Active Directory configurations that could open security gaps or compromise service availability. “Over the years, any Active Directory tends to accumulate excess access rights, stale identities and other issues, and ours was no exception,” notes the senior infrastructure engineer. “With Change Auditor, we were able to collaborate with the InfoSec team and clean up the directory to make it more secure and easier to manage.”

An additional benefit of Change Auditor is its ability to block changes to powerful security groups, critical Group Policy objects and more. “Using Change Auditor, we have put many Active Directory objects and attributes into protection policies, which prevents them from being changed, whether accidentally or maliciously,” the senior infrastructure engineer explains. “That approach has withstood extensive testing: We perform regular red team exercises to attempt to breach the environment, and Change Auditor has been there to prevent the breach from occurring.”

Moreover, with its Quest portfolio, the bank has visibility and control across the entire hybrid environment. “Because Change Auditor is integrated with On Demand Audit, we have consolidated reporting,” says the senior infrastructure engineer. “Being able to track changes both on premises and in Entra ID is a tremendous value add for us. For example, when a team requests privileged access to certain data or applications, we can thoroughly review their previous activity. We can show them what changes they have made over a long period of time and demonstrate that they don’t actually need any standing privileged access. As a result, we can minimize our attack surface area.”

Speedy and reliable disaster recovery delivers cyber resilience.

The bank recognizes that even the most comprehensive identity threat detection and response strategy cannot prevent all adverse events. Accordingly, they have built a robust disaster recovery strategy using Recovery Manager for Active Directory integrated with On Demand Recovery.

Indeed, the bank’s senior leadership understands how critical the Active Directory and Entra ID identity platforms are for the business. The senior infrastructure engineer recalls that they attended a presentation about the infamous NotPetya attack. While the primary target was Ukraine, companies around the world suffered staggering damage. For instance, shipping giant Maersk had no backups of its Active Directory, so it had to painstakingly shuttle a domain controller that luckily had been offline during the attack from Ghana to the UK; Maersk estimated that recovery cost $250–$300 million, though other insiders suspect the total was actually much higher. Even more compelling for the executives at the presentation may have been the fact that it took just 45 seconds for NotPetya to bring down the network of a large bank. “We didn’t have to sell the importance of our identity platforms to our CEO,” says the senior infrastructure engineer. “He grasped it very quickly. AD and Entra ID disaster recovery was aligned with the risk known to the business.”

With the Quest solutions, the bank has implemented a comprehensive disaster recovery strategy that includes a pair of synched Recovery Manager servers in each data center. “Each server has a full immutable backup of the entire environment, so we don’t need all four to survive a disaster, we need just one. In addition, we have two Recovery Manager servers in Azure with their own immutable backups, which provides additional redundancy.”

The bank tests its disaster recovery plan regularly, and the results speak for themselves. “If we were to have a cybersecurity incident that destroys our entire forest, we know we could restore the forest well within four hours,” the senior infrastructure engineer reports. “Recovery Manager removes the definitions of the 70+ domain controllers we have in production and brings up a pristine new forest using one of our immutable backups. Plus, thanks to the integration with On Demand Recovery, we can recover not just AD but also Entra ID.”

Security and cyber resilience are essential for regulatory compliance.

Financial institutions are subject to strict regulatory requirements and oversight, and banks with an international presence have to comply with mandates from multiple jurisdictions. Quest solutions can dramatically ease this compliance burden.

“Change Auditor automatically generates the reports we need and sends them to appropriate teams,” explains the senior infrastructure engineer. “At the same time, Recovery Manager and On Demand Recovery enable us to comply with the most stringent disaster recovery requirements. In fact, given the depth of reporting and the capability of the tooling we have, we have no issues whatsoever in meeting the regulations we are subject to. Moreover, we are well-positioned to address any new requirements that come our way.”

An integrated suite of solutions is critical for today’s hybrid IT ecosystems.

A collection of disparate point solutions is not an effective approach to cybersecurity and cyber resilience today; organizations need integrated solutions that enable a unified approach across the hybrid environment. Indeed, the senior infrastructure engineer argues that this is a defining value of the bank’s investment in Quest solutions.

“When you look at the extensive portfolio of Quest solutions and how they integrate seamlessly with each other and complement one another, that’s where the value add is,” he says. “For example, Recovery Manager for Active Directory stands head and shoulders over any other product on the market. But you cannot plan for just on-prem AD; you must also plan for Entra ID. Together, Recovery Manager and On Demand Recovery provide end-to-end recovery of the whole identity platform, including both recovery of specific objects and disaster recovery.”

An experienced and trusted partner is as important as any software product.

As much as the bank values the Quest solutions it relies upon, the senior infrastructure engineer is quick to point out that the relationship with the vendor is just as crucial. “There are very few vendors with the maturity and capability that Quest has,” he notes. “We particularly appreciate the depth of experience and knowledge of Quest professional services. Our internal teams very much take a hands-on-keyboard approach, and we rely on the Quest experts to advise us about optimizing our processes. They help us understand best practices and use the Quest products most effectively in our environment.”

The support team is equally experienced and helpful. “We actually have not had many support engagements over the years because the solutions work so well,” notes the senior infrastructure engineer. “But when we have reached out, the support team is quite responsive and usually resolves the problem quickly. And if we happen upon a product bug, the issue gets escalated into the sight of relevant executives, which we appreciate.”

In fact, the bank is interested in expanding its portfolio of Quest solutions. In particular, they are actively looking at protecting their Tier Zero assets with Security Guardian and SpecterOps BloodHound Enterprise.

IT solutions and managed service provider trusts the Quest products it sells

Phoenix Software strengthens its own security and cyber resilience with solutions from Quest.

  • Industry: IT solutions & managed service provider
  • Website: www.phoenixs.co.uk

Challenges

As an award-winning provider of IT solutions and managed services, Phoenix Software only partners with vendors of the highest quality and reputation. Indeed, whenever feasible, the company’s IT teams test prospective solutions in their own environment before they are offered to customers. During this process, a select few tools prove so valuable that they become part of the company’s own IT technology stack.


Solutions

Phoenix applied its careful vetting process to Quest Active Directory security and cyber resilience solutions — which delivered with flying colours. As a result, their internal IT teams now rely on the tools for a range of crucial functions, from threat detection and response to disaster recovery.

Benefits

  • Blocks threats by preventing changes to critical admin accounts, GPOs and other objects
  • Enhances AD security with effective Group Policy governance
  • Ensures cyber resilience by slashing disaster recovery time from days to just an hour or two
  • Facilitates compliance with regulations and contracts by automating privilege management tasks

The Story

Award-winning IT solutions and managed service provider carefully vets the solutions it offers.

Phoenix Software provides IT solutions and managed services that empower UK organisations to modernise and secure their infrastructures and to protect, visualise and manage their data. The company’s excellence has been recognised with a wide range of awards, including the 2023 Microsoft Modern Endpoint Management Partner of the Year and 2021 Microsoft UK Partner of the Year.

Phoenix’s obligations and commitments to customers are their highest priority. “We have a thorough onboarding process for our strategic vendors,” explains Laura Banks, data protection specialist at Phoenix. “If I see an opportunity in our portfolio for a new solution, it will go to our technical team for review and testing. Before we offer it, we need for them to say, ‘Yes, that’s the best product out there on the market.’ We will onboard only the best vendors and solutions.”

Actually using these solutions in house whenever feasible provides multiple benefits. “We are very strong advocates of using the tools that we sell,” notes Shaun Tosler, infrastructure and security manager at Phoenix. “Obviously, we can’t do it with everything, but by verifying that a solution works well for us, we can have confidence that it will work well for our customers. Plus, it enables our teams to gain experience with the tools we offer so we can better support clients who adopt them.”

As a Quest Platinum Partner, Phoenix had the opportunity to trial Quest Active Directory security and recovery solutions. Those solutions not only passed the criteria to enter the company’s portfolio, but also proved so valuable that they remain vital components of its own IT ecosystem. Together, Change Auditor, GPOADmin and Recovery Manager for Active Directory Disaster Recovery Edition from Quest and One Identity Active Roles help Phoenix ensure strong Active Directory security and cyber resilience.

Change Auditor provides advanced threat detection — and can even stop attackers cold.

With Change Auditor, Phoenix enjoys real-time threat monitoring and security tracking of all key user activity and administrator changes. “For security auditing, our primary tool is Microsoft Sentinel,” notes Tosler. “But we do not think it’s wise to put all our eggs in one basket by having only a single tool for critical functions. What if it’s wrong or gets compromised? Change Auditor provides an important secondary source of information. Moreover, because of where it sits in the technical structure of AD, it provides enriched information that the native logs do not capture.”

Phoenix is even more enthusiastic about the ability of Change Auditor to block unwanted changes to critical objects, such as powerful administrative accounts and key Group Policy Objects (GPOs). “Change Auditor will stop attackers — no matter what permissions they have — if they try to modify protected objects,” Tosler says. “It is our safety net against privilege escalation and AD misconfigurations. We can say that a particular account can’t be touched at all, or it can be edited only from within a certain IP address range or so on. For instance, if someone accidentally made every account a Domain Admin, it wouldn’t matter because Change Auditor provides a blockade to deny any critical change.”

Indeed, with Change Auditor in place, Phoenix is better positioned for prompt threat detection and response. “With Change Auditor, if an attacker did get into our AD, two things are going to happen,” Tosler explains. “First, they’re going to make more noise, which means that our other security tooling is going to be better placed to spot them. And even if the attacker managed to disconnect our primary logging source, Change Auditor is still logging the information. In short, it gives us more time, more noise and more protection across the attack chain.”

GPOADmin enables effective Group Policy governance.

Group Policy plays a crucial role in Active Directory security, and Phoenix utilises GPOADmin to manage its GPOs efficiently and effectively. “GPOADmin makes it easy for us to control the rollout of GPOs,” Tosler says. “When we have a change that we need to put in place by a certain time, our engineers do not have to wait up until 1:00 in the morning to deploy it so it will have the least impact on users. Instead, we can make the change, stage the GPO and schedule the rollout to meet our requirements.”

Moreover, GPOADmin offers robust GPO change management. “The fact is 99% of security holes come from not having proper change management — someone simply takes an action without a proper process in place,” notes Tosler. “We use the approval feature in GPOADmin to ensure that one person makes a change but someone else has to approve it, which helps prevent both hasty mistakes and malicious actions. Moreover, GPOADmin tracks every event and provides clear details so we can always see exactly what was changed.”

Of course, even with the most thorough processes in place, issues can arise, so GPOADmin provides advanced rollback capabilities. “Even with the most careful testing and approvals, it is possible that a GPO might be rolled out and then a problem might be discovered with it,” Tosler points out. “With GPOADmin, we can quickly and easily roll back the GPO to a previous state to promptly restore Active Directory security. It’s very rare that a tool does exactly what it says in terms of controlling and administering Group Policy, but GPOADmin does just that, and it does it quite well.”

Recovery Manager for Active Directory is “brilliant,” slashing recovery time from days to hours.

To ensure cyber resilience, Recovery Manager provides efficient and reliable AD backups, reducing bloat by omitting extraneous and risky components like boot files. Indeed, Tosler considers it “one of the best tools on the market for AD backup.”

However, he says that recovery is where the solution really shines. “Recovery Manager is brilliant — it’s the only tool that automates the work of building out domain controllers after a disaster,” Tosler explains. “Every other backup tool simply recovers the Active Directory database file and leaves you to do the work. Recovery Manager doesn’t restore a file — it automates the entire recovery process. In just an hour or two, I can have the environment back up. Without it, we’d need days to build that out. Moreover, it enables you to restore information that you simply can’t rebuild, which increases its value exponentially.”

Although Phoenix has never had to perform a disaster recovery, knowing that its speedy recovery capabilities are right at hand delivers peace of mind. “In case of a domain compromise, I’d have 1,001 things to think about, and the CEO or CTO is going to be standing right there because the business would be losing money every second,” says Tosler. “With Recovery Manager, I know I have one button to press to get the recovery moving, restore our identities and get services like email back up. It’s invaluable, honestly.”

Indeed, Tosler would recommend Recovery Manager to any organisation whose Active Directory has been wiped out by a disaster, noting that the solution would likely deliver a full return on investment immediately. “Recovery Manager will give you a solid basis to start your recovery,” he says. “Let’s say you’ve got tens of thousands of users — creating all those accounts manually could take 10, 20, 30 hours. Recovery Manager takes all the labor out of it and automates the account creation. That’s not something you can do with any other tool. The amount of time you save would probably more than pay for the solution in that situation.”

Active Roles strengthens AD security by simplifying identity management.

For identity security, Phoenix uses Active Roles, which provides management and fine-grained delegation of privileges across Active Directory domains and Entra ID (formerly Azure AD) tenants from a single console. Using role-based access control (RBAC), Phoenix can strictly enforce the least privilege principle.

“Active Roles provides the abstraction we need for identity security,” explains Tosler. “For example, we no longer have to provide admin accounts to our service desk technicians; instead, we direct them to a web interface. We can also delegate tasks like group management to the people with the necessary expertise, such as the developers of custom apps. And no one other than the break-glass accounts can make any changes directly within AD.”

Active Roles also helps Phoenix ensure compliance with the data sovereignty requirements of both company contracts and regulations like the GDPR. “Our employees need to go on holiday and access their emails, but some clients do not allow their data to be processed outside of the UK,” Tosler says. “Active Roles provides the automation we need to honor those contracts. We simply set it up so that the user will be automatically removed from certain groups when their holiday begins and added back when they return. As a result, we do not have to worry about users retaining access rights they should not have.”

A suite of solutions that work together

As valuable as each solution is individually, Phoenix recognises that they work together to deliver even more value. “If you adopt Active Roles for identity management, you may as well bring in Change Auditor to do the AD lockdown,” explains Tosler. “Similarly, Recovery Manager will create backups, and Change Auditor will watch over them and prevent anyone from tampering with them. With those types of controls in place, I can trust that the data required to get the service back online is going to be there when I need it.”

Healthcare organisation closes a serious security and compliance gap

Torbay and South Devon NHS Foundation Trust migrates 5.5TB of risky PST files to Microsoft 365 with help from Quest.

  • Industry: Healthcare
  • Website: torbayandsouthdevon.nhs.uk

Challenges

When users at Torbay and South Devon NHS Foundation Trust faced strict mailbox size limits combined with strict data retention mandates, many of them stashed data away in PST files. As a result, huge volumes of data were invisible to vital eDiscovery, data protection and backup processes.


Solutions

The IT team knew that migrating the data to Microsoft 365 would mitigate these risks. With Quest, they found not just a powerful migration tool but an experienced and flexible partner. In just six months, all 5.5TB of PST data was accurately identified and migrated.

Benefits

  • Migrated 5.5TB of PST files to Microsoft 365 without loss of data or fidelity
  • Uncovered huge volumes of data that would otherwise have been overlooked, thanks to automated PST discovery across a wide variety of sources
  • Provided “superstar” migration services that freed up the internal IT team to focus on communication and training
  • Slashed the project timeline in half, from one year to just six months

The Story

PST files put security, business continuity and compliance at risk.

Torbay and South Devon NHS Foundation Trust was the first NHS organisation in England to join hospital and community care with social care, and it is a proud pioneer in integrating health and social care nationally. It provides health and social care services to people in their own homes or in their local community, and runs Torbay Hospital (providing acute hospital services) as well as five community hospitals. Torbay and South Devon employs over 6,500 staff and has over 350 volunteers.

As a healthcare institution, Torbay and South Devon NHS Foundation Trust is subject to strict government mandates, including policies that can require lengthy data retention periods — even as long as 20 years. But until recently, users at the trust had only 4GB mailboxes. As commonly happens in such situations, many users created PST files to store the excess data that needed to be kept for business, personal or compliance reasons.

Though this workaround satisfies users’ immediate needs, it has important drawbacks. PST files cannot be centrally tracked or managed, so they are often poorly protected and easily corrupted. Moreover, they may not be covered by IT backup processes, and they make thorough and accurate eDiscovery impossible. As a result, PSTs put security, business continuity and compliance at risk.

Given that the trust’s IT ecosystem includes some 8,000 users, including people who had been with the organisation for decades, the IT team was seriously concerned. They proposed a project to discover the PST files and migrate them to Microsoft 365, where they could be properly managed and secured.

“One reason for this proposal was that our trust is part of the national NHS shared tenant, so Microsoft 365 is provided at a basic level at no cost to us,” explains Jai Ragwani, technical delivery manager at Torbay and South Devon NHS Foundation Trust. “In addition, it would be efficient to host the data in one place rather than in various file shares and personal drives. Finally, by migrating the data to the cloud, we could reserve our expensive on-prem storage for workloads that we can’t move to the cloud.”

Migration projects are complex and risky — especially when they involve critical and regulated data.

Although the IT team had proposed the migration project, when it was approved, they felt a bit of a shock as they realized the scale of data and work involved. One clear challenge was a lack of migration experience. “My team did not have much experience with this type of migration,” Ragwani says. “We’ve been very much an on-prem-first organization and that’s very much where our knowledge lies. We thought we could probably do the work internally, but we weren’t sure of the process and the best practices to follow. That was definitely a risk in my head.”

Another key concern was lack of insight into the data. “At a high level, we knew how many file shares we had and a guesstimate of how many PSTs,” he adds. “But we didn’t have any kind of robust mechanism to be sure that this file share contains this type of data. Therefore, there was a real risk that we could accidentally migrate data that needed to remain on premises, such as data that’s used by older on-prem applications or clinical records that weren’t in scope.”

Finally, there was the risk of service disruption. “Like many organisations, we’ve experienced shadow IT. In our case, clinicians and administrators develop something to meet their needs, and we don’t even know it’s there,” notes Ragwani. “Accordingly, there was definitely a risk that by migrating data to the cloud, we might disrupt a service that we provide. Obviously, as a healthcare organization, that could be quite bad.”

An experienced and flexible partner is essential for a successful migration.

With those concerns in mind, the team put together a requirements document. “Definitely at the top of our list of criteria were a solid understanding of NHS shared tenant and how we operate as an NHS trust, as well as a willingness and ability to collaborate with the people who manage the tenant nationally, namely NHS England and Accenture,” Ragwani says. “The NHS moves quite rapidly at times and every few years there are huge changes in how it operates, so we knew that flexibility to adapt to ever-changing landscapes would be critical to success.”

After carefully reviewing all the tenders they received, the team found that only Quest had the requisite experience, knowledge and flexibility to handle the project. “Not only had NHS England worked with Quest in the past, but we learned that Quest was slated to become an approved migration partner for the shared tenants,” Ragwani adds. “That was another big tick in our book.” Specifically, the team chose PST Flight Deck and the associated fully managed PST migration service.

Finding all files, instead of just 80% of them, is critical to security and compliance.

The first step was PST discovery. PST Flight Deck automatically discovers all PST files — not just on user workstations but in other locations that other solutions tend to exclude, such as local drives, attached USB devices, network shares, and OneDrive for Business.

“A key benefit of PST Flight Deck was that it scanned users’ machines, so we dug up a lot of PSTs that we didn’t know existed,” recalls Ragwani. “Finding all the different places where people had stashed the files and forgotten about them over the years was definitely a shock to us. If we had done the discovery manually, I think we would have been able to find at most 80% of the files because we wouldn’t have looked in locations where we didn’t expect PST data to be stored.”

Plus, the discovery process was far faster with PST Flight Deck. “After just one or two weeks, we already had a pretty complete picture of what PST files we had,” Ragwani says. “Without PST Flight Deck, it would’ve taken us months to do just the discovery piece, and we still wouldn’t have found all the PST files that were in scope for migration.”

A thorough discovery was absolutely essential for Torbay and South Devon NHS Foundation Trust. “The files on users’ personal drives were not only consuming space, they were very liable to corruption and improper deletion, which could have meant loss of important information,” notes Ragwani. “Similarly, PSTs that had been accidentally stored on a shared file share were a clear security and compliance risk, so it was incredibly valuable to us that PST Flight Deck discovered them.”

5.5TB of PST data is migrated in just six months, with no loss of data fidelity.

After the discovery phase, the team began moving the data to Microsoft 365. “We migrated 5.5TB of PST data in just six months,” reports Ragwani. “We initially put aside a whole year for the project. The Quest tool automated the work and cut that timeline in half.”

But that speed did not come at the cost of quality. “The PST files being migrated may well have included really important emails that are subject to data retention requirements and might be required as evidence years down the line,” Ragwani notes. “If that data hadn’t gone across correctly or had remained on premises and become corrupt, the trust could have been left in quite a precarious position. But thanks to the Quest solution and migration service, the success rate for our PST migration was incredibly high; it definitely surpassed my expectations.”

In fact, PST Flight Deck can even automatically repair corrupted files using industry best practices. “We had already had years of experience with people having huge PST files that had become corrupted. We’d try to repair them. Probably 60% of the time the repair would seem to be successful but actually they’d end up losing data,” explains Ragwani. “If a source file was corrupted, PST Flight Deck would try to repair it itself. We had high confidence that if the tool couldn’t repair it, neither could we. So, it handled a very time-consuming part of the process for us and did the job well.”

Engaging a migration service frees up the internal IT team for vital user communication and training.

With the Quest team handling the migration jobs, the internal IT team had time to focus on making the migration a success in the eyes of users. “We would simply compile a list of data that we wanted to migrate and ping that off to the migration-as-a-service team, and we knew that the job would run at the designated time.” Ragwani explains. “That freed up our time internally to focus on elements like communication, training and support. As a result, we were able to let users know what to expect in advance, which helped ensure that they had a positive experience.”

Indeed, the IT team at the trust raves about the quality of the Quest team. “I rarely say this about anyone, but our program manager at Quest was an absolute superstar,” says Ragwani. “We’re an incredibly busy team with many plates spinning at the same time, but he was very good at keeping us and the Quest resources on track and aligned to the project plan. For example, there were scenarios where we needed to adjust resources or timelines to cater to changes in priorities at the trust, and he managed those situations expertly. I’ve rarely seen it work better.”

Ragwani offers similar accolades for the Quest professional services team. “The team leader was incredibly knowledgeable — he almost made it his mission to understand how the NHS shared tenant worked, down to all the intricacies and special parts,” Ragwani recalls. “Aside from that, his general knowledge, experience and wisdom were incredibly helpful for us in terms of making internal decisions and planning the migration as we went forward.”

In short, Torbay and South Devon NHS Foundation Trust knows that it made the right decision in selecting Quest for its PST migration project. “Without the help of Quest professional services, I think we would have got some of the way to our goal, but definitely nowhere near as far; we just didn’t have the knowledge and experience,” says Ragwani. “Plus, we would not have had time to focus on the support, training, communication and planning aspects that were equally critical to success. Knowing that the technical guff and migration jobs were being handled by experts was a huge weight and resource drain lifted from us.”

A global organization drives synergy by merging Microsoft 365 and Active Directory

For over 20 years, Japan Tobacco International, as part of the JT Group, operated its International and Japanese-domestic tobacco businesses with separate IT teams and in two IT environments: separate Active Directory domains and Microsoft 365 tenants. With help from Quest migration software solutions, Quest Professional Services and the Quest Migration-as-a-Service team, the company was able to streamline business operations by merging the two IT environments into one through consolidating Microsoft 365 and Active Directory.
  • Industry

    Tobacco
  • Website

    https://www.jti.com/

Challenges

JTI is a subsidiary of JT Inc, a leading international tobacco and vaping company, with global headquarters in Geneva, Switzerland. In 2020, the company’s IT department faced a formidable challenge – a tenant-to-tenant migration project that needed to combine two separate IT environments into one by merging 17,000 end users in Japan into a single global environment spanning multiple languages and time zones across APAC, EMEA, and North America — all without adversely affecting end user access and productivity.

Combining our internal team with the Migration-as-a-Service team gave us sufficient expertise and resources to cover this lengthy, complex process.

Constantine Sulema, Identity and Collaboration Solutions Architecture Lead for JTI

Solutions

JTI deployed Quest Migration Solutions to ensure a smooth and efficient migration process. In addition, after assessing the complexity of the migration project, JTI also chose to utilize Quest Professional Services and Migration-as-a-Service (MaaS). The global team was well coordinated and helped JTI successfully execute the migration, with handoffs for every event, all communicated in real time through internal Microsoft Teams chats.

Benefits

  • Increased collaboration and synergy between the domestic and international sides of business
  • Heightened security posture due to maintaining one centralized IT environment
  • Improved standards compliance across the organization
  • Creation of a foundation for streamlined optimization in the future
  • Lower operating costs by decommissioning the Microsoft 365 source tenant

The Story

JTI is a leading global tobacco company. It employs approximately 46,000 people around the world and sells its products in over 130 markets. Its portfolio includes widely recognized tobacco and cigarette brands such as Winston, Camel, Mevius and LD, as well as a range of Reduced-Risk Products (RRP) – non-combustible technologies like vaping and other alternative nicotine products. The Japanese domestic tobacco business, based in Tokyo, operates five factories and multiple distribution points across Japan, whereas JTI, the JT Group’s international subsidiary, is headquartered in Geneva, Switzerland, and has a span of over 70 countries, with 38 finished goods and tobacco related factories as well as 8 research and development centres.

The growth of JTI over the years has been a key contributor to its broad regional diversity. JTI itself was formed as the result of the 1999 acquisition by the JT Group of all the non-US operations of R. J. Reynolds, and its global presence has been strengthened over the years by further mergers and acquisitions.

Merging two IT environments into one.

The international and Japanese-domestic tobacco businesses operated independently for over 20 years, with separate IT infrastructures, separate IT teams and separate reporting lines. “As we started to transition our services to the cloud, we did it in parallel,” says Constantine Sulema, Identity and Collaboration Solutions Architecture Lead for JTI. “So JTI would have created its own Microsoft 365 tenant, and JT would have created its own Microsoft 365 tenant.”

Although the two IT infrastructures had points of interconnection, true interconnectivity across the enterprise was limited. “We would have the IT organization in JTI with its own structure and reporting line, and an IT organization in JT with its own structure and reporting line,” explains Sulema. “There was strategic governance from the top, but operationally, these two organizations were pretty much independent.”

As JT Group looked at creating a totally new operating model, one that would further consolidate the International and Japanese-domestic tobacco businesses, the key requirement was to facilitate collaboration. “When we started to look at options, we realized that JTI had a bigger, more complex environment, with a larger number of business applications, and a much larger geography,” Sulema says. “After analyzing all these factors, we came to the conclusion that the best way to integrate the environment would be on the JTI platform.”

Complexity of the environment required migrating users in batches over 12 months.

The company had two simultaneous goals: to merge two IT environments into one, as well as migrate user workstations. In addition, the company wanted to consolidate its Active Directory by merging two on-premises AD domains into one. Because of the unique challenges facing the migration project, JTI found it preferable to take a phased approach, migrating users in batches over 12 months.

Why? In a large complex environment with numerous interdependencies, it would be virtually impossible to migrate all 17,000 user accounts – as well as business applications and other resources such as Teams, SharePoint, Power Platform, etc. – all at once. To make it happen, JTI had to migrate users in batches. “Cross-premises access, or cross-tenant access, was a pretty big challenge actually,” Sulema explains.

Because of all the dependencies between the two environments, JTI found that using Microsoft-provided integration and migration tools simply wouldn’t work for a project of this scale. “With that in mind, we started to look around for a toolset that would allow us to facilitate this migration. But because of the unique circumstances, an out-of-the-box configuration was not likely to solve all the challenges. Customization was needed.”

Need for professional services and Migration-as-a-Service.

JTI’s need for a customized solution is one of the reasons the company turned to Quest and the Quest Professional Services team. “I must say we had great support from the consultancy team, who did a great job helping us to build a configuration that would address our requirements,” Sulema explains. “I mentioned the complexity of migrating multiple workloads at the same time, and we spent most of our time building the configuration that would allow us to overcome the challenges of this complexity.”

The Quest Professional Services group worked with JTI to configure a solution composed of Quest tools such as Migrator Pro for Active Directory, On Demand Migration for mailboxes and Teams, and Quest On Demand Migration for OneDrive. In addition to Quest solutions, the migration project also made use of some Microsoft-provided tools, as well as third-party tools to migrate some very specific workloads.

The design process took approximately seven months. The team then spent the next six months testing and validating the solution until it was working without issues. Three months before the migration, the company piloted the process, migrating small batches before starting the mass migration.

As with any large-scale migration, there were small pitfalls along the way. “For example, you may have some issues with the migration process because of a specific configuration of a workstation, and the process would not complete successfully,” Sulema says. “And then you need to either roll back or find a way to complete the migration and fix the issue. Of course, we had the whole [Quest] support organization behind us, helping us to deal with any post-migration incidents.”

It was during this time that JTI decided to use Quest Migration-as-a-Service (MaaS) rather than perform the migration in house. One of the reasons for using Migration-as-a-Service instead of relying solely on in-house teams was to have a team with relevant migration experience. In addition, JTI needed to have resources that would be available in different time zones. “If you look at the time zones, it would be much more complicated to do it with an internal team,” Sulema adds. “Combining our internal team with the Migration-as-a-Service team gave us the expertise and resources sufficient to cover this lengthy, complex process.”

The Migration-as-a-Service (MaaS) engagement was executed by a well-coordinated, globally managed services team that successfully carried out the migration, with handoffs for every step. All communication took place in real time through internal Microsoft Teams chats.

Optimized, streamlined IT operations create more synergy between teams.

The whole migration project, from design to execution, stretched over more than 30 months. “It was a very large project, in terms of the volume of work and impact, but it was certainly worthwhile,” Sulema adds. “Now we can operate and collaborate much more smoothly, and we’ve built a foundation for further integration of business applications and optimization of the environment.”

One of the key metrics to determine the success of the migration project was completeness. “We would track migration of all the resources, user accounts and workstations and make sure that we’ve migrated everything,” Sulema explains. “Once we completed the migration, we were able to effectively decommission the Microsoft 365 source tenant.”

Not only was the JTI IT team happy with the outcome of the migration project, so were the end users. “The [end user] feedback was very positive, even though the process wasn't completely seamless,” Sulema explains. “Of course, we had challenges, especially at the beginning.”

But post-migration feedback from end users indicated that at a business level, the interaction between the Japanese domestic and the international sides of the business has improved dramatically. “Now we work in one single common global environment that allows us to integrate business processes and applications, improve our security posture and compliance with standards across the organization.”

Lessons learned.

One of the things Sulema and his team learned is that the more fragmented the environment, the more complexity and risk the company has to face. But now, JTI has a global environment that supports the business and that the IT team can maintain more easily while ensuring sufficient levels of security. “We are better able to ensure that security standards and policies are applied in a consistent way across the whole environment,” Sulema says.

“Although the migration has reduced the cost of maintaining two separate IT environments, the migration project itself was not a cost-driven exercise,” Sulema says. “Rather it was an effort to optimize and streamline business applications and create more synergy between teams. The overall aim of this project was to drive collaboration and improve our ability to integrate the domestic and international tobacco businesses,” he adds. “And from what we hear from our business partners, we have successfully completed that.”

But in more personal terms, Sulema also appreciates the growing reputation that the IT team has earned from company leadership throughout this migration project. “Of course, any successful project is something you should be very proud of… but it’s doubly rewarding if you improve relationships with our business colleagues at the same time,” Sulema concludes. “And this was indeed a very good example where we have delivered what was expected, and more.”

Greater security through AD consolidation

Building material company uses Quest AD migration solutions to consolidate 31 Active Directory domains and 40,000 users into a single environment for their EMEA region, while enhancing security and avoiding disruption.

  • Industry

    Building Materials
  • Website

    https://www.holcim.com/

Challenges

Two leading companies in the building material industry merged to create one business, Holcim. Given the security risks associated with the high number and complexity of their environments — 31 different domains and around 40,000 employees — Holcim needed to find a solution that could consolidate their numerous Active Directory (AD) environments.

The quality of the services that Quest offered to us was simply amazing.

Samuel López Trenado, User Lifecycle Supervisor, Holcim

Solutions

Due to their complex environments, the Holcim team quickly realized that Microsoft proprietary tools were not equipped to tackle their elaborate consolidation. In the end, they chose Quest AD migration solutions for their convenience, efficiency and synchronization capabilities.

Benefits

  • Created a unified Active Directory.
  • Delivered a more controlled and efficient environment.
  • Ensured a zero-impact migration with no downtime or disruptions.
  • Increased security by reducing AD domains and shrinking the attack surface.

Holcim is a leading global building material company with an EMEA digital centre based in Spain, specializing in innovative and sustainable building solutions. The company, formed by the union of Lafarge and Holcim, two leading organizations in the industry, has operations in more than 70 countries and employs about 40,000 people in its EMEA region. When the company needed to consolidate and update its complex IT infrastructure after the merger, the team quickly decided it had to be done by Quest.

Before the companies merged, they had disparate Active Directory approaches. Holcim had a single Active Directory domain, while Lafarge had 30 separate Active Directory domains within a global forest – one for each country in which it operated.

Consolidating 31 Active Directory domains into one

Following their company merger, a companywide Active Directory consolidation project was defined to merge the 31 domains into a single environment. The consolidation project was led by Samuel Lopez Trenado, User Lifecycle Supervisor, who was working as the Active Directory team lead at the time.

The company chose this approach after acknowledging that having so many Active Directory domains was a security risk. “If you have more Active Directory domains, for sure you will have more security issues,” Lopez Trenado said. “You have more points where you could be compromised.”

To create a centralized system with optimal control and security, they needed a single directory structure.

Lopez Trenado analyzed the solutions on the market that they could utilize to achieve the most seamless consolidation. Due to their complex system integration challenge, the Holcim team quickly realized that Microsoft proprietary tools were not equipped to tackle the elaborate consolidation process that was ahead of them.

The team decided on selecting Quest AD migration solutions for their convenience and synchronization capabilities. The company also had previous experience with Quest’s professional services and were impressed by their efficiency. “In terms of proximity and quality of the services commitment and business understanding, I think that the professional services are much better than others,” Lopez Trenado said.

Seamless migration with no downtime or end user impact

Holcim used Quest AD migration solutions to successfully consolidate its AD structure with minimal impact on users and no downtime.

Once the domains and tools were prepared for the migration, the local IT teams in each country were trained on how to execute the migration. The team set up a tool management process that was administered by a central team and executed by each local team. This process allowed the local teams to choose the most convenient timing for their migrations to happen – a key aspect that the team wanted to ensure during their migration process.

“This is a capability which is offered by Quest, but for sure is not offered by the native tool,” Lopez Trenado said.

The threat of disruption and downtime was something that the company was very cautious of when choosing a solution for their migration. They wanted to ensure that their users would be impacted as little as possible throughout the process. They were relieved when they discovered that the only effect the migration would have on their users was a simple computer restart that could be done at the users’ convenience.

“After users restart their computer, they are in the new Active Directory domain and everything works as it was working before,” Lopez Trenado said. “This is quite efficient.”

Enhanced security post consolidation

Holcim approached their Active Directory consolidation project from a security, compatibility and productivity standpoint. Their consolidation allowed them to implement a single sign-on approach for their users, improving the efficiency and security of their organization. Their consolidation helped modernize their business and set them up for future success.

Lessons learned

To companies preparing for an Active Directory consolidation, Lopez Trenado recommends being very clear on each member’s roles and responsibilities from the start of the project. He also advises keeping a playbook detailing each step of the process, so it can be easily replicated and executed by others.

Lopez Trenado chose to trust Quest with Holcim’s Active Directory consolidation because he believes Quest has the highest quality of professional services, the most advanced capabilities and the best technical advantages.

“This is what makes the difference between Quest and the other solutions or other vendors that you might find in the market,” Lopez Trenado said.

Insurer slashes Active Directory recovery time

With native tools, a restore would take days or weeks; with Quest, we can be fully operational again in hours.

Krist Cappelle, Information Security Program Manager, P&V Group

Retailer Ensures PCI DSS Compliance

For PCI DSS compliance, we have to turn on all native logging and provide auditors with complete logs for the past year… Without InTrust, we would have run out of space a long time ago.

Enterprise Administrator, Large Retail Chain

NHS Arden & GEM Commissioning Support Unit migrates seamlessly and securely with Quest migration sol

We were able to see a return on our investment right away by cutting down significantly on the man hours needed for the migration, and we no longer worry about the risks involved with user mistakes.

Chris Reynolds, Head of Innovation and Product Development