at the upper levels of the forest," said Dee Lueckenotte, a member of the Active Directory/Exchange project group. Previously each agency maintained full control over who could access what within its own forest. "We had to cut that security model back to give them enough control to be able to do the job they needed to do, but not to be able to interfere with another agency," she said.
One of the technical decisions the group made was how to divide the Active Directory forest into subdomains, or "trees," Lueckenotte said. Could each agency get its own tree, or would that approach make the system too cluttered?
Missouri ended up creating four trees. One houses the servers that run the Exchange e-mail system, desktop management, Active Directory and other objects used across the state system. Each of the other three trees houses a group of agencies with related functions -- one for health care and social services, for example. Within that structure, the CIO's office controls higher-level functions, but each agency performs its own day-to-day administration, such as adding new employees, computers and printers to the network. "We didn't want to create a central bureaucracy, where every little change needed to come through one or two people," Bott said.
40,000 Patches at Once
With the consolidation complete, state employees now can share data and collaborate on projects without maintaining multiple identities. The unified Active Directory also makes it easier to manage security and other features on the state's thousands of desktops. "When Microsoft sends out a patch, we can push one button and send it out to everyone in the state," Bott said. Also, under the new model, the IT department can procure virus protection, spam filtering and other tools for all 14 departments at once and ensure that all users receive the same level of protection, he said.
In return for its investment in consolidation, Missouri also realized many other benefits. Some flow directly from having moved all executive-branch employees into one forest. Others flow from the fact that the consolidation has put all of these end-users and their systems under centralized management.
As part of the consolidation, for example, the state's IT division replaced departmental servers with central servers, using virtualization to reduce the number of boxes. Central management also decreased the number of software licenses required. And it has cut the number of technicians the state needs, since one team now maintains the whole IT infrastructure, rather than a separate team for each department. Bott said the state saved $3 million in one-time IT expenses and expects to save another $385,099 per year for fiscal 2009-2013.
In the course of the consolidation, the state introduced modern technology that's more reliable than the older systems it replaced. One example is a storage area network for the e-mail system.
"We went from 14 different environments that were somewhat suspect -- in some cases, they had very aged equipment -- to a state-of-the-art environment with redundancy and proper backups," said Howard Carter, director of the state data center. If the budget permits, in the next year the state could build on this foundation to develop disaster recovery for the e-mail system, he said.
In fact, Missouri will be positioned to develop a complete, common disaster recovery strategy, Bott said. Having just one Active Directory forest and one e-mail system to recover, rather than 14 or more separate systems, makes this task much easier. "Short of the data center building, if we lost any single building in the capitol complex or around the state, we would have a backup for that building that we've never been able to have before."
Having a single e-mail system also makes it easier to develop a statewide e-mail archiving system. "We now have a whole state solution where