Active Directory Project Was a Key to Missouri Consolidation

Consolidating e-mail 'communities' saves money and improves quality of life for Missouri state employees.

March 15, 2009

They all worked for a single state government. But until recently, Missouri's executive branch employees were dwelling in a wilderness of isolated IT villages.

Each of the 14 departments used its own Microsoft Active Directory system, the framework that organizes, secures and controls access to network resources, services and user accounts. Some departments used more than one, giving the state about 20 separate IT communities. Each community managed its own infrastructure -- controlled its desktops, looked after its security, operated its peripherals and updated its software. Each ran a separate e-mail system. If employees in different communities needed to share data files, or even schedule multidepartment meetings on electronic calendars, they had to give employees special access to one another's systems, saddling workers with extra user names and passwords to remember.

The quality of life in these IT communities varied widely, said Bill Bott, former deputy CIO of Missouri, who resigned in January 2009 to join the Change and Innovation Agency. "Some people were living in mansions; some people were living in shacks." Some, for example, had excellent antivirus protection, while others scraped by with shareware.

Over the past few years, though, Missouri replaced its hodgepodge of IT neighborhoods with a single, full-service community. As part of a broader effort to consolidate IT under the state CIO, it moved all 40,000 of its end-user accounts onto a single e-mail system and a single Active Directory.

This strategy, state officials said, streamlined IT administration and gave users more equitable access to IT resources. It's also saving Missouri millions of dollars.

Missouri consolidated its data centers into a single facility 10 years ago. But the state government was still running numerous IT operations. When departments failed to collaborate on business challenges, many people blamed that failure on the fact that they couldn't share data. Departments also conducted IT projects in isolation -- for example, implementing content management systems with no thought to how they might share resources.

To address these problems, then-Gov. Matt Blunt promoted a move to put all of the state's IT budgets, employees and equipment under the control of a single IT division. As IT officials discussed how to launch this consolidation, two ideas rose to the top. They would merge the Active Directory systems, also known as "forests," and they would bring the whole executive branch onto a single e-mail system.


One Pair of Keys

The new environment would be like a gated community with well-run, shared services, Bott said. To access any of those services, a resident would need just a single user name and password -- one pair of keys, not a crowded, jangling key ring.

By migrating all users to one Active Directory system, Missouri was bucking a trend. Many organizations instead choose to build links among their separate directories, so data can pass back and forth among systems. That approach, however, requires some users to maintain multiple identifications, Bott said. And as the environment evolves, it develops features that aren't well documented. "It's cluttered, and it makes changes to the directory much harder to do," he said. "It's harder to manage."

Missouri started planning the consolidation in July 2005. Implementation began in January 2006 and wrapped up in November 2007, a month ahead of schedule. The project cost about $250,000, which was spent mostly on new equipment. Because in-house, salaried employees performed all the work, the state has not broken out the labor costs, Bott said.

The main challenges the project team contended with were political rather than technical. "One of the biggest battles we had with the agencies was over who was going to control security at the upper levels of the forest," said Dee Lueckenotte, a member of the Active Directory/Exchange project group. Previously each agency maintained full control over who could access what within its own forest. "We had to cut that security model back to give them enough control to be able to do the job they needed to do, but not to be able to interfere with another agency," she said.

One of the technical decisions the group made was how to divide the Active Directory forest into subdomains, or "trees," Lueckenotte said. Could each agency get its own tree, or would that approach make the system too cluttered?

Missouri ended up creating four trees. One houses the servers that run the Exchange e-mail system, desktop management, Active Directory and other objects used across the state system. Each of the other three trees houses a group of agencies with related functions -- one for health care and social services, for example. Within that structure, the CIO's office controls higher-level functions, but each agency performs its own day-to-day administration, such as adding new employees, computers and printers to the network. "We didn't want to create a central bureaucracy, where every little change needed to come through one or two people," Bott said.


40,000 Patches at Once

With the consolidation complete, state employees now can share data and collaborate on projects without maintaining multiple identities. The unified Active Directory also makes it easier to manage security and other features on the state's thousands of desktops. "When Microsoft sends out a patch, we can push one button and send it out to everyone in the state," Bott said. Also, under the new model, the IT department can procure virus protection, spam filtering and other tools for all 14 departments at once and ensure that all users receive the same level of protection, he said.

In return for its investment in consolidation, Missouri also realized many other benefits. Some flow directly from having moved all executive-branch employees into one forest. Others flow from the fact that the consolidation has put all of these end-users and their systems under centralized management.

As part of the consolidation, for example, the state's IT division replaced departmental servers with central servers, using virtualization to reduce the number of boxes. Central management also decreased the number of software licenses required. And it has cut the number of technicians the state needs, since one team now maintains the whole IT infrastructure, rather than a separate team for each department. Bott said the state saved $3 million in one-time IT expenses and expects to save another $385,099 per year for fiscal 2009-2013.

In the course of the consolidation, the state introduced modern technology that's more reliable than the older systems it replaced. One example is a storage area network for the e-mail system.

"We went from 14 different environments that were somewhat suspect -- in some cases, they had very aged equipment -- to a state-of-the-art environment with redundancy and proper backups," said Howard Carter, director of the state data center. If the budget permits, in the next year the state could build on this foundation to develop disaster recovery for the e-mail system, he said.

In fact, Missouri will be positioned to develop a complete, common disaster recovery strategy, Bott said. Having just one Active Directory forest and one e-mail system to recover, rather than 14 or more separate systems, makes this task much easier. "Short of the data center building, if we lost any single building in the capitol complex or around the state, we would have a backup for that building that we've never been able to have before."

Having a single e-mail system also makes it easier to develop a statewide e-mail archiving system. "We now have a whole state solution where we're retaining all state e-mails indefinitely," Bott said. "But there will be another policy coming out, I'm sure, as the records retention folks catch up with the technology."

In the long run, the Active Directory consolidation could help Missouri do a great deal more. Bott said the state's strategy is much like the one that led Walt Disney to buy thousands of acres in central Florida in the 1950s, even though he needed only a fraction of that land to build Walt Disney World. That purchase allowed Disney to add hotels, resorts and more parks when the time was right.

"We don't have all the answers about how we're going to use Active Directory, but we know it has allowed us to build our 'theme park,'" Bott said. "Now we're able to do all those other things that branch out because of the foundation we have."

Merrill Douglas Contributing Writer