If you have onboarded multiple AD domains across multiple Umbrella orgs, you can now consolidate them into a single Umbrella org. Cisco Umbrella offers a procedure that consolidates multiple Umbrella orgs, each containing a single AD domain, into a single Umbrella org with multi-AD domain support.
Important note: As per the announcement posted here, support for automated consolidation of orgs will no longer be available after November 1, 2020.
- Each of the orgs to be migrated should have a single AD domain onboarded and at least one AD Connector deployed for this domain.
Initiating the consolidation process
- You will need to raise a support ticket that clearly indicates which orgs need to be migrated and which org is the destination for the migration. It is recommended to choose the org with the largest deployment (maximum number of AD identities and on-prem components) as the destination org.
- For each source org that will be migrated to the destination org, you will need to specify a "downtime" (a 4-hour slot on a weekday) during which the migration of this source org can be carried out. While DNS will continue to function during the downtime, AD identity attribution for DNS requests will not be available for AD users logging in during this downtime. Also, any changes to the AD structure (user additions, deletions, group modifications) made during this downtime will not be synced to Umbrella.
- On-prem components like the VA and AD Connector may upgrade during this downtime.
- You will be notified once the migration of each org is completed, either via the Umbrella dashboard or as a follow-up to the Support ticket.
- Once migration is complete, you will need to restart the Connector service on each AD Connector to view the domain name for AD users and groups. To do this, run Services.msc on the server where the connector is deployed, locate the "OpenDNS Connector" service in the list, right-click it and select Restart.
What will be migrated
The following components will be migrated:
- Active Directory Identities (Groups, Computers, Users)
- Active Directory Servers (Domain Controllers)
- Virtual Appliances
- Active Directory Connectors
- Roaming Computers
- Policy-to-identity mapping (for the identities that are migrated):
  - AD Groups
  - AD Users
  - AD Computers
  - Roaming Computers
- Internal Domains
- Internal Networks
- Service Account Exceptions
Roaming Computers will be migrated only when they sync to Umbrella.
What will not be migrated
The following will not be migrated automatically and need to be manually reconfigured or re-registered against the destination org:
- Network Devices
- Mobile Devices
- Chromebook Users
- AnyConnect Roaming Security Module (Steps to do this manually are covered here)
- Network Tunnels (Umbrella firewall service)
- User Provisioning (SAML Users and Groups)
- Default Policy (the default policy of the destination org will be applied)
- Any centralized settings for policy that are configured through the Multi-Org Console
- Any centralized destination lists (Allow or Block) that are configured through the Multi-Org Console
- Reporting (any historic reports, scheduled reports or reporting-related configurations are not migrated)
- Any admin-specific configurations
- User Roles
- Log Management
- Bypass users
- Bypass codes
- Platform API keys
- API keys
- Custom block page
- Policy Integrations
- Investigate API
- Review the policies in your destination org and re-order if required.
- Your source orgs will continue to exist after the migration. However, some of the components that have been migrated to the destination org (Virtual Appliances, AD Connectors, Roaming Computers) will no longer show up in the source org. Other components, including Policies, Sites and Domain Controllers, will continue to show up in the source org.