Cisco Umbrella now offers a procedure for consolidating multiple Umbrella orgs, each of which includes a single AD domain, into a single Umbrella org with multi-AD domain support. If you have onboarded multiple AD domains in multiple Umbrella orgs, you can now consolidate them into a single Umbrella org, subject to the following conditions:
- Each of the orgs to be migrated should have a single AD domain onboarded and at least one AD Connector deployed for this domain.
- If the total number of DNS queries across the orgs that will be consolidated exceeds 20 million per day, then reporting is likely to be affected after consolidation. In this case, Cisco does not currently recommend consolidation of the orgs. Support for consolidation of such orgs will be announced in a future release.
  - Note: The number of DNS queries per day for each individual org can be checked in the Activity Volume report from the dashboard of that org. Alternatively, the total number of DNS requests can be checked from the Overview report (Centralized Reports) on the Multi-Org Console.
- If the total number of identities across the orgs that will be consolidated exceeds 20,000, then reporting is likely to be affected after consolidation. In this case, Cisco does not currently recommend consolidation of the orgs. Support for consolidation of such orgs will be announced in a future release.
  - Note: The number of identities for each individual org is the sum of the count of all identities (except AD groups and G-Suite OUs) seen on the Policy configuration page.
- Not all components can be migrated from one org to another. This is covered in a section below.
Initiating the consolidation process
- You will need to raise a support ticket that clearly indicates which orgs need to be migrated and which org is the destination for the migration. It is recommended to choose the org with the largest deployment (maximum number of AD identities and on-prem components) as the destination org.
- For each source org that will be migrated to the destination org, you will need to specify a "downtime" (a 4-hour slot on a weekday) during which the migration of this source org can be carried out. While DNS will continue to function during the downtime, AD identity attribution for DNS requests will not be available for AD users logging in during this downtime. Also, any changes to the AD structure (user additions, deletions, group modifications) made during this downtime will not be synced to Umbrella.
- On-prem components like the VA and AD Connector may upgrade during this downtime.
- You will be notified once the migration of each org is completed, either via the Umbrella dashboard or as a follow-up to the Support ticket.
- Once migration is complete, you will need to restart the Connector service on each AD Connector to view the domain name for AD users and groups. To do this, run Services.msc on the server where the connector is deployed, locate the "OpenDNS Connector" service in the list, right-click it and select restart.
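When several AD Connectors are deployed, the restart step above can be scripted instead of repeated in Services.msc. The following PowerShell is an added example, not part of Cisco's procedure: the host names are placeholders, and it assumes PowerShell remoting is enabled on the connector servers and that it is run with administrative rights on them.

```powershell
# Placeholder host names: replace with the servers where your AD Connectors run.
$ConnectorHosts = @('connector01.example.internal', 'connector02.example.internal')

# Service display name as given in the procedure above.
$DisplayName = 'OpenDNS Connector'

$results = foreach ($h in $ConnectorHosts) {
    try {
        Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            # Look the service up by display name; fails if it is not installed.
            $svc = Get-Service -DisplayName $using:DisplayName -ErrorAction Stop
            Restart-Service -InputObject $svc -ErrorAction Stop

            # Wait up to 60 seconds for the service to come back; throws on timeout.
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            $svc.Refresh()

            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Service = $svc.Name
                Status  = $svc.Status.ToString()
                Error   = $null
            }
        }
    }
    catch {
        # Record the failure so one unreachable host does not hide the others.
        [pscustomobject]@{
            Host    = $h
            Service = $DisplayName
            Status  = 'Failed'
            Error   = $_.Exception.Message
        }
    }
}

# Any row that is not 'Running' needs to be restarted manually on that server.
$results | Select-Object Host, Service, Status, Error | Format-Table -AutoSize
```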
What will be migrated
The following components will be migrated:
- Active Directory Identities (Groups, Computers, Users)
- Active Directory Servers (Domain Controllers)
- Virtual Appliances
- Active Directory Connectors
- Roaming Computers
- Policies to identity mapping (for the identities that are migrated)
  - AD Groups
  - AD Users
  - AD Computers
  - Roaming Computers
- Internal Domains
- Internal Networks
- Service Account Exceptions
Roaming Computers will be migrated only when they sync to Umbrella.
What will not be migrated
The following will not be migrated automatically and need to be manually reconfigured or re-registered against the destination org:
- Network Devices
- Mobile Devices
- Chromebook Users
- AnyConnect Roaming Security Module (Steps to do this manually are covered here)
- Network Tunnels (Umbrella firewall service)
- User Provisioning (SAML Users and Groups)
- Default Policy (default policy of destination org will be applied)
- Any centralized settings for policy that are configured through the Multi-Org Console
- Reporting (Any historic reports, scheduled reports or reporting related configurations are not migrated)
- Any admin-specific configurations
- User Roles
- Log Management
- Bypass users
- Bypass codes
- Platform API keys
- API keys
- Custom block page
- Policy Integrations
- Investigate API
Your source orgs will continue to exist after the migration. However, some of the components that have been migrated to the destination org (Virtual Appliances, AD Connectors, Roaming Computers) will no longer show up in the source org. Other components, including Policies, Sites and Domain Controllers, will continue to show up in the source org.