5 Reasons It's Time to Migrate Your Directory from DSEE

Legacy directory servers make it nearly impossible to keep up with modern modern identity and access management (IAM) requirements. These legacy products have seen no major innovation for more than a decade, are missing many IAM features and leave bloated and costly hardware footprints. 

Adding to their limitations, many legacy systems—including Oracle (formerly Sun) Directory Server Enterprise Edition 11g (DSEE)—are facing end-of-life support realities. These legacy systems are increasingly hindering other critical business and IT initiatives, and the urgency to replace them has never been higher.

In the case of DSEE 11g, Premier support was originally supposed to end in December 2015. While the deadline is now set for December 2019, the end of support is inevitable. And in the meantime, you can’t help questioning what you’re actually getting for that investment since the product clearly nearing obsolescence. 

Aside from the end-of-life realities, if you’re using DSEE, there are several reasons to switch from your current directory to a more modern data store. But you may be understandably concerned about making a move. 

Read on to learn five reasons why migrating to a modern directory is worth tackling sooner than later and get a behind-the-scenes look into how Boise Cascade made a smooth directory migration from DSEE with zero downtime.

As you manage more and more lines of business and applications with your current directory or directories, you’ve increased the demand from all of over your enterprise. And in doing so, you’ve likely experienced firsthand the limitations of DSEE. Your business really needs a directory with high availability and uptime—or else the business stops being productive or making money. But your legacy solution wasn’t designed to handle the scale and performance demands you’re placing on it. 

You need a modern directory scalable enough to consolidate and unify all of your current and future users identity and profile data, plus be flexible enough to store unstructured data from applications. Of course, there’s also the security piece. Your directory services must be easily consumable by all applications, even mobile, cloud-based, and legacy mainframe apps; while simultaneously protecting that sensitive data from breach. Anything less, and you’re hamstrung to deliver the performance your business needs.

If you’re like many DSEE users, you’ve probably found that the more you tax your current system, the worse it performs. You may be conducting more frequent reboots and patching. You might also have a hard time finding or keeping people who still have the specialized expertise to actually do patches and customizations on such an outdated system (the latest version went GA in 2010). At the same time, you’re faced with increasing maintenance fees for DSEE 11g support, even though the product isn’t receiving any Oracle investment.

If any of this sounds familiar, you know better than anyone that it’s about time you had a solution that’s well supported by the vendor, cost-effective to operate and easy to manage. DSEE is arguably none of these in this late stage of its lifecycle. 

Just a guess, but I’ll bet your enterprise is regularly adding or building applications and developing more partnerships than ever. If you’re in a regulated industry or your development teams need to make frequent updates, you’re likely also on the receiving end of an endless stream of requests from application developers to add this field or remove that one.

While being buried in hard-to-meet demands isn’t a good feeling, it’s actually the best case scenario. The other—and even more distressing—alternative is that your dev teams have taken matters into their own hands and are storing their identity data in modern databases and siloed data stores outside of your control. You really need to provide a directory service that enables you and your team to be responsive to modern app dev requirements.

Your C-suite is pressing you to move more and more applications to the cloud. But your legacy server is making migration a tough nut to crack. Sure, you could move your DSEE instance to the cloud, but since reducing cost is usually a major driver for cloud initiatives, the increased fees to host its bloated footprint in AWS, Azure or Google Cloud would defeat the purpose. 

Even if cost isn’t your main concern, Oracle’s requirement for you to prove a support issue is taking place on bare metal before they look into the issue should halt any thoughts of migrating DSEE to the cloud. And despite the proliferation of cloud-first initiatives, many enterprise applications will need to remain on-premises, at least for the foreseeable future. DSEE isn’t flexible enough to straddle both worlds. 

To satisfy the needs of your business, you may find a more realistic compromise in a hybrid IT environment where some applications remain on-premises, some are running in public clouds like AWS and still others are SaaS. You need a vendor that won’t just support you through this transition, but one who’s committed to helping you through it and able to provide customized options to support your particular IT environment.

Given the business critical nature of the data stored in your ailing infrastructure, you may be worried about the potential disruption that can happen when infrastructure change isn’t managed well. You can’t really rip and replace everything you have, nor would you want to. Making a smooth migration with no downtime is the most prudent way forward. And that may feel like an insurmountable task, not to mention a huge leap of faith. 

But it’s possible with the right solution and approach. You can make a smooth migration with zero downtime when you’re supported by real-time, bi-directional synchronization capabilities. You’re able to migrate or sync user data from multiple sources, manage structured and unstructured data, and provide applications stable directory services via developer-friendly REST APIs. 

And many have experienced it firsthand, including Boise Cascade. 

Headquartered in Boise, Idaho, and founded in 2004, Boise Cascade Company manufactures wood products and distributes building materials in the United States and Canada. It operates in two segments: wood products and building materials distribution, generating over $4.4B in revenue in 2017. Driving this success are over 100 internal and customer-facing applications authenticated with LDAP across the U.S. and Canada, supporting over 8,000 internal and 1,500 external users. 

A few years back, with Oracle Directory Server Enterprise Edition (DSEE) and Microsoft Active Directory (AD) in place for directory services, the company had spun off their IT folks to another company. Wanting to keep AD as the master record database, but having inherited this environment without any DSEE expertise, the IT team learned quickly that using Identity Synchronization for Windows to pull AD identities over to DSEE was far from seamless, requiring constant resyncs. User passwords would get out of sync with the primary AD account while authenticating with LDAP, and this would generate an onslaught of password reset requests. 

Ben Hale, Infrastructure Manager for Boise Cascade, explains that when they began exploring their upgrade options, they first looked to Oracle as the incumbent vendor with the assumption that this would be the path of least resistance. After investigating the complexity and cost of a move from Oracle DSEE 11g to Oracle Unified Directory 12c, they learned that sticking with Oracle was no simpler than migrating to an entirely new vendor. So they started looking to other enterprise-proven directory solutions.

After scanning the industry for the right directory solutions, the team at Boise Cascade looked to Ping Identity. Ping’s strong track record of successful migrations from DSEE, combined with its attractive cost of ownership and ease of application management made it a natural choice. The flexibility of PingDirectory made it easy for Ben and his team to stand up clusters in other data centers and enable a cloud presence, without requiring a significant additional investment in a partner to set up additional nodes.

Since migrating in May 2018, Boise Cascade has eliminated upwards of 90% of password reset requests by synchronizing passwords using PingDirectory’s pass-through authentication plug-in. If a password fails in PingDirectory but works in AD, the plug-in updates the password in PingDirectory. Hale explains, “Oracle would try to capture the password, but sometimes those password changes were missed, and PingDirectory just does it better.” 

The team has realized other benefits, too, including:
 

• Hands-off operation—in Hale’s words, “It just works, so there’s no need to intervene.”
• Quick recovery during an outage or disaster recovery scenario.
• Constructive mapping between AD and PingDirectory.
   

Everything is still on-prem for now, so they’re maintaining a hybrid environment with an eye to the cloud in the future. Hale says their next steps will be to stand up a PingDirectory cluster in AWS to support some of their future cloud-based applications so they don’t have to point down to an on-premises directory service.

In reality, migration is rarely a one-time event. On-premises applications are not easily moved to the cloud, making a hybrid IT environment a likely scenario. For some enterprises, logistics, approvals, timing or other events may require that changes be implemented over the course of several months. Others may simply want the option to maintain their current solution while implementing the new one, creating coexistence in the event something doesn’t go as planned. 

Regardless of your situation, you need options to make your migration as smooth as possible. To learn more about how you can make your own zero downtime migration from DSEE, get the Migration Guide.