- Jeremy Nicol
How to Migrate On-Premises Secret Servers to the Cloud
If you have decided to migrate from Secret Server On-Premises to Secret Server Cloud, you should be aware that migrating from your On-Premises environment to the Cloud is not a simple copy-paste from Target to Source. There are multiple prerequisites that must be fulfilled before your migration can even begin. In this article, we will cover the pre-migration steps that must be completed, talk about what is migrated and what is not, and cover steps that are needed after the migration is completed.
Step 1: Creating Your Administrator Account
Before your migration can even begin, your Secret Server Cloud instance must be provisioned. Someone in your organization should have received an email that would point them to a URL where they will set up your new subdomain for your Secret Server Cloud instance. Once that is set up, then they will be able to log into the instance. The first user that logs in has Administrator rights. If that user is not the one who will be setting up the cloud instance, it is recommended that they create a local administrator account that will be used for others to create the account. This new user should not contain “admin, ss, Delinea, Thycotic” or any combination of those names or your companies’ names.
Step 2: Setting Up Your Cloud Secret Server
On your first day with your consultant, they will guide you through the process of setting up your Distributed Engines, manually adding your Secret Server Service Accounts, setting up your Domain, and Syncing your Users and Groups. Once that is completed, they will work with you to get your settings copied over from your On-Premises environment to your Cloud environment. This process can take a bit of time. It is very important that if your company uses Secret Policies that those get re-created in your Cloud environment. Custom Secret Templates will need to be exported and then imported into the Cloud. You’ll want to go through the out-of-the-box templates and look for any custom Fields, Password Requirements, or Launchers that have been added to those templates. There are three things that must match up for the Export/Import migration to complete successfully: the correct Users/Groups, correct Secret Templates, and any additional settings that were added to Secret Templates.
Any other custom settings will need to be migrated over as well, such as Configuration settings, Custom Roles, Secret Policies, and other settings such as IP Address restriction items and List. These settings, however, have little impact on the initial migration of Folders/Secrets.
Step 3: Migration
Once your Cloud environment is prepped to receive your Folders/Secrets, we move on to the next phase of the project: migration. It is very important that you are aware of what is migrated over and what is not. Folders and their permission settings are migrated over, as well as Secrets and their settings. However, Secret Policies are not migrated over. If you have Secret Policies applied to your Folders or Secrets, you will need to manually add the Secret Policies to the Cloud and then apply them to the Folders or Secrets. Additionally, no Audit logs or Session Recordings are copied over. Any historical items, such as password history or other field history items on Secrets, are not copied over.
Step 4: Ensure Everything Has Migrated Properly
Once the migration has completed—hopefully without any errors—we need to validate the data. First, check the Secret count and validate whether the Cloud instance has the same number of secrets as your On-Premises instance. If not, then we’ll need to locate what failed to move, and either add it manually (if there are only a few) or perform a second Migration once the issue that caused them to fail is resolved. Next, we need to verify that all of the folders were migrated over and check the Folder permissions. Are the correct users and groups assigned to each folder? Do they have the correct permissions? If not, then we need to resolve that issue before we give anyone access to the Cloud environment.
Once data validation is complete there are other items you may need to set up. For example, you might have Event Subscriptions that are tied to a Folder or a Secret. With these additional items set up, your migration is complete.
Have question or comment? Feel free to post below or send to email@example.com.