After a leisurely 6 months of planning, 2 months of pre-implementation, 2 months of implementation and a long tail of finishing up, I can successfully proclaim that I’ve moved my company to G Suite.

Well, we had to, really. With half the company running insane open shares off personal Google accounts, secret Dropbox covens, unloved Office Online, on-premise shares and an unloved Confluence wiki, the migration had to happen.

Does G Suite feature good tools? Yes!

Does Google provide relevant advice how to actually perform the migration? Do they fuck.


Yeah, I know, hail corporate etc etc

Active Directory sync

Unless you’re a start-up of some kind, you’ll likely need to federate your Active Directory into Google for core authentication and security group functions. Google Cloud Directory Sync (GCDS) is what you’ll need. The tool works, but has two major shortcomings. Firstly, they recommend you authenticate your sync tool against your administrator account via OAuth. This is insane, as if that administrator left, the sync would break.

Instead you have to pay another ~£5/month for a dedicated sync user. Is this documented anywhere? No.

The sync tool has odd safeties in it, like ‘don’t sync if more than 5% of users change’, so unless you’re dispatching notifications on failure, your sync could be silently failing. Could they pop up a notification in the admin control panel, or actually utilise their cloud infrastructure for this purpose? Apparently the answer to this is ‘no’.

GADS (now GCDS) actually outputs a large XML configuration file featuring your LDAP/AD sync preferences and any exclusions. Be prepared to write custom rules to exclude objects by attribute and similar. Store this file in version control.

Finally, you schedule the sync tool with the XML file as a parameter and, if you’re lucky, you have a working sync.

Data migration from personal accounts

You’d think Google would want to make it easy to migrate to G Suite but you’d be wrong. I found two optimal patterns for migration which are not written up anywhere.

You’ll want users to create individual team drives for migrating their files, which they share from their corporate account through to their personal account (assuming it contains corporate data you want to move out). This lets users drag their corporate files from their personal account into the team drive, then from their corporate account drag them into ‘My Drive’ or the appropriate corporate team drive.

I created an entire new-style Google Site with migration documents like this, with screenshots, FAQs and the like — and I had to, because as the administrator I can’t get at data in people’s personal Google Drives.

Any consultancy that says they can ‘do your G Suite migration for you’ is lying.

Data migration from corporate shares

I was fortunate that Google’s new corporate document access tool ‘Drive File Stream’ had just left beta as I was starting implementation. Drive File Stream is a lifesaver for:

Retaining access to legacy file formats like .XLSX

Retaining use of legacy tools like rich image editors

Avoiding having to intensively train all users on doing all their work through https://drive.google.com/

Most importantly, it only stores metadata, not actual corporate data, on the endpoint, allowing it to be mounted from most locations. You will need to get it installed under every damned user’s account, however: the tool can be pushed out via Group Policy, but not authorised that way. You’ll likely want to pick a drive letter (e.g. ‘S:’) and set it by pushing a registry value through a GPO, so that all users have the same drive letter. This entailed a lot of sitting down with users.

Not documented is that Drive File Stream is a great way to move on-premise file shares into Google.

Many syncs were performed via:

robocopy \\fileserver\fileshare "S:\Team Drives\fileshare" /e /mov /IT /r:0 /w:0

Be warned: if you allow the local File Stream cache to exceed ~5,000 items, it can flake out and stop syncing. If you’re being paranoid, you might want to run with /e the first time and /e /mov only when you’re happy the files are copied, so as not to nuke any data. So long as you avoid files being in two places and your users know when the files in question are moved, no data should get out of sync.
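The two-step approach just described, as an added example rather than anything from the original post or from Google: a PowerShell wrapper that copies with /e, refuses to go on until a hash comparison of both trees comes back clean, and only then runs /e /mov. The share and team drive paths are placeholders.

```powershell
# Added example (not from the post): copy, verify, then move a share into a team drive.
# Run with -Phase Copy, then -Phase Verify, then -Phase Move. Paths are placeholders.
param(
    [string]$Source = '\\fileserver\fileshare',
    [string]$Target = 'S:\Team Drives\fileshare',
    [ValidateSet('Copy', 'Verify', 'Move')][string]$Phase = 'Copy'
)

function Invoke-Robocopy([string]$From, [string]$To, [string[]]$Extra = @()) {
    # Same switches as the post; /np and /log add a per-run log without progress spam
    $log = Join-Path $env:TEMP ('migrate-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    & robocopy.exe $From $To /e /IT /r:0 /w:0 /np "/log:$log" @Extra
    # robocopy exit codes 0-7 are success variants; 8 and above mean something failed
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE, see $log" }
    return $log
}

function Get-TreeHashes([string]$Root) {
    # One record per file: path relative to the root plus its SHA-256 (ProviderPath avoids the UNC prefix quirk)
    $full = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $full -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Rel  = $_.FullName.Substring($full.Length).TrimStart('\')
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-Tree([string]$From, [string]$To) {
    $src = @(Get-TreeHashes $From)
    $dst = @(Get-TreeHashes $To)
    if ($src.Count -gt 5000) {
        Write-Warning "$($src.Count) files: the File Stream cache can flake out past ~5,000 items"
    }
    # Compare-Object rejects empty arrays; if either side is empty, everything on the other side differs
    if (-not $src.Count -or -not $dst.Count) { return @($src + $dst) }
    # Empty result means every file exists on both sides with an identical hash
    Compare-Object $src $dst -Property Rel, Hash
}

switch ($Phase) {
    'Copy'   { Invoke-Robocopy $Source $Target }
    'Verify' { $diff = @(Compare-Tree $Source $Target)
               if ($diff.Count) { $diff | Out-Host; throw 'Trees differ: do not run Move yet' }
               'Trees match' }
    'Move'   { if (@(Compare-Tree $Source $Target).Count) { throw 'Run Verify first' }
               Invoke-Robocopy $Source $Target -Extra @('/mov') }
}
```

The Verify phase hashes every file over the network, so expect it to take roughly as long as the copy itself.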

It amazes me there’s not a tool from Google to help with this process, maybe there’s something from a 3rd party.

Offline files — in extreme circumstances

You don’t want business files on endpoints: they’ll go out of sync, the devices will get lost and users will hiss at you if you try and take their devices away. Still, some execs have a genuine reason to do work offline on the train, so one must attempt the horrible hack to allow this.

The G Suite support staff were mostly knowledgeable about their product sets; one notable exception was when it came to configuring devices for offline use. ‘Registry keys? What are they?’ ‘Group policy? I’m afraid we don’t know about that.’

It turns out Google’s system for allowing offline documents is security-by-obscurity. On Windows, the end goal is to get a registry key pushed out:

[HKEY_CURRENT_USER\Software\Policies\Google\Chrome\3rdparty\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\policy\allowedDocsOfflineDomains]
"1"="yourgsuitedomain.com"

On Mac it’s something very similar with nodes and plists.

Once you push that out, the Google Docs Offline extension (id = ghbmnnjooekpmoecnnnilnnbdlolhkhi) knows the machine is authorised to sync documents offline through Chrome.

Of course, anyone can set this registry key; there’s no user or corporate token in there, for example. So don’t set this please. :(
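Because the key is just a local registry value, the useful defensive step is to audit where it exists. The following is an added example, not from the post or from Google: it checks both policy hives (Chrome reads Software\Policies under HKLM and HKCU), reports any domain outside your approved list, and can clear the key; the approved domain is a placeholder.

```powershell
# Added example (not from the post): audit and clear the Docs Offline policy key.
$ExtensionId  = 'ghbmnnjooekpmoecnnnilnnbdlolhkhi'   # Google Docs Offline extension, from the post
$PolicySubKey = "Software\Policies\Google\Chrome\3rdparty\Extensions\$ExtensionId\policy\allowedDocsOfflineDomains"

function Get-OfflineDocsPolicy {
    # One record per hive where the key exists, with the domains it lists
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$PolicySubKey"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Values are named "1", "2", ... as in the .reg snippet above
        $domains = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        [pscustomobject]@{ Hive = $hive; Key = $key; Domains = @($domains) }
    }
}

function Test-OfflineDocsPolicy([string[]]$ApprovedDomains) {
    # No output is the expected state on most endpoints; any finding on a machine that is
    # not on your exec allow-list, or any domain outside $ApprovedDomains, needs a look
    foreach ($f in @(Get-OfflineDocsPolicy)) {
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            User       = $env:USERNAME
            Hive       = $f.Hive
            Domains    = $f.Domains -join ','
            Unexpected = @($f.Domains | Where-Object { $_ -notin $ApprovedDomains }) -join ','
        }
    }
}

function Remove-OfflineDocsPolicy {
    # Clears the key wherever it was found; the HKLM copy needs an elevated session
    foreach ($f in @(Get-OfflineDocsPolicy)) {
        Remove-Item -LiteralPath $f.Key -Recurse -Force
    }
}

# Example run against a placeholder domain: collect this from each endpoint and compare
# the machines that report a key with the short list of execs who were meant to have it
Test-OfflineDocsPolicy -ApprovedDomains @('yourgsuitedomain.com') | Format-Table
```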

Conclusions

G Suite Drive has been a successful implementation at my company, with very low friction, and all on-premise file shares have been removed.

Like most large companies, whilst their support staff are mostly well informed and friendly, Google is not responsive in continuously improving their documentation, instead asking you to lobby for features on their administrator community forum. Since I’m not a Google reseller and all these problems were one-time issues, I’m disincentivised from trying to raise ‘feature ideas’ which are simply ‘the documentation is misleading’ and ‘you don’t provide relevant examples of how to do X’.

Still, this is what writing annoyed blog articles is about.

B- would Google again.

Don’t get me started on Gmail though…

/r/Sysadmin liked this post, where I added some small items of clarification and expansion.