Planning a Google Workspace Deployment
Andrew Despres
Posted on November 23, 2024
Preamble:
This space will be utilized to synthesize my notes and help improve my learning process while I study for the Google Workspace Professional Administrator certification. I will be doing a similar process for other certifications I work on in the future. Please follow along for Google Workspace notes and feel free to ask any questions or, if I get something wrong, offer suggestions to correct any mistakes.
Google’s 3-phase deployment methodology
Core IT:
Month 1 of a 3 month deployment. Usually a small group of IT professionals within your organization to pilot the deployment. This is where you create the technical design, confirm and test setup options and become familiar with Google Workspace tools and technologies. This phase will not disrupt the existing IT operations.
Best practice for this phase is to manually add users to Google Workspace either individually or in bulk via CSV. It is not recommended to provision Shared Contacts, Groups and Calendars.
Early Adopters:
Month 2 of a 3 month deployment. This is a full deployment that is rolled out to between 5-10% of your total workforce. You will validate your migration approach, gather training and communication feedback and test your change management plan. Something to help your users with migrating is to have some employees act as “Google Guides”.
During this phase all remaining users should be provisioned into your GWS Tenant because this is when you can start to provision directories from AD. Business information should also be added to each user profile and each user should be placed into their appropriate OU.
All external contacts and groups will be synced from your legacy directory.
Global Go-Live:
Final stage of a 3 month deployment. Proactive communication and easy access to training materials is essential to help achieve global user acceptance. Not properly supporting users is the main reason why deployments fail.
All users should be provisioned into GWS with all required services enabled. Mail delivery is now being completed by Google Workspace and not your legacy mail provider. All calendar resources need to be migrated from your legacy system.
Migrations should run between 90-120 days
Users and other Company Resources
When planning for your Google Workspace deployment you must consider what company resources will need to be migrated and synced, such as groups and calendars. If your company is using a directory service that supports LDAP (such as Active Directory), you can sync users, groups and shared contacts using the Google Cloud Directory Sync (GCDS) tool.
There are several ways that you can provision users to Google Workspace.
- Individually
- Bulk via a CSV file
- GCDS
Please note that using GCDS to sync your Directory service is a one-way process. This means that data in Active Directory is never modified, and any changes made in Active Directory will sync across to Google Workspace. If you make changes to users/groups in Google Workspace manually, these changes may be reversed or you can end up receiving sync errors from the GCDS tool.
GCDS must be installed on a local server, configured to connect to a local directory and authorized to connect to your Google Workspace account. You will then create rules for what specifically will be synced. Please note that passwords cannot be synced via GCDS and Active Directory because passwords are stored in write-only mode. Google has a tool specifically for passwords called Password Sync.
Password Sync must be installed on each Domain Controller so whenever a user password is changed Password Sync will immediately push the new password to their managed Google Account.
Google Workspace has 3 different types of groups:
- Admin-managed groups: Can only be created and managed by Google Workspace administrators in the Admin Console. These are also called Distribution Lists and can be synced from AD to Google via GCDS.
- Google Groups for Business: Known as user-managed groups, these can be created and managed by both Google Workspace admins and users. These groups are NOT synced using GCDS.
- Personal Groups: Also known as Labels. These groups are created and managed by individual users. They are like a personal email contact group. Also not synced via GCDS.
NOTE: It is considered best practice to audit your AD instance and make necessary changes before beginning your first sync with GCDS. A clean source directory will help reduce problems after GCDS has been deployed.
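One way to run the pre-sync audit described in the note above, as an added example that is not part of the original notes or any Google tool. It assumes you have exported users to CSV with the columns shown; the export, the accounts and the set of checks are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not real data): one row per AD user, pulled
# from the directory before the first GCDS sync.
SAMPLE_EXPORT = """sAMAccountName,mail,userAccountControl,department
asmith,asmith@example.com,512,Finance
bjones,,512,Sales
cdoe,ASmith@example.com,512,Finance
dlee,dlee@old-example.net,512,IT
evance,evance@example.com,514,IT
fkim,f kim@example.com,512,Sales
"""

ACCOUNT_DISABLED = 0x2  # ADS_UF_ACCOUNTDISABLE bit in userAccountControl
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def audit_directory(export_text, workspace_domains):
    """Return {issue: [sAMAccountName, ...]} for rows worth fixing before a sync."""
    findings = defaultdict(list)
    seen = set()  # lower-cased addresses already claimed by an earlier row
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        mail = row["mail"].strip()
        if int(row["userAccountControl"]) & ACCOUNT_DISABLED:
            findings["disabled_account"].append(name)
        if not mail:
            findings["missing_mail"].append(name)
            continue
        if not ADDRESS_RE.match(mail):
            findings["malformed_mail"].append(name)
            continue
        key = mail.lower()  # compare case-insensitively to catch near-duplicates
        if key in seen:
            findings["duplicate_mail"].append(name)
        seen.add(key)
        if key.rsplit("@", 1)[1] not in workspace_domains:
            findings["unverified_domain"].append(name)
    return dict(findings)


if __name__ == "__main__":
    for issue, accounts in audit_directory(SAMPLE_EXPORT, {"example.com"}).items():
        print(f"{issue}: {', '.join(accounts)}")
```

Pass the domains you have added to Google Workspace as the second argument; anything reported is a row to fix in AD or exclude with a GCDS rule before the first sync.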
Mail Delivery during a Google Workspace Deployment
During a GWS deployment an organization will typically encounter one of the following scenarios:
Legacy mail server will forward messages to Google for users who have moved to GWS. Later, all mail is delivered to Gmail.
Google’s mail servers can reroute messages to legacy systems for any user who has not yet moved to Gmail. After deployment all users exclusively use Gmail but messages from unknown users are routed to a special mailbox or external server.
Delivery types:
- Direct Delivery: Mail is delivered directly to the user’s mail platform. This can be a legacy mail platform or Google Workspace.
- Dual Delivery: Incoming messages are first delivered to the legacy platform and then copies of the messages are forwarded to the user's Gmail inbox. NOTE: This can also be configured so mail is delivered to Gmail first before being forwarded.
- Split Delivery: Incoming messages are delivered to Google Workspace and then routed to either a Gmail inbox or a legacy platform depending on which user the mail is addressed to. NOTE: This is usually configured during the early adopters stage. This is when the MX records have been changed to point to Google Workspace instead of the legacy mail server so all mail will be routed through GWS. Users who have migrated over to GWS will receive mail directly into their Gmail inbox, and mail for legacy users will be routed to the legacy mail server.
Steps to set up Dual Delivery:
- Set up a Domain alias. This is so the legacy mail server can forward messages to GWS users. This will be required during the Core IT and Early Adopters phase.
- Configure an Inbound Gateway: As more users are deployed you will want to make sure messages are successfully forwarded from the legacy mail server and aren’t classified by Google as spam. Configure the inbound gateway setting in Google Workspace with the IP address of the existing mail server.
- Create Forwarding Rules: For each user that is switching to Google Workspace during the Core IT and early adopters phase you’ll need to add a forwarding rule that sends any messages received in their legacy inbox to their Gmail inbox. You will switch your MX record in the early adopters phase but the forwarding rule must be set up so your GWS users will continue to receive intradomain mail.
Steps to set up Split Delivery:
- Create an OU for all legacy users. It is important to have all legacy users in this OU so we can route mail to the legacy mail server. This can be done via GCDS by mapping a custom AD attribute to the OU in Google Workspace.
- Create an OU Routing policy for legacy users. This route will contain the IP address of the legacy mail server so mail can be sent to it via Google Workspace.
- Configure a default routing policy to the legacy platform. Doing this will reroute messages back to the legacy mail platform for any users, groups or aliases that have not moved over to Google Workspace.
How Mail will flow during a deployment
Core IT Phase:
Direct delivery will remain the same having the MX record pointed to the legacy mail system. Dual delivery will be used to send mail to your Core IT users with the use of an alias domain. The Google Workspace MX record will be pointed to this alias domain. An inbound gateway will also need to be configured with the legacy mail server IP to prevent mail being marked as spam in Gmail.
Early Adopters phase:
MX record for the primary domain will be changed to point to GWS. This is where split delivery will be implemented so that mail received by Google that is destined for legacy users will be routed to the legacy mail server. Dual delivery will remain in place for users who have moved to GWS to ensure intradomain mail is received.
Global Go-Live:
MX record will be pointed to Google Workspace and direct delivery established.
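The Early Adopters mail flow described above, modelled as a check that catches users whose mail would land in the wrong mailbox. This is an added example, not part of the original notes and not how Google evaluates routing internally: it is a simplified model, and the users and configuration keys are constructed for illustration.

```python
# Simplified model of the dual + split delivery rules; all names are constructed.
def final_mailbox(user, origin, cfg):
    """Follow one message addressed to `user` and return where it comes to rest.

    origin: "external" (delivered to whatever the MX record points at), "legacy"
    (sent by a legacy user, so the legacy server handles it first) or "google"
    (sent by a user already on Gmail).
    """
    at = cfg["mx"] if origin == "external" else origin
    for _ in range(4):  # still moving after 4 hops means a routing loop
        if at == "legacy":
            if user not in cfg["forwarding_rules"]:
                return "legacy"
            at = "google"  # forwarding rule hands the message to Google
        elif user in cfg["legacy_ou"]:
            at = "legacy"  # OU routing policy for legacy users
        elif user in cfg["provisioned"]:
            return "gmail"
        elif cfg["default_route_to_legacy"]:
            at = "legacy"  # default route for recipients Google does not know
        else:
            return "bounced"
    return "loop"

def audit_mail_flow(cfg):
    """Return (user, origin, outcome) for every message that ends up misplaced."""
    problems = []
    for user, migrated in sorted(cfg["users"].items()):
        expected = "gmail" if migrated else "legacy"
        for origin in ("external", "legacy", "google"):
            outcome = final_mailbox(user, origin, cfg)
            if outcome != expected:
                problems.append((user, origin, outcome))
    return problems

# Constructed Early Adopters configuration with two deliberate mistakes.
EARLY_ADOPTERS = {
    "mx": "google",
    "users": {"ana": True, "bo": True, "cy": False, "di": False},  # True = on Gmail
    "provisioned": {"ana", "bo", "cy", "di"},
    "forwarding_rules": {"ana"},  # bo switched to Gmail but has no rule
    "legacy_ou": {"di"},          # cy still uses legacy but is not in the OU
    "default_route_to_legacy": True,
}

if __name__ == "__main__":
    for user, origin, outcome in audit_mail_flow(EARLY_ADOPTERS):
        print(f"{user}: mail from a {origin} sender ends up in {outcome}")
```

The output shows why the forwarding rule has to stay in place after the MX switch (bo misses intradomain mail from legacy senders) and why every legacy user must be in the legacy OU (cy's mail stops in an unused Gmail inbox).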
Data Migration During a Google Workspace Deployment
Which users' data will be migrated?
What kind of data will be migrated?
How will the data be migrated?
When will the data be migrated?
2 main approaches to data migration
- Server-side migration: Preferred when the data being migrated is server-based or if the migration needs to be centrally controlled. These are usually managed by IT Administrators.
  - This approach typically requires the deployment of additional servers to host and run the migration software.
- Client-side migration: Users install software that is locally run to begin migrating data. This approach can be useful if the data is stored locally like a PST file. If this approach is selected staggering the migration may be required so networks are protected from potential performance issues. Training for staff will be required for users to use the local software to begin the migration of their data.
  - This approach is generally considered to be more difficult to manage.
Options to consider during the first 2 phases of user migration: Core IT and Early Adopters
- Option 1: Migrate nothing
  - Users will only receive new mail messages after they switch to Google Workspace. If they want to access any previous messages they will need to go to a read-only version of their legacy platform.
  - In many ways this is considered to be the best option because time is not spent setting up data migration tools and instead focus can be put on other deployment efforts.
- Option 2: Minimal Migration
  - This means migrating certain amounts of data for different sets of users. You may migrate all calendar events and contacts data with 90 days of historical emails for most users, except for executives, for whom you can implement a full mail, calendar and contact migration.
  - The benefit of this approach is that it can save time by only migrating what users need for go-live. If older mail is required, it can be migrated fully later.
- Option 3: Complete Migration
  - All user data will be migrated. If there is a lot of user data this will extend the amount of time for a total deployment to be completed.
Migration Tools
Google Workspace Migration for Microsoft Exchange (GWMME)
- Server side tool that migrates mail, calendar and contacts from Exchange. If you have a lot of data to migrate this software can be installed on multiple systems simultaneously.
- If required, GWMME can also be used to migrate PST files from Outlook. This might be useful to migrate PST archives after Go-Live.
How does it work?
- Create a CSV file that contains the email addresses of the users that need to be migrated.
- GWMME connects to the Exchange server (or other data source) to retrieve data associated with those email addresses.
- Data is then sent to GWMME for processing.
- GWMME then converts the data to a format specified by Google APIs.
- Data is then securely migrated over to the user's Google Workspace account.
Best Practices
- It is best to co-locate migration servers with Mail Servers. This will give you the best performance.
- Avoid migrating data via a proxy server or firewall. These will impact performance and may cause migration failures.
- To estimate how long a migration may take run a set of migration tests. If the migration takes too long you can then scale up the number of migration servers to meet your migration time estimates.
- Actively monitor for any migration failures so they can be dealt with early.
- Migrate archives after the Go-Live date and not as part of the deployment project.
- Migrate Calendar and contact data just before users switch to Google Workspace.
- Try to place your migration server as close to your internet connection as possible.
Data Migration Strategy
What should be migrated during each phase of deployment?
- Before deployment starts, decide what will be migrated.
  - For example you may choose to migrate all calendar and contacts as well as 90 days of email for most users but then full mail, calendar and contacts migration for smaller groups of users.
- During the Early Adopters phase, perform a partial mail data migration for new users that were added during this phase but a full calendar and contacts migration. During this phase more extensive test migrations will happen to prepare for the go-live phase.
- During Go-live, perform either a partial or full mail migration for the rest of your users depending on what is needed. A full migration of calendars and contacts will also need to be performed.
- After the global go-live, migration of historical mail will continue.
Coexistence
Coexistence refers to when an organization has both Google Workspace and a legacy platform running at the same time.
Different Types of Coexistence
- Short Term: Usually around 90 days
- Long Term: Can take months to complete. Google provides some tools to deal with Long Term Coexistence, such as sharing free/busy information across multiple platforms.
  - It is not recommended to use these tools as they can extend migration timelines. These tools are highly complex and time consuming to configure.
  - Long Term coexistence does not offer a good overall user experience.
And with that this concludes these study notes for Planning a Google Workspace Deployment. This is also the last set of notes for the Google Workspace Professional Administrator certification exam. If you are interested in taking this exam make sure to go through the exam objectives, be familiar with where settings are located in the Admin Panel, read any Google Help Articles for settings/technologies you don't understand and take some practice exams to make sure you're ready to pass. Personally I find the most practice exams on Udemy. Below is a link to one such set of practice exams:
Udemy Practice Exams
If you are planning on taking the Workspace exam I wish you the best of luck and hope these notes were helpful with your preparation! Please make sure to follow for my notes as I go through my future learning adventure. Some exams that I plan to study for include:
CompTIA Network+ 009
Professional ChromeOS Administrator
CompTIA Security+ 701
Happy Holidays and see you soon with more study notes!