Over the last fifteen years, Microsoft Active Directory® (AD) has become the leading directory services platform. With Microsoft’s backing and deep integration into the Microsoft Windows ecosystem, Active Directory has been the default choice for corporate directory services for many organizations.
How AD Worked
AD combined with a domain controller enabled IT admins to control who could join the network and what IT resources they could access. Network users benefited by having single sign-on access to on-premises Windows-based resources. Users simply logged into their Windows machine and were automatically granted the appropriate levels of access. IT admins centrally managed access across their Windows network through Active Directory.
This process worked well for a number of years. As long as the organization relied on Microsoft technology and leveraged the Windows platform, AD worked competently as a central control point within the network.
Device Innovation Disrupts the Directory
We all know that Microsoft’s dominance has been challenged over the last several years. Even Microsoft COO Kevin Turner admitted in July 2014, “The reality is the world’s shifted, the world’s evolved. We now measure ourself by total device space.”
Microsoft still has 90% of the PC market, but only 14% of the device market [2014, Geekwire].
With the introduction of cloud-based technologies, the resurgence of Apple, and the dominance of Google Apps, cracks in the Active Directory foundation have begun to show. IT admins now take pause when considering whether they should implement AD or go with a more versatile alternative.
Based on a number of conversations, JumpCloud has compiled a list of the top challenges that IT organizations face when running Microsoft Active Directory.
5 Challenges of Running Active Directory
(1) Management Overhead
Active Directory requires significant resources to manage and run. As organizations shift to the cloud, where ongoing maintenance and management is handled by the third-party provider, Active Directory forces IT organizations to spend time and resources keeping the hardware and software up-to-date and operational.
With no self-service capabilities, Active Directory forces IT admins to be hands on with each add, delete, and change — all of which increases their workload.
All of these ongoing challenges are in addition to the initial setup and configuration of Active Directory. Merely establishing AD is a hassle and a significant expense, even if it only has to occur one time.
(2) Cloud Servers
As the cloud becomes ever more ubiquitous, the challenges for IT admins running Active Directory just keep growing.
The introduction of Infrastructure-as-a-Service capabilities over the last handful of years has further weakened the capacity for Active Directory to exert control over the foundational server infrastructure within an organization.
IaaS servers are by definition hosted in the cloud. They are not on-premises, and as such Active Directory struggles to connect to those devices and manage them. Each cloud server must have a clear route back to the on-prem Active Directory instance, and that requires either making AD internet-visible or building VPNs. Both of those options are less than appealing to IT admins.
Cloud infrastructure in many instances is Linux-based, creating another challenge for AD. DevOps personnel have sensed the mismatch and have largely opted to manually manage user accounts or leverage configuration automation tools such as Chef and Puppet. Both of these approaches tend to be better than trying to create secure connections to Active Directory, but still leave a lot to be desired.
(3) Gmail / Web Services
Google Apps has shifted the way organizations operate.
Microsoft Exchange servers are being traded in for cloud-based corporate email from Google Apps. With Gmail, there is no email infrastructure for IT admins to manage. Email is now mission critical for just about all organizations and keeping everything running at all times is a challenge. That challenge is now Google’s and they are set up to succeed with keeping email virtually 100% available and high performance.
Beyond Google Apps, organizations are moving to Web-based applications for their core applications, including CRM, file management, accounting, and numerous other categories. Each of these Web-based applications creates yet another directory structure that must be maintained. Google Apps runs its own mini directory service, as does Salesforce. While it is possible to connect these applications to the on-premises Active Directory, many organizations opt to centralize their control over Web applications through a Single Sign-on (SSO) solution.
With Google Apps in the cloud and Active Directory on-premises, IT admins are in no man’s land. Google Apps in particular creates a significant dichotomy for IT admins who now are faced with the question: will their new solutions be focused on-premises or in the cloud?
(4) Mac / Linux Support
Active Directory is of course primarily focused on Windows devices. While AD has the ability to authenticate both Mac OS X and Linux devices, doing so introduces a number of challenges.
AD simply can’t manage those platforms in the same way it does Windows devices. On Windows, Group Policy Objects are powerful constructs that enable IT admins to execute tasks on Windows machines as well as set policies (many of these are security-focused policies). There is no similar capability to manage Mac or Linux devices.
So while admins can authenticate Linux and Mac users through Active Directory, the IT organization is left to find other tools or platforms to execute tasks on those non-Windows platforms.
(5) Security / Auditing
AD doesn’t inherently have any security built into it, other than protecting the passwords that are stored inside it. This is because it was created during a different era where security risks were far less serious than they are today.
Active Directory’s on-premises nature assumes that you’ll be protecting and securing it with other tools. Presumably, the AD server will live inside your network and behind the various network security measures that you have taken. The lack of intrinsic security is why most IT admins are uncomfortable with the thought of AD being exposed to the Internet.
In an era where compliance with a wide variety of regulations is a regular part of the IT organization’s mission, AD requires you to purchase additional tools to support these compliance requirements. Detailed auditing is not a core part of AD and so IT admins are forced to add another tool into the mix.
Running Active Directory is No Longer Worth the Challenges
Active Directory was the tool of choice for a long time and has been the market share leader. As IT enters a new phase, Active Directory is struggling to keep pace with the fundamental changes of the cloud, Web applications, and mixed operating system environments.
For an IT admin, force-fitting Active Directory has significant costs. Not only is it more expensive to leverage Active Directory, it is more time consuming, and you are more vulnerable.
Consider a Directory-as-a-Service®
There is a better way than struggling with Active Directory. Directory-as-a-Service solutions are addressing the concept of creating a core, cloud-based user directory. The goal of DaaS is to connect users with the IT resources they need regardless of location and platform.
DaaS solutions are focused on integrating with cloud infrastructure, Web services, and mixed operating system environments. They’ve been built from the ground up with an understanding of cloud security and compliance.
If you would like to learn more about how Directory-as-a-Service can help solve the significant issues you face with Active Directory, drop us a note and we’d be happy to chat with you.