By Rajat Bhargava Posted July 10, 2017
We often talk with IT admins who are wondering if Microsoft Active Directory is still the right way to go. This is a great question and an important one for organizations to ponder. Identity and access management strategy is the core to an organization’s overall IT strategy. Controlling who has access to what assets is one of the fundamental tenets of IT. And in today’s environment, with security breaches happening regularly, this part of an IT organization’s role is mission critical.
The IT landscape is shifting and Microsoft is no longer the monopoly it once was. IT organizations are searching for the best solutions to meet the challenges of a changing environment. For the first time in the history of Active Directory, IT admins are widely asking whether it even makes sense to use the platform. To help answer this question, we have put together a series of questions and answers in order to help determine if Active Directory is right for your organization.
IT Admins Are Asking: Do I Really Need Active Directory?
1. What’s fundamentally changed to even think that Active Directory isn’t the right choice?
Everything. Think back to the year 2000 when AD was just being introduced. What did the world look like? On top of that, what environment did Microsoft design their directory services solution for? Well, Microsoft Windows was the dominant operating system platform, and applications were largely based on it as well. The IT environment was virtually all on-premises, and the concept of the cloud was just being introduced, however at the time it was only in its nascent form.
Active Directory was designed specifically for this environment. It was tightly integrated into Windows and made a number of assumptions about how IT environments would run. For example, they would be on-prem and security would be handled outside of Active Directory, that machines could be interchangeable where users could login to whatever machine they needed, and that a single Windows login could access a large number of Windows-based IT resources assuming they were all networked together. These assumptions made a great deal of sense at the time.
Fast-forward to modern times, and those assumptions seem a bit silly. In fact, the world is quite the opposite of what Microsoft thought: heterogeneous, cloud first, and global. WiFi equipment is the only on-prem IT resource in many organizations, and so much more of the environment is based on Macs and Linux with nary a Windows device in sight. So many of a user’s IT resources are located on the web. In essence, the concept of a domain is a just a vestige of the past.
With all of these fundamental changes – not to mention the move to mobile devices – Active Directory seems downright antiquated. Even its model of deploying a self-managed server in an on-prem data center goes against the model that IT organizations are leveraging. Installing hardware and software, and managing those fixed assets, is largely becoming a thing of the past.
With all of these changes, it’s really no wonder that IT admins are asking a question that’s never been asked before, “Do I really need Active Directory?”.
2. How does Active Directory handle cloud infrastructure such as AWS?
Cloud servers hosted at AWS, and similar IT resources, need to have a direct path to connect and authenticate to Active Directory. This requires that the AWS environment, for example, be connected via VPN or some direct connection into the on-prem Active Directory server. Unfortunately, this creates additional work for IT to manage these requirements.
An alternative is to place another Active Directory server with the hosted cloud infrastructure. Unfortunately, the need to manage, replicate, and sync the two (or more) AD servers creates drawbacks to this approach, as well.
In short, Active Directory was created long before the cloud was popular. As a result, it was not designed to be cloud friendly.
3. How does Active Directory handle macOS and Linux devices?
Microsoft Windows has historically been the most dominant platform. But the balance of power in the systems space has changed dramatically over the past decade. Today, only one in five devices is running Windows (Forbes). MacOS and Linux machines have made significant inroads even into large enterprises.
This mixed-platform environment places a great deal of pressure on Active Directory. AD was not made to easily handle non-Windows systems and applications. While it is possible to have primitive authentication services with macOS and Linux devices, all of the depth that AD provides for Windows is not entirely available for Mac and Linux.
As a result, IT admins are often forced to add more third-party solutions on top of Active Directory in order to handle alternate platforms.
4. How does Active Directory help support web application single sign-on?
Active Directory doesn’t specifically support web application single sign-on, but there are a number of add-on solutions that can help address the issue. Some of these solutions are internal Microsoft products. Active Directory Federation Services (AD FS) and Azure Active Directory are examples. Other options include purchased, third-party solutions that sit on top of Active Directory.
5. With the move to WiFi, does the domain controller still help me?
Most networks today are WiFi. Organizations are adopting WiFi at unprecedented rates because of the productivity enhancement, cost savings, and agility that it provides. But this leaves many wondering if the move to WiFi means that their domain controller won’t work in the same way.
The answer? Not necessarily. You can still use a domain controller and Active Directory with additional integration and potentially third party servers. But the question then becomes a bit broader. If you are getting away from your fixed, wired network, the next step is often to move to the cloud. Why have a significant network on-prem if you can avoid it? WiFi gives you the flexibility to move away from heavy network infrastructure. So what are the advantages of keeping a domain controller on-prem?
Furthermore, in a cloud-first world, the concept of the domain controller is obsolete. Users are logging into a wide variety of services that the domain controller doesn’t have access to. It doesn’t have the ability to control them, either. This makes the domain controller much less helpful.
6. I’m trying to move everything off-prem, can I run Active Directory from the cloud too?
There have been hosted Active Directory services or Active Directory from the cloud solutions, but unfortunately these have never taken off. The issue has largely been twofold. First of all, the model for AD is to have a direct connection to the IT resources that it authenticates. The second issue involves security.
Even when users were remote, IT admins needed to have them log into a VPN in order to be authenticated with Active Directory. The communication model for AD wouldn’t work over the Internet without a secure connection. As a result, moving Active Directory to the cloud now means that more users and IT resources will need to be networked so that they can reach the AD server.
On the security side, Active Directory wasn’t built during an era of the cloud. Its security model is one where it assumes there are security controls in place outside of it. As a result, placing an AD server on the public Internet is strongly discouraged.
Moving AD to the cloud is a possibility, as long as you can handle the additional security and networking issues.
7. I’m moving to either G Suite or Office 365, do I still need Active Directory?
G Suite and Office 365 have made a significant change in the way that organizations function. Google Apps (the previous name for G Suite) was introduced a number of years ago and gained a great deal of popularity because it eliminated the need for Microsoft Exchange, Windows Server, and even Office. Office 365 was Microsoft’s answer to Google and has become a very popular solution as well. O365 has also shifted some Microsoft components to the cloud.
With Exchange making the leap to the cloud, a common question is whether or not G Suite or O365 can also replace AD. As IT admins dig into this possibility, they quickly realize that isn’t possible. G Suite Directory and Azure Active Directory are simply user management platforms for their respective services. They aren’t a replacement for AD. In fact, both platforms have explicit strategies to integrate with the on-prem Active Directory instance. That clearly defeats some of the benefits of moving to the cloud with G Suite and O365.
8. Are there alternatives to Active Directory?
Yes! The most complete replacement to Active Directory is our own cloud-hosted directory solution called Directory-as-a-Service®. The goal of this virtual identity provider is to reimagine what AD could be for the cloud era. As a SaaS-based directory service, it is completely managed by JumpCloud so IT admins don’t need to procure hardware or software and manage the ongoing operations.
Beyond the benefits of SaaS, Directory-as-a-Service is aimed at being completely independent, avoiding the lock-in that was created by Microsoft with Active Directory. Directory-as-a-Service works with Windows, macOS, Linux, AWS, G Suite, O365, and more. It is provider, platform, protocol, and location independent. As a cloud-hosted directory, its goal is to enable IT admins to connect their user identities to virtually any IT resource that their users need.
Is AD Right for You?
Whether or not you decide to leverage Active Directory for your organization, or whether you are deciding if you need to keep AD, it’s an excellent topic to ponder. Many IT organizations have already shifted away from Active Directory with great success.
If you would like to learn more about how Directory-as-a-Service could be your Active Directory replacement, drop us a note. Or sign up for a free account and try it out for yourself. Your first 10 users are free forever.