By Kayla Coco-Stotts Posted November 4, 2019
What Does Active Directory’s Server Do?
Active Directory® (AD) is a directory service introduced by Microsoft® that runs on a Windows® server to manage user access to networked resources. The server role in Active Directory is run by Active Directory Domain Services (AD DS), and the server running AD DS is called a domain controller. The domain controller:
- Authenticates and authorizes all users and systems in a Windows-based network; and
- Assigns and enforces all security policies for Windows systems.
AD DS manages network elements, like systems and users, by organizing them into a structured hierarchy. The domain controller is then responsible for authorizing user authentication requests within the network. Domain controllers contain data that determine access to an established network, making it a primary target for cyberattackers looking to corrupt or steal confidential information.
Although the domain controller serves an important role, some IT admins question the sustainability of a Windows-centric identity authorization source in a growing mixed-platform IT landscape. Is an on-prem server — which doesn’t function for mixed-platform, cloud-based environments natively — still the right choice for modern organizations?
The modern workplace has shifted to the cloud, leaving legacy management solutions like the domain controller struggling to manage the disparate, non-Windows-based identities that have become commonplace in the average IT landscape.
For example, the widespread implementation of web applications like Salesforce® and Box™ means that end users can no longer leverage single sign-on (SSO) through AD for all resources. Twenty years ago, when the IT landscape consisted entirely of Windows applications and desktops, AD connected every user to just about every resource they required. Now, AD no longer grants that level of authorization, forcing admins to adopt additional tooling to manage authentication and authorization to a variety of IT resources.
Microsoft did introduce an Identity-as-a-Service (IDaaS) solution with Azure® Active Directory (AAD), but AAD made identity management complex, time consuming, and costly for IT admins by forcing them to keep on-prem AD and use AAD in conjunction. Additionally, if IT professionals wanted to leverage SSO for their users without AAD, they would have to add Active Directory Federation Services (AD FS) to their on-prem AD, which would need to be housed on-prem.
Additionally, the domain controller struggles with providing access to IT resources outside of the on-prem Windows networks, so AWS and GCP infrastructures can be difficult to integrate, as can G Suite. Again, there are third-party solutions to extend AD to these cloud resources, but they can be pricey and complex.
Currently, systems must be directly bound to the AD to deploy Group Policy Objects (GPOs) which are registry settings, configurations, or tasks that need to be executed. Mac® and Linux® systems’ commands and scripts (i.e. no GPOs) cannot be managed from the Windows domain controller, meaning that IT admins must manually configure each system if they choose not to implement add-ons.
Basically, the domain controller does not fully support wireless networks, though these networks have been increasing in popularity since the advent of the cloud. The domain controller used to be the go-to solution for managing access, but with workplace environments growing in complexity and being heterogeneous, IT admins are being forced to spend more time managing a number of add-ons or patches to make the domain controller work for them.
Can You Run Active Directory Without a Server?
The short answer is no, simply because Active Directory requires an on-prem server (i.e. software installed on a machine somewhere that an IT admin manages) to operate, even though this hardware isn’t being utilized in how it was in years prior.
Windows servers often played a number of roles in an organization including, for example, being file servers. But, now many organizations are utilizing cloud file servers like G Suite™, Box, and Dropbox™, and have no need for the traditional on-prem server, making the cost and upkeep of a domain controller seem aimless. On-prem infrastructure is not needed for a user’s daily workload, which exists primarily in the cloud through web applications like Office 365™ and Salesforce.
AD still requires legacy infrastructure to function, forcing IT admins to manage disparate identities both within the cloud and on-prem through the domain controller.
Utilizing a Cloud Domain Controller
To save the cost and time of maintaining an on-prem domain controller, organizations have been moving their operations to managed services in the cloud. This process frees up time and money for IT admins looking to manage a variety of systems and applications from one built-in service.
The managed domain controller is designed for cloud-forward IT organizations looking to leverage their directory services in a mixed-platform environment. This cloud-based directory service manages and authenticates users to virtually every system, network, or application in a secure way.
Click here to learn more about leveraging AD-like capabilities without a server through a cloud directory service.