Why AD May Not Work for Remote Environments

Written by Cassa Niedringhaus on April 21, 2020


As work shifts to remote environments, IT admins are grappling with how to use Active Directory® (AD) to support it. IT organizations are chartered with getting their users up and running quickly — but also securely and safely. The challenge is, of course, that not all tools and technologies that worked for an in-office environment work well for WFH.

These are some of the challenges that IT admins face when using AD for remote environments:

  • VPN: The domain environment requires a VPN for remote workers
  • macOS® & Linux® systems: Challenges with non-Windows® system management
  • Point solutions: Required add-ons to extend AD identities to web apps, IaaS, & more
  • Support: End users require increased support from IT to access domain-bound resources, change passwords, & more

Despite these challenges in running AD for remote environments, there are several solutions, which we’ll cover below.

Strategic Active Directory Extension

One path is to strategically extend AD with a comprehensive identity bridge. Emerging cloud directory services can replace various point solutions — such as targeted web application single sign-on (SSO) solutions — to serve as an identity bridge to virtually all resources outside the domain.

These solutions can federate AD identities to macOS and Linux systems, web and LDAP applications, and RADIUS networks. That way, users enter the same core credentials at login to their systems, SSO portals, and VPN connections. The right cloud directory service can also introduce cross-platform system management so admins can configure and lock down machines across their fleets.

This approach has several benefits, including that it lets admins leave AD in place during a time when they already have to deal with a number of transitions. By integrating a comprehensive cloud directory with AD, they can run a synced directory in the cloud and begin to manage AD from the cloud. The right solution will write changes made in the cloud back to AD, such as new users, new groups, and password changes.

Admins can also consolidate vendors, rather than relying on a web of targeted vendor solutions to keep their remote users productive and secure.

Domainless Enterprise Model

The other path is to move away from the concept of the Windows domain and to go “domainless.” In the domainless enterprise model, IT admins use new architecture to secure users and devices — no matter where they’re located — entirely from the cloud.

The domainless enterprise model revolves around a central cloud directory service and has two key components: identity instantiation and device security and trust. A user has one authoritative identity, which they use to access virtually all IT resources and which IT controls from the cloud directory. The user’s system serves as the conduit to their IT resources, and IT controls and monitors that system from the cloud directory as well.

Each user is untrusted by default, so they must assert their identity at each access point, which admins can further secure with multi-factor authentication (MFA) and SSH keys, where applicable. This can dramatically change the approach admins take to access control and system management, and it works as well off-premises as it does on.

Learn More

JumpCloud® has an Active Directory Integration feature, through which you can extend AD to virtually all IT resources via the cloud. Learn more about this complete identity and access management (IAM) approach.

If you’re interested in learning more about the concept of the domainless enterprise and how to implement the model in your own organization, we’ve compiled a resource with a step-by-step overview. Click here to read the Roadmap to the Domainless Enterprise.
