Why I Ditched Domain Controllers

Written by David Worthington on January 14, 2022


Running a small to medium-sized enterprise (SME) with my brother taught me that every dollar counts toward the bottom line. That mindset carried forward when I began to do IT consulting work, because every dollar counts to a business owner. One engagement put that ethos to the test and changed how I think about managing IT. My experience shaped the recommendations I’d initially offered, which were appropriate for the client but anchored in a formulaic approach built on the perception that domain controllers are still “indispensable.” The status quo wasn’t in her best interests, and so my final guidance was:

Don’t buy a new server … you’ll save a lot of money, and you’ll get more out of JumpCloud.

Arriving at that decision was a teachable moment, but let’s backtrack to how I reached the conclusion to ditch the server, which may be a choice that you’re wrestling with.

When Something Breaks, Opportunities to Grow Arise

The job began with my client’s urgent need to replace an outdated domain controller that was running Windows Server 2008, along with a list of aspirations that would modernize IT at her family business, which we’d address afterward. That edition of Windows Server couldn’t even run Windows Update anymore, and it was an acute security threat. Her brother, who is not a security analyst, was so bothered by the sound of the running machine (alongside cobwebs beneath the stairs) that he switched it off every night. While that wasn’t a terrible idea, I treated the server as compromised from the outset. Therefore, the first priority was to replace and decommission the server as quickly as possible.

We initially spoke over the phone and developed a solid plan to address her needs, which also saved her family business thousands of dollars over a competitor’s quote by selecting refurbished hardware. Overall, the strategy would improve security, flexibility, and prioritization of future projects. We planned to use a better EDR; implement secure device configuration, SSO, MFA, and a RADIUS server to secure the company Wi-Fi; improve onboarding/offboarding; and conduct security awareness training. The next step was to visit the office to assess what was really going on in the spider preserve (server room).

A Do-Nothing Domain Controller

My assumption was that the domain controller was doing something, but it really wasn’t performing any kind of role that would justify spending anything on new hardware. Plus, obtaining buy-in for IT spending can be an uphill battle at a family-run SME: you’re working with senior family members who were raised to make do with what they already have, so not wasting money on unnecessary things matters.

Here’s the gist of what I learned while poking around on-site:

  • An ISP was managing DHCP from its network hardware
  • There were zero policies for secure device configurations
  • VLANs weren’t being utilized
  • Work was happening within Microsoft 365 and a cloud file sharing service; there wasn’t even a file server being run in-house anymore
  • The only thing the domain controller was doing was managing office printers

I could still justify the lesser expense of refurbished hardware, because there’s a case to be made that using ADFS for single sign-on (SSO), implementing policies in AD, and adding MFA (and some conditional access policies) to the mix would provide enough value to justify buying a server. Unfortunately, that path would involve numerous upcharges from Microsoft for add-ons and higher “tiers” of services. Plus, something bugged me (and it wasn’t the spiders): How would I feel if this were my money?

I began to consider how long it would take until the client’s business growth rendered the new server obsolete, and what it would cost to maintain it in the meantime. The scenario got even murkier when I considered that more hardware and pricey virtualization software are required to run other services through Windows, such as RADIUS, or even to configure basic high availability.

What needed to be done was clear, but it wasn’t necessary or prudent to pay the Microsoft IAM (Identity and Access Management) “tax” or blow my client’s budget on hardware. It just didn’t feel right to cost my client thousands of dollars, but I wasn’t familiar with any good alternatives. That changed after a friend suggested that I evaluate JumpCloud.

Why I Decided to Ditch Active Directory and Go With JumpCloud

Admittedly, I was skeptical at the outset. Active Directory is very powerful, and Microsoft’s cloud service integrates nicely with it. That’s what I knew, and it worked, but doing what you know without asking why is a disservice to oneself (and to your clients). A colleague who was a process management expert at my business dispelled the notion that length of tenure makes a great employee by asking, “How can you say someone has 20 years of experience if they stopped learning after five years?” It was only fair to hold myself just as accountable, so I signed up for a trial of JumpCloud.

That single call sealed the deal. I realized that it was possible to do what I sought to accomplish for my client for less, with greater efficiency and platform consolidation:

  • JumpCloud can manage printers or I could implement a cloud print server.
  • JumpCloud has pre-built policies, and it can also deploy a secure configuration using advanced registry settings (we’ll soon publish a new article that outlines how to do that).
  • RADIUS and MFA are built in, but there’s still the option to manage identity through Microsoft 365 and use its services.
  • SSO is possible and easy using a growing library of pre-built connectors through JumpCloud, without the paywall Microsoft throws up with Azure AD, which limits what you can do with it unless you pay more.
  • There are no services to manage or hardware to buy.
  • JumpCloud scales with you and has lower administrative overhead.
  • JumpCloud also manages non-Windows devices, including mobile, and provides compliance and governance advantages across operating systems (such as patch management) within a single pane of glass. Otherwise, that would have meant yet another vendor and/or server.

Would I be a good consultant if I still recommended a domain controller? The answer, to me, was simple. The client was paying me to make expert recommendations, and JumpCloud provided the greatest value and simplest path forward. My business sense also factored into that decision: I’ve signed the front of paychecks and understand what it means to be an SME and make payroll. It’s not my money; it’s the client’s. Many SMEs don’t need legacy hardware server configurations, and even those that have unique requirements can extend Active Directory with JumpCloud IAM.

Not only did I ditch the domain servers, I also resigned from my last job and joined JumpCloud after trying the product and gaining an appreciation of what’s possible within the domainless enterprise. My teachable moment unexpectedly became a new career path: all that was required was a willingness to change. I strongly encourage you to try JumpCloud if the scenario outlined above has a familiar ring. Change leads into the unfamiliar, but it’s worth it.

Try JumpCloud

The JumpCloud platform is free for 10 devices and 10 users with complimentary premium chat support, available 24×7/365 within the first 10 days of your account’s creation. You can even keep your Windows devices joined to your domain while you preview the platform’s capabilities. If you’re getting the itch to join me at a great organization in a new career path, changing how remote work happens, please feel free to reach out.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud certified, security analyst, a one-time tech journalist, and former IT director.
