How Remote Systems Communicate with Active Directory

Written by Zach DeMeyer on October 3, 2020


Throughout 2020, many of us have faced new challenges managing an organization and the resources needed to Make Work Happen®. Organizations using Microsoft Active Directory (AD or MAD) to manage their identities, systems, and access may run into friction that hurts manageability. In this article, we’ll look at the ways some fundamental characteristics of AD have led many organizations to look for a more cloud-forward approach to management.

Constant Communication

Active Directory was designed primarily as an on-premises solution, creating a security perimeter around the resources, identities, and devices it manages. This perimeter is called the domain. AD’s primary service, Active Directory Domain Services (AD DS), manages and controls the users, policies, access, permissions, roles, and auxiliary integrated services within the domain. For well over two decades, Active Directory has been the backbone of many organizations across the globe. With the introduction of state and local work-from-home mandates due to the COVID-19 pandemic, Active Directory introduced friction for organizations moving to this style of environment.

Primarily, it comes down to communication. Active Directory was built on the assumption that all devices and users operate on the same on-prem network, whether LAN or WiFi. Devices and users are domain-bound, meaning that for them to be verified and working, there needs to be a continual connection between them and the local Domain Controller (DC). A Domain Controller is akin to an operations manager: it continually ensures that the environment stays up and running and that workflow is uninterrupted.

AD natively and primarily supports Windows devices. These devices connect to the Domain Controller through a domain join, over which the DC running AD DS pushes down policies, identities, credential changes, and more. Paired with Microsoft’s implementation of the Kerberos authentication protocol, legacy Active Directory architecture is built around the idea that a constant connection is the norm, not the exception.

To ensure that remote domain-joined devices keep a continual connection to the DC, organizations need a dedicated VPN connection between employee devices and the office network so that the secure channel, Kerberos sessions, and updates continue to work uninterrupted. Herein lies one of the primary issues with running AD for work-from-home employees.

A real-world example of this issue arises when revoking employee access. Suppose the organization lacks the network infrastructure for a distributed workforce. Windows devices bound to a DC require a constant connection, so changes made to the employee’s user account, device, group policy objects, or attributes in the domain are not reflected on the employee’s device until a connection is established.

Now an admin needs to revoke access for an employee who is leaving the company, but the DC cannot contact the device to apply the disablement. The former employee can still sign in to the system using the cached credentials of the current user account. This creates a major security risk during an employee’s offboarding.
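The offboarding gap above comes down to two device-side facts: whether the device can currently reach a DC, and how many domain logons Windows caches for offline sign-in. The following PowerShell is an added example, not part of the original article; run locally in an elevated session on a domain-joined Windows device, it reads both facts using the built-in Test-ComputerSecureChannel cmdlet, nltest.exe, and the CachedLogonsCount value under the Winlogon registry key.

```powershell
# Added example (not from the original article): read-only check of a domain-joined
# Windows device's DC reachability and its cached-logon setting.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Is the secure channel to a DC usable right now? The cmdlet returns $true when the
#    machine account trust with the domain is healthy and a DC can be reached.
$secureChannel = $false
try {
    $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $secureChannel = $false   # no DC reachable, or the machine trust is broken
}

# 2. Which DC (if any) is the device currently talking to? nltest prints the
#    secure-channel target or an error; captured here for the report.
$dcStatus = (& nltest.exe /sc_query:$env:USERDOMAIN 2>&1) -join ' '

# 3. How many previous domain logons are cached for offline use? This is the GPO
#    "Interactive logon: Number of previous logons to cache". 0 means no offline
#    sign-in is possible; an absent value means the Windows default applies.
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cached = if ($null -eq $raw) { 'not set (Windows default)' } else { [int]$raw }

# Summarise the offboarding exposure from the two facts above.
$risk = if (-not $secureChannel -and $cached -ne 0) {
    'Offline from DC: a disabled account with a cached logon can still sign in here'
} elseif ($cached -ne 0) {
    'Online now; cached logons still allow sign-in if the VPN drops'
} else {
    'No cached logons; sign-in requires DC reachability'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Domain            = $env:USERDOMAIN
    SecureChannelOK   = $secureChannel
    DcQuery           = $dcStatus
    CachedLogonsCount = $cached
    Risk              = $risk
}
```

Lowering the cached-logon count through Group Policy shrinks the window in which a disabled account remains usable offline, at the cost of blocking sign-in entirely when the VPN is down.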

Imagine There’s No Server

Reflecting on these requirements, maintaining Active Directory in a distributed environment takes some extra consideration. Constant communication between employee devices and the domain is critical to keep workflow uninterrupted. Organizations currently struggling to maintain a domain in this landscape may want to consider alternatives to their current architecture. As more organizations migrate to become fully cloud-based, there needs to be a platform that covers many of the fundamental tools Active Directory brings without its major drawbacks; the answer may be JumpCloud.

JumpCloud is a directory platform born in the cloud: no hardware, no VPN, no Domain Controllers. Imagine your organization running distributed across the globe, from offices or from home. Now imagine a platform where IT admins can authenticate to a single console and manage the organization’s user identities, devices, cloud services, SSO applications, RADIUS networks, LDAP, and more. Now imagine that you could migrate seamlessly from your current Active Directory domain to the JumpCloud directory platform.

2020 has shown all of us in technology the upsides and downsides of managing organizations of any size. Manageability, unification, and security are baked into the JumpCloud directory platform, making it easier for admins and their employees to continue to work wherever they are.

Many of us here at JumpCloud come from IT roles and backgrounds and understand the friction of performing duties within legacy infrastructure. At the intersection of device, identity, and access, JumpCloud blurs the lines between MDM, EMM, UEM, SSO, and directory, allowing users to authenticate to any resource anywhere while admins have a central portal to manage and monitor everything.

Try JumpCloud Free

Evaluate JumpCloud Free today to see why 100,000+ organizations trust JumpCloud to help secure and easily manage their resources. With JumpCloud Free, you receive up to 10 users and 10 systems, as well as 10 days free of premium in-app chat support to help you explore the entirety of the platform.
