If a Windows shop moves "everything" to the cloud, does it still need Active Directory?

Question

Taking a spin off of this question: Do I really need MS Active Directory? in a new direction for 2014.

Taking into account a basic Windows infrastructure:

• domain controllers
• Exchange 2007/2010/2013
• Sharepoint
• SQL
• File Servers / Print Servers
• AD Integrated DNS
• AD authenticated 3rd party devices (let's say 802.1X for networking and maybe some content-filtering, etc.)
• AD/LDAP authenticated "administrative" functions on IT apps/hardware/etc.
• perhaps some KMS stuff
• throw in a CA if you'd like
• home grown apps
• 3rd party in-house apps

Now, let's rip it all out and decide we are going to the cloud. We've contracted to move Exchange/Sharepoint/File Services to Office 365. SQL will now be hosted as well on something like Azure. We've gotten away from the need for AD-DNS and simply run everything via a simple Windows DNS server. We still need 802.1X and would like SSO if possible to our various cloud apps. Home grown and 3rd party in-house apps would likely stay, but have the ability to use internal user databases instead of AD authentication

The question is...do we really need Active Directory at all?

Or more to the point, AD on-premise or even hosted via Azure or similar (ADFS) or running ADDS on a hosted VM through Azure or similar. Could/Should we look to something else like a 3rd party SSO option such as http://www.onelogin.com/partners/app-partners/office-365/ or similar that can provide SSO functionality even if it is as simple as LastPass or similar for each user?

What kind of legitimate needs does AD fulfill if everything else in the cloud?

Could a MS-centric infrastructure get away with not having AD at all if they move everything that previously relied on AD to SaaS offerings that didn't rely on AD authentication?

Answer 1

I've managed large numbers of workstations without AD. I had power tools (Altiris Deployment Solution), but it still hurt in certain situations:

1. Security auditor comes in and says that our default workstation password policy isn't good enough. In order to change password complexity and expiration, etc., on 5,000 machines, we had to write a (nontrivial) script and schedule that to run on all machines. (Good luck catching the laptops, by the way!)
2. Mapping department printers. Sure, we could use the IP number. That means that if Department A and Department B get into a printer war, the remedy involves staking out the printer and then following the offender back to their workstation to remove the printer from their workstation. (I suppose you could buy print management software instead.) Also, how did that printer end up on their workstation in the first place if they're not supposed to use it, and how will you prevent it from ending up there again?
3. There are registry keys for WSUS, so you technically don't need AD for patch management. However, if you include those registry keys in the image, you need to make sure and delete a couple of keys (SusClientID and PingID) or else they will never get updates ever. Or, to be more specific and accurate, only one of them will get updates.
4. Software installs. You can do these with power tools (LANdesk, Altiris, etc.), but that's extra money.
5. "Poison" printer drivers. I've seen a couple of these. The best remedy was a print queue with an updated driver.
6. Windows 7 printing would have epic tantrums unless we set allowed forest/allowed hosts in point and print restrictions. Perhaps this wouldn't be a big deal if all printers were ip-only, as long as User1 never wants to use User2's local printer. Without AD, our techs had to either use gpedit on the workstation or on the master image.
7. You're assuming cloud Exchange, but I'm also going to add that email migrations and other large infrastructural changes without AD are painful on the client end. I scripted the "remove software from old failed migration/add workstation to AD/migrate user's profile from local to domain/demote user from admin to power user/make changes to firewall" jobs and ran them through Altiris. (The Microsoft consultants were suggesting we hire temps with thumb drives until I showed them my kung-fu.)

Also, there are software vendors who look at you like you have three heads when you tell them you have workgroups rather than domains. Altiris runs in workgroups, but your desktop techs are never allowed to change their passwords, for example. (Okay, okay. They can change their password. But they also have to swing by your cube and type their new password into the server, or tell you what their new password is.)

What I'm getting at is: You can manage lots of workstations without AD, but you may need to buy replacement software, and even with nice software you'll run into painful things.

Answer 2

AD and GPO will still handle management of workstations. Without it, you're paying for a 3rd party application or really really really trusting your users.

If you're doing something like strictly BYOD, or distributing only stateless VMs for working, then this doesn't apply as much.

Answer 3

The central point of this issue depends on what you see AD as doing for you. If it's only being used as the central store for SSO credentials that are only used to authenticate to cloud apps then of course it can be replaced with another central store.

But AD can do a lot more than that:

• Software deployment.

• OS Deployment.

• Printer Management.

• User profile management (e.g. using roaming profiles or UE-V to allow users to log in anywhere and keep their local data and customisations). I think this still matters even when all your services are in the cloud, because data can still be local and client machines still break down or get replaced.

• Scalability: I'd rather manage the provisioning and ongoing management of my thousands of user accounts via ADUC & 'local' powershell scripting, etc. than purely via Office 365.

• Integration with non-standard applications - e.g. we have a RFID-based ID card system that integrates with AD and I really wouldn't fancy trying to make it talk to Azure-based ADFS.

Of course, not all of these things will be relevant every time - the reverse of my comment about scalability is that a small business with only a few users could certainly just buy Office 365 or Google Apps, plus whatever laptop is on sale this week at the nearest supermarket, for each new hire if they decide this is less painful for them.

Answer 4

The Cloud is just another ISP

While exciting, any Cloud is just another outsourcing provider - a company trying to offer flexibility for your infrastructure and operations, often at lowered cost, and (hopefully) better reliability. Sure, the Cloud is targeted at simplifying common sought out service objectives like scalability, reliability and performance - but it's still just a hosting option

You require an Identity and Access Management platform, and Active Directory fits that need on-premise or at your hosting provider already you say?

Changing the physical location of your network services doesn't change your requirements.

Active Directory is highly extensible, even with a large number of systems not directly dependent on AD DS, you can still utilize it to manage "stand-alone" infrastructure components, hosted in the Cloud or anywhere else.

If you continue to utilize the Windows platform and Microsoft middleware, the sheer level of support for Active Directory authentication in the Cloud begs for Active Directory Domain Services, even more than on-premise.

Cloud all the way

Still really keen on moving everything to the Cloud? Do it! Virtualize your Domain Controllers, it's not a show stopper. It's just another outsourcing solution :-)

I think the real question is whether you can move your MS-centric "Windows shop" to the Cloud without AD DS

Answer 5

Could you? Yes. Would you want to? I don't think so. All of the hosted solutions you mentioned support AD Federation, and since you want SSO everywhere the only universal way of accomplishing that is going to be AD.

And products like LastPass are a password vault, not SSO.

Answer 6

Aside from some really good answers, I'd like to reverse the question: what's the point in not having Active Directory if you are running a Microsoft shop? You can get around to use and manage Microsoft products without AD, but they are just designed to work with it, and native AD integration will always be better than any workaround you can throw in.

Less complexity? Not having AD actually adds more complexity to your environment, because you have to find suitable alternatives for everything AD would have done out-of-the-box; having AD adds... what? A couple of domain controllers (which may very well be VMs, thus not even requiring additional hardware)? Any junior Windows admin can manage a small AD, and all senior ones can manage a large one. If you are proficient enough on Microsoft products to be able to find and implement workarounds for not having AD, you are definitely skilled enough to actually use it.

Costs? Which costs? You already said you are going full cloud, so a couple additional Azure VMs will not even be able to make a small dent in your budget; not even a couple Windows Server licenses for physical DCs would, given what you are already spending in online services (not to mention client Windows and Office licenses, which you still need for all your users).

TL;DR: all in all, I really don't see any point in not having AD, given how trivial is to implement it (even on a large scale) and how much you gain by having it.

Answer 7

You don't "need" AD, but it will make your life easier. Depending on your size make sure you have 2 Servers, 1 primary, 1 backup, otherwise if you lose your AD server (and only have 1) you'll need to rebuild a domain, unless your backups are SOLID.