49

Taking a spin off of this question: Do I really need MS Active Directory? in a new direction for 2014.

Taking into account a basic Windows infrastructure:

  • domain controllers
  • Exchange 2007/2010/2013
  • SharePoint
  • SQL
  • File Servers / Print Servers
  • AD Integrated DNS
  • AD authenticated 3rd party devices (let's say 802.1X for networking and maybe some content-filtering, etc.)
  • AD/LDAP authenticated "administrative" functions on IT apps/hardware/etc.
  • perhaps some KMS stuff
  • throw in a CA if you'd like
  • home grown apps
  • 3rd party in-house apps

Now, let's rip it all out and decide we are going to the cloud. We've contracted to move Exchange/SharePoint/File Services to Office 365. SQL will now be hosted as well on something like Azure. We've gotten away from the need for AD-DNS and simply run everything via a simple Windows DNS server. We still need 802.1X and would like SSO if possible to our various cloud apps. Home grown and 3rd party in-house apps would likely stay, but have the ability to use internal user databases instead of AD authentication.

The question is...do we really need Active Directory at all?

Or more to the point, AD on-premise or even hosted via Azure or similar (ADFS) or running ADDS on a hosted VM through Azure or similar. Could/Should we look to something else like a 3rd party SSO option such as http://www.onelogin.com/partners/app-partners/office-365/ or similar that can provide SSO functionality even if it is as simple as LastPass or similar for each user?

What kind of legitimate needs does AD fulfill if everything else is in the cloud?

Could a MS-centric infrastructure get away with not having AD at all if they move everything that previously relied on AD to SaaS offerings that didn't rely on AD authentication?

TheCleaner
  • 7
    Your users' workstations aren't going to "the cloud" ... and if they are, I would very much like to know how you do it! – Michael Hampton Jan 25 '14 at 15:59
  • Doesn't Amazon have a hosted VDI product? (Sounds like lunacy to me, but then I'll just get into a CAPEX versus OPEX battle w/ a bean counter...) – Evan Anderson Jan 25 '14 at 16:22
  • 1
    Amazon has a hosted VDI in beta. There are other companies that do it, but a lot of them don't allow you to install software. If you google "run Windows on ipad" you'll probably find them all, as that seems to be the usual use case. (Typical example: http://www.nytimes.com/2012/02/23/technology/personaltech/onlive-desktop-plus-puts-windows-7-on-the-ipad-in-blazing-speed-state-of-the-art.html?pagewanted=all) – Katherine Villyard Jan 25 '14 at 16:32

7 Answers

87

I've managed large numbers of workstations without AD. I had power tools (Altiris Deployment Solution), but it still hurt in certain situations:

  1. Security auditor comes in and says that our default workstation password policy isn't good enough. In order to change password complexity and expiration, etc., on 5,000 machines, we had to write a (nontrivial) script and schedule that to run on all machines. (Good luck catching the laptops, by the way!)
  2. Mapping department printers. Sure, we could use the IP number. That means that if Department A and Department B get into a printer war, the remedy involves staking out the printer and then following the offender back to their workstation to remove the printer from their workstation. (I suppose you could buy print management software instead.) Also, how did that printer end up on their workstation in the first place if they're not supposed to use it, and how will you prevent it from ending up there again?
  3. There are registry keys for WSUS, so you technically don't need AD for patch management. However, if you include those registry keys in the image, you need to make sure and delete a couple of keys (SusClientID and PingID) or else they will never get updates ever. Or, to be more specific and accurate, only one of them will get updates.
  4. Software installs. You can do these with power tools (LANdesk, Altiris, etc.), but that's extra money.
  5. "Poison" printer drivers. I've seen a couple of these. The best remedy was a print queue with an updated driver.
  6. Windows 7 printing would have epic tantrums unless we set allowed forest/allowed hosts in point and print restrictions. Perhaps this wouldn't be a big deal if all printers were ip-only, as long as User1 never wants to use User2's local printer. Without AD, our techs had to either use gpedit on the workstation or on the master image.
  7. You're assuming cloud Exchange, but I'm also going to add that email migrations and other large infrastructural changes without AD are painful on the client end. I scripted the "remove software from old failed migration/add workstation to AD/migrate user's profile from local to domain/demote user from admin to power user/make changes to firewall" jobs and ran them through Altiris. (The Microsoft consultants were suggesting we hire temps with thumb drives until I showed them my kung-fu.)

Also, there are software vendors who look at you like you have three heads when you tell them you have workgroups rather than domains. Altiris runs in workgroups, but your desktop techs are never allowed to change their passwords, for example. (Okay, okay. They can change their password. But they also have to swing by your cube and type their new password into the server, or tell you what their new password is.)

What I'm getting at is: You can manage lots of workstations without AD, but you may need to buy replacement software, and even with nice software you'll run into painful things.

Katherine Villyard
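
For item 3 of the answer above, one way to clear the cloned WSUS client identity on a master image or on an already-deployed clone. This is an added example, not code from the answer: the function name, the `-Reregister` switch and the registry path are assumptions, and only the value names `SusClientID` and `PingID` come from the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answer): clear the cloned WSUS client identity.
# Assumption: the values sit under the standard Windows Update client key.
function Reset-WsusClientIdentity {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate',
        # The two values the answer names; registry value names are case-insensitive.
        [string[]]$ValueNames = @('SusClientID', 'PingID'),
        # Use on an already-deployed clone. Leave off when sealing a master image,
        # so each machine generates its own identity on first contact with WSUS.
        [switch]$Reregister
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Verbose "$KeyPath not found; nothing to reset."
        return
    }

    # Only touch values that actually exist, so the result is an accurate report.
    $present  = (Get-Item -LiteralPath $KeyPath).GetValueNames()
    $toRemove = @($ValueNames | Where-Object { $present -contains $_ })
    if ($toRemove.Count -eq 0) {
        Write-Verbose 'No cloned identity values present.'
        return
    }

    if (-not $PSCmdlet.ShouldProcess($KeyPath, "Remove $($toRemove -join ', ')")) { return }

    # Stop the Windows Update service so it cannot rewrite the values mid-change.
    Stop-Service -Name wuauserv -Force
    foreach ($name in $toRemove) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction Stop
    }

    if ($Reregister) {
        # Deployed clone: restart the service and ask the legacy client to
        # obtain a fresh identity and check in with the WSUS server.
        Start-Service -Name wuauserv
        & wuauclt.exe /resetauthorization /detectnow
    }
    # Without -Reregister the service stays stopped: capture the image now.

    return $toRemove
}
```

Run `Reset-WsusClientIdentity -WhatIf -Verbose` first to see which values would be removed without changing anything.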
  • 16
    I wish I could upvote this answer twice. It's rewarding to read an experienced description of this particular and rare trench. – ErikE Jan 24 '14 at 23:35
  • 3
    Out of curiosity, what were the business reasons behind an environment of that size without AD? –  Jan 25 '14 at 00:38
  • 2
    My predecessor and I both asked for AD repeatedly. We were usually told that we were so large that it would be too hard to do this year and maybe we can do it next year, and besides, you have Altiris. One year, our ancient, dying mail server trumped us (the failed migration). The next year, a VP decided we needed Exchange, and we had to have AD to do Exchange. Numfar, do the dance of joy! – Katherine Villyard Jan 25 '14 at 02:23
  • What's a "poison" printer driver? One that deliberately deletes everyone else's documents from the queue on print, or crashes the printer, or something like that? – Rup Jan 25 '14 at 11:50
  • I don't know that it was intentional, but there were a couple of drivers that did things like crash Word. Generally they would work when installed, and then a Microsoft update would cause them to crash instead. – Katherine Villyard Jan 25 '14 at 13:14
  • 6
    +1 - I have one small Customer who doesn't have AD and it's _excruciating_ to work with them. My take on AD is similar to my take on DHCP-- you need it when you have more than zero client computers. – Evan Anderson Jan 25 '14 at 14:15
  • 4
    I have to admire your fortitude in dealing with such a horrible environment w/o AD. I think I would have quit, or deployed a Samba domain if worse came to worse. (I also like your bit about scripting fu in that last bit. I'm sick to death of "sysadmins" who can't automate away basic operations. It's a sad state of affairs when consultants set their expectations so low, too.) – Evan Anderson Jan 25 '14 at 16:27
  • Well, I'm not there any more, but... Yeah. I ended up there after a layoff, and stayed longer than most people would have under those circumstances because I liked my coworkers and my manager so much. But I can have lunch and/or board game night with those people and make more money elsewhere in a better environment. :) Also, in the consultants' defense, I think they thought we were crazy until they saw my kung fu. "How many domains do you have?" "None." "(*deer in headlights stare*)" – Katherine Villyard Jan 25 '14 at 16:48
  • 1
    I've seen workgroups in smaller organizations that work "OK", but not great. One example is a branch office for a client. The main office had AD, but it wasn't cost effective at the time to set up a proper VPN from the branch office in order to authenticate against the domain, so the branch office with 4 computers and 2 printers was on a workgroup. Once they got off their 1mb ISP, we could push for better infrastructure. :) – Thomas Jun 17 '15 at 17:15
13

AD and GPO will still handle management of workstations. Without it, you're paying for a 3rd party application or really really really trusting your users.

If you're doing something like strictly BYOD, or distributing only stateless VMs for working, then this doesn't apply as much.

mfinni
8

The central point of this issue depends on what you see AD as doing for you. If it's only being used as the central store for SSO credentials that are only used to authenticate to cloud apps then of course it can be replaced with another central store.

But AD can do a lot more than that:

  • Software deployment.

  • OS Deployment.

  • Printer Management.

  • User profile management (e.g. using roaming profiles or UE-V to allow users to log in anywhere and keep their local data and customisations). I think this still matters even when all your services are in the cloud, because data can still be local and client machines still break down or get replaced.

  • Scalability: I'd rather manage the provisioning and ongoing management of my thousands of user accounts via ADUC & 'local' powershell scripting, etc. than purely via Office 365.

  • Integration with non-standard applications - e.g. we have a RFID-based ID card system that integrates with AD and I really wouldn't fancy trying to make it talk to Azure-based ADFS.

Of course, not all of these things will be relevant every time - the reverse of my comment about scalability is that a small business with only a few users could certainly just buy Office 365 or Google Apps, plus whatever laptop is on sale this week at the nearest supermarket, for each new hire if they decide this is less painful for them.

Rob Moir
8

The Cloud is just another ISP

While exciting, any Cloud is just another outsourcing provider - a company trying to offer flexibility for your infrastructure and operations, often at lowered cost, and (hopefully) better reliability. Sure, the Cloud is targeted at simplifying commonly sought-out service objectives like scalability, reliability and performance - but it's still just a hosting option.

You require an Identity and Access Management platform, and Active Directory fits that need on-premise or at your hosting provider already you say?

Changing the physical location of your network services doesn't change your requirements.

Active Directory is highly extensible, even with a large number of systems not directly dependent on AD DS, you can still utilize it to manage "stand-alone" infrastructure components, hosted in the Cloud or anywhere else.

If you continue to utilize the Windows platform and Microsoft middleware, the sheer level of support for Active Directory authentication in the Cloud begs for Active Directory Domain Services, even more than on-premise.

Cloud all the way

Still really keen on moving everything to the Cloud? Do it! Virtualize your Domain Controllers, it's not a show stopper. It's just another outsourcing solution :-)

I think the real question is whether you can move your MS-centric "Windows shop" to the Cloud without AD DS.

Mathias R. Jessen
  • Isn't this essentially a less precise way of iterating the original question? I have read the answer several times because I wish to see your point, but can't. Is it possible to clarify? (and isn't the 'requirements not changing' part missing the whole sourcing debacle? Both functional and non-functional requirements come under strong scrutiny and frequently see change in a sourcing project). – ErikE Jan 25 '14 at 12:49
  • Your last statement is exactly my point, sorry for the vague phrasing. The Cloud aspect is not different from any other sourcing project in that your *business requirements* do not transform significantly should you choose cloud over any other housing/hosting/virtualization solution. That being said, you're right, my answer is cowardly void of any real meaningful advice in relation to sourcing. – Mathias R. Jessen Jan 25 '14 at 14:25
  • My impression is that the notion of business requirements not changing significantly is a typical *selling point* of cloud vendors. *Buying points* do not necessarily conform with that notion. *Example01:* data storage and processing may need regulatory evaluation as to where (which country) it may be done. *Example02:* the Snowden affair reveals the cloud as an active threat regarding confidentiality and integrity. Sweden actually got an evidence based warning about foreign state industrial cloud espionage years prior: http://www.svd.se/naringsliv/myndighet-slar-larm-om-it-lackor_5909395.svd – ErikE Jan 25 '14 at 23:56
  • ...there's a coincidence: the Swedish newspaper article just got a minor follow-up, even if it is comparatively scant on information: http://www.theguardian.com/world/2014/jan/26/edward-snowden-nsa-industrial-sabotage My point is simply that the business requirements evaluation criteria tend to grow when external housing/hosting/cloud vendors are alternatives under consideration. Naturally, the explicit business requirements see more or less change due to this, in some cases significantly so. – ErikE Jan 26 '14 at 21:54
  • 1
    +1 for this line: "Changing the physical location of your network services doesn't change your requirements." – Thomas Jun 17 '15 at 17:21
5

Could you? Yes. Would you want to? I don't think so. All of the hosted solutions you mentioned support AD Federation, and since you want SSO everywhere the only universal way of accomplishing that is going to be AD.

And products like LastPass are a password vault, not SSO.

longneck
  • While true that LastPass isn't SSO, for the end user it's irrelevant. All they know is they don't have to remember multiple passwords. OneLogin is the better example here. Taking the other side of the debate for a second (I'm on your side, just debating)...maybe you don't want to deal with the licensing/overhead/etc. of having AD around once you've gone 100% cloud. Maybe a 3rd party SSO option is a viable alternative to AD? – TheCleaner Jan 24 '14 at 21:31
  • If it's purely about licencing cost then OpenLDAP would satisfy your needs but the cost of maintenance / time would probably outstrip the cost of licencing. – James Snell Jan 25 '14 at 10:00
3

Aside from some really good answers, I'd like to reverse the question: what's the point in not having Active Directory if you are running a Microsoft shop? You can get around to use and manage Microsoft products without AD, but they are just designed to work with it, and native AD integration will always be better than any workaround you can throw in.

Less complexity? Not having AD actually adds more complexity to your environment, because you have to find suitable alternatives for everything AD would have done out-of-the-box; having AD adds... what? A couple of domain controllers (which may very well be VMs, thus not even requiring additional hardware)? Any junior Windows admin can manage a small AD, and all senior ones can manage a large one. If you are proficient enough on Microsoft products to be able to find and implement workarounds for not having AD, you are definitely skilled enough to actually use it.

Costs? Which costs? You already said you are going full cloud, so a couple additional Azure VMs will not even be able to make a small dent in your budget; not even a couple Windows Server licenses for physical DCs would, given what you are already spending in online services (not to mention client Windows and Office licenses, which you still need for all your users).

TL;DR: all in all, I really don't see any point in not having AD, given how trivial it is to implement (even on a large scale) and how much you gain by having it.

Massimo
  • I agree with this and it is similar to some of the other answers and their key points/takeaways. I think we all agree that most offerings can take advantage of AD a lot easier than forcibly living without it. In addition (to go with my OP), now that Azure offers ADaaS with tight integration to O365, if you were to go down the Azure/O365 only path for a small shop putting everything in the "cloud" then it would be more of a pain to NOT use AD. – TheCleaner Sep 15 '16 at 13:37
-2

You don't "need" AD, but it will make your life easier. Depending on your size make sure you have 2 Servers, 1 primary, 1 backup, otherwise if you lose your AD server (and only have 1) you'll need to rebuild a domain, unless your backups are SOLID.

tkrabec