Benefits to keeping an On-Premises Active Directory Domain
Alex Fields
I have seen an alarming trend in the small business market–as more and more companies offload their IT infrastructure to cloud-based applications and services (which is great in many cases), many of them are also starting to abandon older tools and platforms such as on-premises Active Directory.
This I cannot agree with, for multiple reasons.
When every computer is just in a “workgroup,” they are acting as independent islands. Workgroups only make sense in micro-businesses–they simply don’t scale up. Therefore, I do not recommend running your main work machines in a workgroup setting, unless you’re just running like a small “from home” operation with you and your spouse, or something like that. For example (and this should be intuitive/obvious): it is just more difficult and time-consuming to set up and then maintain a bunch of machines when you have to repeat every desired install/change/update for every individual device. How do you keep track of this? And this leads right into point #2…
How do you even know what state a computer is in at any given moment? Did you deploy that update to all 30 machines? Are you sure? Or, maybe you had a checklist, so you feel pretty confident. And you know for sure that you set something up one way a week ago–but now a user is calling you to complain that it isn’t working again… hm, you think: “Is there any guarantee that setting is still in place?” Well, you may ask, “Who else would have changed it–if it wasn’t me, who else was it?” That’s a great question, Sherlock…and it brings me to my next point:
Maybe someone else is owning your environment, and you have no idea about it.
If you have an on-premises AD domain, you get some fairly powerful tools that help you maintain the security of the user identities and devices that are part of your network. For example: you have centralized auditing and security logs. You have the ability to quickly lock out access or change passwords when a device is stolen, or if an account is compromised or a user is terminated. You can manage identities. You can manage computers and access to those computers.
Beyond the users and the endpoints themselves, you can also manage shared resources and permission structures, centrally. You can even extend this capability to the cloud using Azure AD Connect–and now you have control over on-premises and cloud-based resources from your original on-prem tool-set.
You also have group policy, which is an important friend and ally for locking down endpoint settings, and knowing that they will stay in place, as you originally set them. No cloud equivalent to this yet exists.
You have control over DNS lookups, which is a good thing. You should also be blocking DNS outbound for any devices except your managed AD/DNS servers.
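Whether that outbound DNS block is actually in force can be checked from perimeter firewall logs. The following Python is an added example, not code from the original post; the log layout, the 10.0.0.0/24 range and the DNS server addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed for illustration (not from the post): internal range and DC/DNS addresses.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
MANAGED_DNS = {ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")}

# Constructed flow records: timestamp src dst proto dport action
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.10 192.0.2.53 udp 53 allow
2024-05-01T09:00:02 10.0.0.57 10.0.0.10 udp 53 allow
2024-05-01T09:00:03 10.0.0.57 198.51.100.53 udp 53 allow
2024-05-01T09:00:04 10.0.0.57 198.51.100.53 udp 53 allow
2024-05-01T09:00:05 10.0.0.88 203.0.113.53 tcp 53 deny
2024-05-01T09:00:06 10.0.0.88 203.0.113.80 tcp 443 allow
truncated record
"""

def parse_line(line):
    """Return a record dict, or None when the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "proto": proto.lower(), "dport": int(dport), "action": action.lower()}
    except ValueError:
        return None

def audit_dns_egress(log_text):
    """Count outbound DNS attempts made by hosts other than the managed DNS servers."""
    leaked, blocked, skipped = Counter(), Counter(), 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # surface unparsed lines instead of hiding them
            continue
        if rec["dport"] != 53 or rec["proto"] not in ("udp", "tcp"):
            continue
        if rec["src"] in MANAGED_DNS or rec["dst"] in INTERNAL_NET:
            continue              # resolver forwarding upstream, or an internal lookup
        (leaked if rec["action"] == "allow" else blocked)[str(rec["src"])] += 1
    return {"leaked": dict(leaked), "blocked": dict(blocked), "skipped": skipped}

if __name__ == "__main__":
    print(audit_dns_egress(SAMPLE_LOG))
```

Any host listed under `leaked` reached an outside resolver directly, so the block rule is missing or has an exception. Hosts under `blocked` are being stopped at the firewall but are still configured to bypass the AD DNS servers.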
Finally, you can manage and push software updates, which are also an important part of security.
And there are probably other things in this heading that I’m forgetting because it is past my bedtime.
4. User experience
Here is what I have seen happen in offices where between 15 and 40 users, for example, try to move into a workgroup scenario:
They hate it.
Why? Because IT support gets more complicated: different machines have different settings, and problems crop up that are harder to trace/correct. Computers fall behind in updates, and users have fewer restrictions, so they tend to get infected more frequently and have other performance issues. The IT helpdesk spend goes up, user satisfaction goes down.
Since anything that is shared on the network cannot be centrally managed and resolved by friendly DNS names, you have people pointing to shared devices like printers or Network Attached Storage by IP address, and again: the setup/install for these connections has to be done manually on every machine, and every problem with it is potentially a different issue. Stupid. It’s like people drank the Cloud Kool-Aid, then just started taking idiot pills on top of that, and then forgot why they had a domain to begin with: to securely share and centrally maintain their network resources.
So a technology provider suggested that you eliminate all of your servers, and just use cloud-based apps like Office 365, Dropbox, Salesforce, QuickBooks Online, or whatever. Well, that’s great. No more server in your little office’s network closet–hooray!
But guess what you traded away? Scalability, visibility, security and user experience. Congratulations! You just went back in time to 1995 and the gun-slinging Wild West days of the early Internet. Hope you’re prepared for the worst, because the worst is definitely prepared for you.
I’m telling you: I have fixed a few of these scenarios in the past year, because good companies that were sold a Cloudy set of dreams found out (the hard way) that those dreams were indeed empty lies. They came crawling back home to Active Directory’s loving arms, and life is magically good again. Gasp–why am I the only one who is not surprised?
Look, we live in a hybrid world right now. That’s just the way it is for the time being. But I’m sure as technology keeps evolving, the cloud (especially the Microsoft cloud) will have solutions that mirror and/or replace the kinds of things that on-premises Active Directory has provided historically.
I know, I know what you’re thinking: “But Alex, what about Azure AD Domain Services?!”
Yep, but guess what? It’s not there yet; at the time of this writing at least, I can say that with confidence. I want it to be, badly! But it’s just not ready. Not yet.
And don’t get me wrong–if you can find another product or set of products that can do everything Active Directory does, and you’re able to successfully manage, monitor and maintain the endpoint state & overall security of the environment, more power to you! But I haven’t found it, at least not in this market.