Active Directory was a mainstay of enterprise computing environments for many years.
As a scalable system for account, credential, policy and resource management, it was revolutionary when launched alongside Windows Server 2000. But it was designed in a different era: 20+ years ago, enterprise computing mostly happened in the office – sometimes in well-purposed datacenters (and equally-likely in repurposed supply closets). It was housed on servers owned and operated by the organization, connected to networks installed in office buildings where employees commuted to work 5 days per week to access the network resources from their ubiquitous Windows-based PCs.
This paradigm worked well from the 1990s through the mid-2000s. But time, technology and the way many people work have all evolved. Today’s workforce expects to be able to collaborate, communicate and to get work done from anywhere, and not just from Windows PCs. Modern identity management solutions, such as Azure Active Directory and complimentary tools like Microsoft Endpoint Manager, now provide cloud-native versions of the functions that Active Directory and Group Policy previously provided.
Organizations saw clear advantages from these cloud-native solutions, and many have begun modernizing their infrastructure, a move that accelerated dramatically during the COVID-19 pandemic and the remote work revolution. Bridging technologies, like Azure AD Connect, allowed organizations to have both systems co-exist while migrations take place.
Curiously, “stalled” migrations are a common finding among our new clients. While many organizations made great progress in moving their workloads to the cloud, a significant percentage still retain and synchronize legacy Active Directory systems alongside more modern solutions.
Certainly, there are situations for which it makes sense to maintain both old and new systems concurrently, but this “dual stack” approach adds risk and cost in several ways, some more obvious than others.
Here are my top 3 reasons why you should rethink your “dual stack” solution (and hopefully I can make the case to convince you to retire it completely).
#1: Active Directory can be a cybersecurity nightmare
Active Directory can be a cyber criminal’s best friend. Its underlying architecture is over 20 years old, and while Microsoft’s commitment to backwards-compatibility is commendable, it brings with it insecure legacy protocols and default settings intended for a different era. It can be difficult to properly secure, and if not done correctly, a determined attacker can mount scripted attacks on legacy Active Directory systems and recover passwords stored within it (or cached locally on workstations). Once an Active Directory account is compromised, the underlying architecture (Kerberos) makes it easy to enumerate and log into all the data and domain services accessible with the compromised account. If the affected account is a domain administrator or similarly-privileged account, the whole Windows domain may be compromised very quickly. If you’re synchronizing your Active Directory accounts to the cloud, the compromised accounts may lead to compromised cloud services as well.
Cloud solutions aren’t perfect – they still need to be configured correctly and monitored regularly to ensure they are as secure as possible – but wouldn’t you rather deal with just one set of challenges?
#2: You’ve increased your complexity and administrative overhead
You’ve duplicated your identity management solutions, you’ve duplicated your policy management solutions, and now you have a patchwork of policies, devices and services that’s somehow supposed to achieve your organization’s IT policy goals. Let’s not forget about the daily, weekly and monthly maintenance tasks like checking logs and performing backups that you still need to do as long as you maintain your Active Directory environment. Most of these still exist, even if you’ve moved your Domain Controllers to the cloud.
#3: You’ve increased your software licensing costs
Windows Server licenses and their associated client access licenses (CALs) must still be purchased and maintained if you are running on-premises versions of Windows Server, like Active Directory. Maintaining these Windows Server licenses and their associated CALs can add thousands of dollars to your IT spend.
So, why are people still using it?
When we ask IT professionals what’s preventing them from moving away from Active Directory entirely, their answers usually come down to a few themes:
- “I’ve got applications that don’t support modern authentication.”
You may have an old, legacy application that relies on connectivity to Active Directory, perhaps a legacy line of business application that looks up security permissions and account authentication via LDAP. Certainly, depending on the complexity of the application, you may need to co-exist for a period until a more modern solution can be developed.
- “I still use Windows File Shares.”
You may have old Windows File Shares, but you should evaluate whether a more modern solution like SharePoint or Teams can help you accomplish the same thing. Chances are, you are already paying for one of these solutions if you are using some of the popular Microsoft 365 licensing options, and you’ll get the added collaboration benefits.
- “I’ve got Wi-Fi or VPN security (802.1X, RADIUS) that doesn’t support modern authentication.”
We’ve seen clients keep Active Directory around to handle Wi-Fi or VPN authentication. If you’re using 802.1X (or something similar) to authenticate your enterprise Wi-Fi, consider switching to certificate-based solutions. If you’ve gone fully to the cloud, you may no longer even need your VPN.
- “We’ve been meaning to get around to it, but we don’t have the time.”
With competing IT priorities, getting executive buy-in to spend time and resources on retiring legacy infrastructure isn’t always easy, especially for IT departments accustomed to “doing more with less”. Inertia and outdated processes can sometimes play a part. We’ve seen cases where IT people created accounts in Active Directory and synchronized them to Azure AD because that’s how they’d always done it. If this is you, you should consider the true cost to properly install, administer, back up and otherwise maintain your legacy systems, and consider how much recurring effort will go away once Active Directory is retired.
To wrap it up, Active Directory has served us well and underpinned much of the world’s IT infrastructure for the last two decades. It’s now time to thank it for its service, and let Active Directory enjoy its retirement. If you really can’t retire it yet, be clear-eyed about the reasons you need to keep it around and work with your decision makers to map out a path to its eventual retirement. In the meantime, consider the steps you can take to minimize its footprint, such as consolidating domain controllers and joining your endpoints to the cloud-based directory only.
Of course, if you need help in retiring your Active Directory environment, consider reaching out to Infracore for help. We’d love to help you identify your blockers, evaluate solutions and get you to a better place.