
moving IT to the cloud with service not servers

Saturday, 10 January 2015

Active Directory: Goodbye Old Friend.


Any discussion relating to a school going “serverless” has to address the issue of Directory Services sooner or later. In many respects this is the ‘elephant in the server room’, a tricky and sometimes emotional issue that creates a stumbling block for this approach.

In the UK at least, the idea that a school could operate without Active Directory (AD) is practically unthinkable, a proposal close to IT heresy. But it can be done and there are many schools worldwide that work this way.

The problem with Active Directory is not the directory service itself but the tendency to expand the solution to embrace the whole suite of Microsoft services as soon as AD becomes available. It's hard to introduce AD and keep things simple. Even at a very basic level AD needs at least two domain controllers (one is possible, but then a single server failure locks everyone out), and those servers need to be backed up, patched and virus protected. You can try to keep it simple, but you are soon back with the same complex system you had before. This is the dilemma of on-premise servers.



What does Active Directory provide that you actually need?

Most importantly, it creates a security context for staff and students. It identifies users through a username/password system and grants access to network resources such as email, documents and print based on membership of security groups, with users and devices arranged into organisational units so that policy can be scoped to them. It also provides the mechanism for security and configuration policies to be applied to both users and devices, and for installing and managing software and security certificates. There is no doubt that all of this is essential to any network, but it's not the only way it can be done.

However important it may appear, AD is never the primary user database for any school. That accolade belongs to the school's MIS/SIS system, whatever that might be. Active Directory is just the overlay that controls access to network resources, and it can be replaced.

Take the example of a school running Google Apps for Education (GAFE). Like Active Directory, GAFE maintains a user directory protected by a username/password system that also has a simple hierarchy of groups and organisational units. Being cloud-based there is no local hardware to support, and the security context provided by GAFE is available everywhere, not just on the school network. Because that login is reachable from anywhere, it also needs protecting accordingly: a sensible password policy and two-step verification, at least for staff accounts. Google provides a system to link the school's MIS/SIS system to GAFE so that user accounts and groups can be maintained automatically. A user account added to the school's MIS can automatically create a GAFE account, setting up mail, Drive space and other services, and an account removed from the MIS should just as automatically lose access. The relationship between students and staff is maintained automatically through additional class groups.
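The joiner/mover/leaver logic that such a link has to get right is easier to see in code than in prose. The block below is an added example written for this post; it is not Google's sync tool and not code from the original. It assumes a hypothetical OU layout (`/Staff`, `/Students/<year group>`, `/Service Accounts`), treats the MIS export as the source of truth, and only ever suspends accounts rather than deleting them. The sample MIS rows and directory state are constructed inline so the example runs offline; applying the resulting actions through the directory's admin API is left outside the example.

```python
"""Reconcile a school MIS export against a cloud directory.

Added example, not the post's or Google's code.  The MIS is the source of
truth; the directory is brought into line with it.  Accounts are suspended,
never deleted, so mistakes (and mailboxes) are recoverable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MisRecord:
    email: str        # login name the MIS assigns, e.g. j.bloggs@school.example
    role: str         # 'staff' or 'student'
    year_group: str   # empty for staff
    active: bool      # False once the MIS marks the person as having left


@dataclass(frozen=True)
class DirUser:
    email: str
    org_unit: str     # organisational unit path in the directory
    suspended: bool


# Assumed OU layout; a real school would map its own structure here.
STAFF_OU = "/Staff"
STUDENT_OU_ROOT = "/Students"
EXEMPT_OU_ROOT = "/Service Accounts"   # never driven by the MIS


def target_ou(rec: MisRecord) -> str:
    """Where an active MIS record should live in the directory."""
    if rec.role == "staff":
        return STAFF_OU
    return f"{STUDENT_OU_ROOT}/{rec.year_group}"


def reconcile(mis, directory):
    """Return a sorted list of (action, email, detail) tuples.

    Actions: create, move (OU change, e.g. new school year), suspend
    (left per MIS, or not known to the MIS at all), unsuspend (returned).
    Emails are compared case-insensitively.
    """
    mis_by_email = {r.email.lower(): r for r in mis}
    dir_by_email = {u.email.lower(): u for u in directory}
    actions = []

    for email, rec in mis_by_email.items():
        user = dir_by_email.get(email)
        ou = target_ou(rec)
        if user is None:
            if rec.active:                       # joiner
                actions.append(("create", email, ou))
            continue
        if not rec.active:                       # leaver
            if not user.suspended:
                actions.append(("suspend", email, "left per MIS"))
            continue
        if user.suspended:                       # returner
            actions.append(("unsuspend", email, "active in MIS"))
        if user.org_unit != ou:                  # mover
            actions.append(("move", email, ou))

    # Anything in the directory the MIS has never heard of loses access,
    # except service accounts, which are managed outside the MIS.
    for email, user in dir_by_email.items():
        if email in mis_by_email or user.suspended:
            continue
        if user.org_unit.startswith(EXEMPT_OU_ROOT):
            continue
        actions.append(("suspend", email, "not in MIS"))

    return sorted(actions)


def safe_plan(mis, directory, max_suspend_fraction=0.5):
    """reconcile() with a brake: an empty or truncated MIS export must not
    lock the whole school out.  Refuse to return a plan that suspends more
    than the given fraction of the directory."""
    actions = reconcile(mis, directory)
    suspends = sum(1 for a in actions if a[0] == "suspend")
    if directory and suspends / len(directory) > max_suspend_fraction:
        raise ValueError(
            f"refusing plan: {suspends} of {len(directory)} accounts would be "
            "suspended; check the MIS export before running this")
    return actions


# Constructed sample data (not real people).
SAMPLE_MIS = [
    MisRecord("a.teacher@school.example", "staff", "", True),
    MisRecord("b.pupil@school.example", "student", "Year7", True),
    MisRecord("c.pupil@school.example", "student", "Year8", True),   # moved up
    MisRecord("d.leaver@school.example", "student", "Year11", False),
    MisRecord("e.new@school.example", "student", "Year7", True),     # joiner
]
SAMPLE_DIRECTORY = [
    DirUser("a.teacher@school.example", "/Staff", False),
    DirUser("b.pupil@school.example", "/Students/Year7", False),
    DirUser("C.Pupil@school.example", "/Students/Year7", False),
    DirUser("d.leaver@school.example", "/Students/Year11", False),
    DirUser("f.ghost@school.example", "/Students/Year9", False),      # unknown to MIS
    DirUser("svc.printer@school.example", "/Service Accounts", False),
]

if __name__ == "__main__":
    for action, email, detail in safe_plan(SAMPLE_MIS, SAMPLE_DIRECTORY):
        print(f"{action:10} {email:30} {detail}")
```

The two design choices worth copying are the ones that bite in practice: suspend rather than delete, so a leaver who returns (or a mis-keyed MIS entry) costs a click rather than a restored mailbox, and refuse to act on a sync that would suspend a large fraction of the directory, because a failed or empty export is far more likely than half the school leaving on the same day.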

As well as GAFE there are other alternatives to AD, such as the Linux School Project, which would be a viable option if the school wished to keep an onsite directory service similar to AD.

The role that Active Directory takes with respect to configuration and software deployment is an interesting one. Active Directory was designed to support Microsoft OS clients, but as schools look to support a far wider range of device types, how appropriate is this?

For many schools the primary client management tool is now the MDM (Mobile Device Management) system, normally provided as SaaS, that controls Apple iPads, Android tablets and MacOS laptops. Have we reached a point where it might just be easier to use this as the primary management tool and bring the Windows clients under it as well?

And then there's software deployment. How many new educational titles will be published this year as Windows installers to be deployed through Active Directory? The answer to that question might be close to zero.

New software is distributed through the Apple and Google app stores or delivered as SaaS services, none of which are controlled through Active Directory. That's not to say that AD can't be bent and moulded to do some of these things, but can it be done simply, without adding even more complexity?

Removing Active Directory from a large school where it's deeply embedded would be a challenge and may prove impractical, but building a new school without AD is a real option.