Monday 19 September 2016

Active Directory - it’s death was exaggerated.

An earlier post examined the ‘dilemma of on-premise servers’ and the role of Microsoft Active Directory might play in a school that adopts a SaaS approach.

The basic proposal was that maintaining on-premise Active Directory carried a significant overhead which could be reduced or even replaced by a new model that manages devices though an MDM suite using a cloud based directory driven from the the school's MIS system.

“The problem with Active Directory is not with the directory service itself but with the tendency to expand the solution to embrace the whole suite of Microsoft services as soon as AD becomes available.  Even at a very basic level Active Directory requires at least two servers that have to be be backed up, patched and virus protected. You can try and keep it simple but you are soon back with same complex system you had before. This the Dilemma of On-Premise Servers.”

That was over a year ago and in the intervening period Microsoft has made some movements towards the cloud based approach described on the original blog. For this reason the future of Active directory is looking less like a funeral and more like a grand resurrection. Let's see how this might work.


A Microsoft cloud based directory has been around for a long while. It’s called Windows Azure Active Directory (WAAD) and every user of Office365 already runs an instance of this service. It provides a simple account database for organizations that don’t need the complexity of AD and are happy to run everything in the cloud.

Unfortunately Windows Azure Active Directory is a misleading name for this service because although it runs as part of Azure (the Microsoft cloud platform) it doesn’t provide an Active Directory service to users nor does manage Windows devices. In fact it's not the Active Directory we all know and love at all.  Confused, well you're not alone. We’ll get back to this later.

Until the recently the only way of delivering a true active directory cloud service has been to create a domain controller running as virtual machine on the Azure platform.  You could link this back to onsite services using a VPN but the end result is architecturally the same as  the old on-premise solution with the difference that at least one controller runs on Azure.

Last month a new service moved out of preview Azure Active Directory Domain Services (AADDS). What this offers is essentially “Active Directory as a Service”.  In the same way that Office365 gives you a mailbox without having to manage Exchange, AADDS delivers Active Directory with running any domain controllers.
Can you see a pattern emerging here  - the servers are disappearing. 
But probably the most interesting development is the ability of Windows10 clients to be managed without a traditional domain join at all. In this case the device enrolls directly with Windows Azure Active Directory. Remember that cloud directory that wasn’t quite AD and could only hold users accounts well now it can hold computer accounts as well. This process is called an Azure domain join. Devices are managed not through GPO’s but policies delivered through the Microsoft MDM InTune into which your Windows10 laptop can be automatically enrolled during the Azure domain join process. Of course in the future everything is mobile so your Microsoft platform will also be capable of managing Android and Apple through the same InTune interface.

Well that’s fine but how do I deploy and manage my local Windows applications without SCCM and all the layers of software that surround that
Haven’t you been following this blog!
The future for applications is SaaS backed up by an app store deployment model. Your school doesn’t deploy applications directly to iPads you get them from the Apple Store managed through an MDM. In the future the same model will apply to Windows devices with patched delivered directly though the new model.

The user experience will simplified by a Single Sign-On system that's already in place as part of WAAD with the user account management for all these different SaaS service handled by the emerging SCIM standard. Create a user account in WAAD and an account will be automatically provisioned in the relevant SaaS service.

Just like your Android phone the whole solution will be location independent, your Windows device will operate in exactly the same way and have access to all the same resources so long as it has an internet connection.

If you think this a bit far fetched all the constituent parts are active and running as of now. Also remember that Microsoft about to update it's EDU licencing model to increase the cost of running on-premise services so you really don't need a crystal ball to see where things are going.

It’s all a bit new and shaky at the moment but you can be sure that Microsoft are betting the business on this model and WAAS and not AD will be the senior Microsoft directory service for the future.

So resurrecting AD for a brief period I seem to have buried it again. Oh well !
Serverless School