Why On-Premises Active Directory Still Matters in a Cloud-Connected World
With all the talk about stampeding to the cloud, I get asked fairly regularly if I think Active Directory will be going away. No, AD isn’t becoming obsolete; it’s evolving. And as it evolves, I’d argue that it matters more than ever.
Within Microsoft ISSD (Identity and Security Services Division), the folks that bring you all the products with the words Active Directory in them, the Active Directory Domain Services (AD DS) / Azure Active Directory hybrid identity system is referred to as One AD. It’s not Azure AD with the long tail of AD DS. Their vision is to build a seamless, comprehensive identity and access management system that spans on-premises datacenters to Azure and provides a wide range of capabilities for both. It’s not there yet, but they are building it at breakneck speed. In Microsoft’s development strategy, certainly, the center of gravity has shifted to the cloud.
But the titanic mass of on-premises identity in AD DS around the world (93% of the Fortune 1000 run Active Directory) means, for the foreseeable future, it will remain the central identity store of the corporate world. And the range of services that this corporate world uses has grown astronomically in the last five years.
What I’m referring to, of course, is software as a service (SaaS), offered up to anyone that has a web browser and a credit card or purchase order. Though the shadow IT of individually held subscriptions to SaaS applications still runs rampant, the most scalable and secure way to log on to SaaS apps is to use a company’s existing user credentials from its own identity store: AD DS. This federated single sign-on (SSO) technology is fundamental to cloud identity, and the vast majority of medium and large enterprises use it in one form or another, whether as part of Microsoft’s One AD solution or with third-party solutions.
This means that not only does a wide array of existing on-premises applications rely on AD DS, but a vast range of web services now also relies on it.
As a result, far from becoming obsolete, AD DS will only become more critical to the enterprise, not less, and you must have your four-legged support platform in place. Ensuring that the directory service is healthy and monitored is one leg of this AD DS support platform. Having an object recovery plan in place, using the Active Directory Recycle Bin for accidentally deleted items and directory snapshots for corrupted items, is another. Backing up the system state in every domain (and on a few domain controllers, just to be sure) is the third leg. And finally (as I said in my last blog post <linked here>), don’t shy away from putting together and testing a solid domain and forest recovery plan.
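As an added example (not code from the original post), here is a read-only readiness check that walks the four legs above: replication health on every DC, whether the Recycle Bin is on and what could still be restored, the last recorded system-state backup per domain, and the FSMO inventory a forest recovery plan must record. It assumes Windows PowerShell 5.1 on a domain-joined admin workstation with the RSAT ActiveDirectory module and repadmin.exe, run with rights to read the whole forest.

```powershell
# Added example, not from the original post. Read-only: nothing here changes the directory.
# Assumes Windows PowerShell 5.1, RSAT ActiveDirectory module, repadmin.exe on PATH.
Import-Module ActiveDirectory
$forest = Get-ADForest
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# Leg 1: health - replication failures per domain controller across every domain
foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $fail  = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        $state = if ($fail.Count) { "$($fail.Count) replication failure(s)" } else { 'replication OK' }
        "[Leg 1] $($dc.HostName): $state"
    }
}

# Leg 2: object recovery - is the Recycle Bin enabled, and how long do deleted
# objects stay restorable? (blank lifetime means the forest default applies)
$rb    = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
             -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
"[Leg 2] Recycle Bin enabled: $([bool]$rb.EnabledScopes); deleted-object lifetime: $($dsCfg.'msDS-DeletedObjectLifetime') days; tombstone lifetime: $($dsCfg.tombstoneLifetime) days"
# Which deleted user objects could be restored today? -WhatIf only reports, it restores nothing.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects |
    ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID -WhatIf }

# Leg 3: backups - last system-state backup recorded on each domain's naming context
foreach ($domain in $forest.Domains) {
    $pdc = (Get-ADDomain -Identity $domain).PDCEmulator
    "[Leg 3] $domain (queried via $pdc):"
    repadmin /showbackup $pdc
}

# Leg 4: forest recovery plan inputs - FSMO role holders that a recovery would seize/verify
"[Leg 4] Schema master: $($forest.SchemaMaster); Domain naming master: $($forest.DomainNamingMaster)"
foreach ($domain in $forest.Domains) {
    $d = Get-ADDomain -Identity $domain
    "[Leg 4] $domain - PDC: $($d.PDCEmulator); RID: $($d.RIDMaster); Infrastructure: $($d.InfrastructureMaster)"
}
```

A domain whose `repadmin /showbackup` line shows no recent backup, or a DC with replication failures, is the gap to close before the recovery plan is exercised.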
If software is eating the world, as Marc Andreessen famously said in 2011, identity has become the key control point that determines access to this new world. And in the corporate world that means AD DS.