Legacy Active Directory Environment

You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:

  • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
  • You are unaware of what processes depend on AD and how integrated they are.
  • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

Our Advice

Critical Insight

  • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
  • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
  • Take inventory of your objects that depend on Kerberos and NTLM and plan on removing that barrier through applications that don’t depend on AD.

Impact and Result

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

Legacy Active Directory Environment Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Legacy Active Directory Environment Deck – Legacy AD was never built for modern infrastructure. Understand the history and future of Active Directory and what alternatives are in the market.

Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.

  • Legacy Active Directory Environment Storyboard

Further reading

Legacy Active Directory Environment

Kill the technical debt of your legacy Active Directory environment.

Analyst Perspective

Understand what Active Directory is and why Azure Active Directory does not replace it.

It’s about Kerberos and New Technology LAN Manager (NTLM).


Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

John Donovan
Principal Director, I&O Practice
Info-Tech Research Group

Insight Summary

Legacy AD was never built for modern infrastructure

When Microsoft built AD as a free component of Windows Server to replace Windows NT, shortly before the demise of Novell Directory Services in 2001, it never intended Active Directory to work outside the corporate network or with anything other than Microsoft apps and devices. While it began as a central management system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.

Build all new systems with cloud integration in mind

Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.

Hybrid AD is a solution but not a long-term goal

Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

Executive Summary

Your Challenge

You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

  • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
  • You are unaware of what processes depend on AD and how integrated they are.
  • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

Common Obstacles

  • Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
  • You do not see any return on investment in AD maintenance.
  • Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.

Info-Tech’s Approach

  • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
  • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
  • Take inventory of your objects that depend on Kerberos and NTLM and plan on removing that barrier through applications that don’t depend on AD.

Info-Tech Insight

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

The history of Active Directory

The evolution of your infrastructure environment

From NT to the cloud

AD, 2001
  • Active Directory replaces NT and takes over from Novell as the enterprise access and control plane.
  • With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.

Exchange Server, 2003
  • In 2004, email becomes business critical.
  • This puts pressure on links, increases replication and domains, and creates a need for multiple identities.

SharePoint, 2007
  • Collaboration becomes pervasive.
  • Cross-domain authentication becomes prevalent across the enterprise.
  • SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.

Server 2008 R2
  • Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment.
  • Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.

BYOD security risk
  • There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops.
  • Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.

All in cloud, 2015
  • Cloud technology doesn’t work well with complicated, messy AD environments. Cloud solutions need a simple, flat AD architecture.
  • Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to the cloud, building complexity again.

Organizations depend on AD

AD is the backbone of many organizations’ IT infrastructure

73% of organizations say their infrastructure is built on AD.

82% say their applications depend on AD data.

89% say AD enables authenticated access to file servers.

90% say AD is the main source for authentication.

Source: Dimensional Research, “Active Directory Modernization: A Survey of IT Professionals,” Quest, 2017.

Info-Tech Insight

Organizations fail to move away from AD for many reasons, including:

  • Lack of time, resources, budget, and tools.
  • Difficulty understanding what has changed.
  • Migrating from AD being a low priority.

Active Directory components

Physical and logical structure

Authentication, authorization, and auditing

The image contains a screenshot of the active directory components.

Active Directory has its hooks in!

AD creates infrastructure technical debt and is difficult to migrate away from.

The image contains a screenshot of an active directory diagram.

Info-Tech Insight

Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

AD security

Security is the biggest concern with Active Directory.

Neglecting Active Directory security

98% of data breaches came from external sources.

Source: Verizon, Data Breach Report 2022

85% of data breaches took weeks or even longer to discover.

Source: Verizon Data Breach Report, 2012

The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

Info-Tech Insight

Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

What are the security risks to legacy AD architecture?

  • It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
  • This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

AD event logs

84% of organizations that had a breach had evidence of that breach in their event logs.

Source: Verizon Data Breach Report, 2012

What is the business risk

How does AD impact innovation in your business?

It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

  • Constraints of AD and growth of your digital footprint
  • Difficulty integrating modern technologies
  • Difficulty maintaining consistent security policies
  • Inflexible central domains preventing innovation and modernization
  • Inability to move to a self-service password portal
  • Vulnerability to being hacked
  • BYOD not being AD friendly

AD is dependent on Windows Server

  1. Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
  2. Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

Azure AD is not a replacement for AD

AD was designed for an on-premises enterprise

The image contains a screenshot of a Azure AD diagram.

  • Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
  • In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
  • If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

"Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

– Gregory Hall,
Brand Representative for Microsoft
(Source: Spiceworks)

The hybrid model for AD and Azure AD

How the model works

The image contains a screenshot of a hybrid model for AD and Azure AD.

Note: AD Federation Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance and support, and it is not a liberating service.

Many companies are:

  • Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
  • Managing non-Windows devices.
  • Moving to a hybrid model of work.
  • Enabling BYOD.

Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

The difference between AD Domain Services and Azure AD DS

One of the core principles of Azure AD is that the user is the security boundary, not the network.

Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

Info-Tech Insight

If you are struggling to get away from AD, Kerberos and NTLM are to blame. Working around them is difficult. Azure AD instead uses SAML 2.0, OpenID Connect, and OAuth 2.0.
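The inventory of Kerberos- and NTLM-dependent objects that this insight calls for, as an added example that is not part of the Info-Tech deck. It assumes the RSAT ActiveDirectory module, a domain-joined admin workstation, and a hypothetical domain controller name (`dc01.corp.example`) on which you can read the Security log.

```powershell
# Added example (not from the Info-Tech deck): inventory the AD objects that still
# depend on Kerberos and NTLM before planning a migration away from AD.
# Assumes the RSAT ActiveDirectory module, a domain-joined admin workstation and
# rights to read the Security log on the domain controller named below
# (hypothetical name; replace with your own). Run from an elevated session.
Import-Module ActiveDirectory

$DomainController = 'dc01.corp.example'   # assumption: one DC to query
$LookbackDays     = 7

# 1. Kerberos dependencies. Every account that registers a Service Principal
#    Name (SPN) is a service that clients reach with Kerberos tickets, so a
#    report grouped by SPN service class (HTTP, MSSQLSvc, CIFS ...) is a list
#    of the applications that cannot simply leave the domain.
$spnAccounts = Get-ADObject -Server $DomainController `
    -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

$kerberosRows = foreach ($obj in $spnAccounts) {
    $delegation = if ($obj.TrustedForDelegation) { 'unconstrained' }
                  elseif ($obj.'msDS-AllowedToDelegateTo') { 'constrained' }
                  else { 'none' }
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            ServiceClass = ($spn -split '/')[0]
            Account      = $obj.Name
            ObjectClass  = $obj.ObjectClass
            Delegation   = $delegation
        }
    }
}
$kerberosByService = $kerberosRows |
    Group-Object ServiceClass | Sort-Object Count -Descending |
    Select-Object @{n = 'ServiceClass'; e = { $_.Name }}, Count,
                  @{n = 'Accounts';     e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' }}

# 2. NTLM dependencies. A DC logs event 4776 for every NTLM credential it
#    validates on behalf of a member server or workstation (Audit Credential
#    Validation, on by default on DCs). The Workstation field names the system
#    that still talks NTLM; TargetUserName names the account. Status 0x0 is a
#    successful validation, i.e. an application that really works this way.
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction Stop -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$ntlmRows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Workstation = $data.Workstation
        Account     = $data.TargetUserName
        Succeeded   = ($data.Status -eq '0x0')
    }
}
$ntlmByHost = $ntlmRows | Where-Object Succeeded |
    Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object @{n = 'Workstation'; e = { $_.Name }}, Count,
                  @{n = 'Accounts';    e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' }}

'Kerberos: SPN-bearing accounts by service class'
$kerberosByService | Format-Table -AutoSize
'Kerberos: accounts with delegation configured (highest migration and security friction)'
$kerberosRows | Where-Object Delegation -ne 'none' |
    Select-Object Account, ObjectClass, Delegation -Unique | Format-Table -AutoSize
"NTLM: hosts whose credentials $DomainController validated over NTLM in the last $LookbackDays days"
$ntlmByHost | Format-Table -AutoSize
```

Run it against every DC, since each DC only logs the NTLM validations it handled; the two tables together are the starting point for the application catalog in the Discovery phase.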

Feature                                         Azure AD DS                                Self-managed AD DS
Managed service                                 ✓                                          ✗
Secure deployments                              ✓                                          Administrator secures the deployment
DNS server                                      ✓ (managed service)                        ✓
Domain or Enterprise administrator privileges   ✗                                          ✓
Domain join                                     ✓                                          ✓
Domain authentication using NTLM and Kerberos   ✓                                          ✓
Kerberos-constrained delegation                 Resource-based                             Resource-based and account-based
Custom OU structure                             ✓                                          ✓
Group Policy                                    ✓                                          ✓
Schema extensions                               ✗                                          ✓
AD domain/forest trusts                         ✓ (one-way outbound forest trusts only)    ✓
Secure LDAP (LDAPS)                             ✓                                          ✓
LDAP read                                       ✓                                          ✓
LDAP write                                      ✓ (within the managed domain)              ✓
Geo-distributed deployments                     ✗                                          ✓

Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

Impact of work-from-anywhere

How AD poses issues that impact the user experience

IT organizations are under pressure to enable work-from-home/work-from-anywhere.

  • IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
  • While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
  • The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
  • As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
    • JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
    • Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
    • Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

How AD can impact your migration to Microsoft 365

The beginning of your hybrid environment

  • Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
  • Microsoft 365 uses Azure AD in the background to manage identities.
  • Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
  • Password hash synchronization should be implemented to synchronize password hashes from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
  • Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.
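One way to confirm on the Azure AD Connect server that the behaviour just described is in effect. This is an added example, not part of the Info-Tech deck; it assumes an elevated PowerShell session on the Azure AD Connect server, where the ADSync module is installed with the product.

```powershell
# Added example (not from the Info-Tech deck): confirm on the Azure AD Connect
# server that the sync behaviour described above is actually in effect: the
# scheduler runs, it is not parked in staging mode, the delta cycle is on the
# default 30-minute interval, and password hash synchronization is enabled.
# Assumes an elevated PowerShell session on the Azure AD Connect server, where
# the ADSync module is installed together with the product.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler            # scheduler state and intervals
$features  = Get-ADSyncAADCompanyFeature    # tenant feature flags, incl. PasswordHashSync
$findings  = [System.Collections.Generic.List[string]]::new()

if (-not $scheduler.SyncCycleEnabled) {
    $findings.Add('Sync cycle is disabled: on-premises changes are not reaching Azure AD.')
}
if ($scheduler.StagingModeEnabled) {
    $findings.Add('Server is in staging mode: it imports from AD but exports nothing to Azure AD.')
}
if ($scheduler.CurrentlyEffectiveSyncCycleInterval -ne [TimeSpan]::FromMinutes(30)) {
    $findings.Add("Effective sync interval is $($scheduler.CurrentlyEffectiveSyncCycleInterval), not the default 30 minutes.")
}
if (-not $features.PasswordHashSync) {
    $findings.Add('Password hash synchronization is off: cloud sign-in with the on-premises password needs PHS, pass-through authentication or federation.')
}
$running = @(Get-ADSyncConnectorRunStatus)  # empty when no connector run is in progress
if ($running.Count -gt 0) {
    $findings.Add("$($running.Count) connector run(s) in progress; re-check before trusting NextRunUtc.")
}

# Summary a migration team can paste into its discovery notes.
[pscustomobject]@{
    SyncCycleEnabled  = $scheduler.SyncCycleEnabled
    StagingMode       = $scheduler.StagingModeEnabled
    EffectiveInterval = $scheduler.CurrentlyEffectiveSyncCycleInterval
    NextRunUtc        = $scheduler.NextSyncCycleStartTimeInUTC
    NextRunPolicy     = $scheduler.NextSyncCyclePolicyType   # Delta or Initial
    PasswordHashSync  = $features.PasswordHashSync
    Connectors        = (Get-ADSyncConnector | ForEach-Object { "$($_.Name) [$($_.ConnectorTypeName)]" }) -join '; '
} | Format-List

if ($findings.Count -gt 0) { 'Findings:'; $findings | ForEach-Object { " - $_" } } else { 'No findings.' }
```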

Alternatives to AD

When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTLM, and support LDAP.

  • JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
  • Apache Directory Studio Pro: Written in Java and built on Eclipse-based utilities, it supports LDAP v3–certified directory services. It also supports Kerberos, which is critical for authenticating legacy Microsoft AD apps.
  • Univention Corporate Server (UCS): Open-source, Linux-based solution with a friendly user interface that receives continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also provides DNS and DHCP servers, multifactor authentication and single sign-on, and REST APIs. However, it has a limited English knowledge base, as it is a German tool.

What to look for

If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

These are just a few examples of the many alternatives available.

Market drivers to modernize your infrastructure

The business is now driving your Active Directory migration

What IT must deal with in the modern world of work:

  • Leaner footprint for evolving tech trends
  • Disaster recovery readiness
  • Dynamic compliance requirements
  • Increased security needs
  • The need to future-proof
  • Mergers and acquisitions
  • Security extending the network beyond Windows

Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

Activity

Build a checklist to migrate off Active Directory.

Discovery

☐ Catalog your applications.
☐ Define your users, groups, and usage.
☐ Identify network interdependencies and complexity.
☐ Know your security and compliance regulations.
☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).

Assessment

☐ Build a methodology for migrating apps to IaaS.
☐ Develop a migration team using internal resources and/or outsourcing.
☐ Use Microsoft resources for specific skill sets.
☐ Map on-premises third-party solutions to determine how easily they will migrate.
☐ Create a plan to retire and archive legacy data.

Proof of Concept

☐ Test your workload: Start small and prove value with a phased approach.
☐ Estimate cloud costs.
☐ Determine the amount and size of your compute and storage requirements.
☐ Understand security requirements and the need for network and security controls.
☐ Assess network performance.

Migration

☐ Qualify and test the tools and solutions needed for the migration.
☐ Create a blueprint of your desired cloud environment.
☐ Establish a rollback plan.
☐ Identify tools for automating migration and syncing data.
☐ Understand the implications of the production-day data move.

Cloud Operations

☐ Keep up with the pace of innovation.
☐ Leverage 24/7 support via skilled Azure resources.
☐ Stay on top of system maintenance and upgrades.
☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

Related Info-Tech Research

Manage the Active Directory in the Service Desk

  • Build and maintain your Active Directory with good data.
  • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

SoftwareReviews: Microsoft Azure Active Directory

  • The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks.

Define Your Cloud Vision

  • Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

Bibliography

“2012 Data Breach Investigations Report.” Verizon, 2012. Web.
“2022 Data Breach Investigations Report.” Verizon, 2022. Web.
“22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb. 2022. Accessed 12 Sept. 2022.
Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept. 2022.
“Are You Ready to Make the Move from ADFS to Azure AD?” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar. 2021. Accessed Sept. 2022.
Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct. 2020. Accessed Sept. 2022.
“Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
“Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services.” Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
“Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept. 2022.
Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.” Semperis, 4 Aug. 2021. Accessed Oct. 2022.
“How does your Active Directory align to today’s business?” Quest Software, 2017. Accessed Sept. 2022.
Lewis, Jack. “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec. 2020. Accessed 15 Sept. 2022.
Loshin, Peter. “What is Kerberos?” TechTarget, Sept. 2021. Accessed Sept. 2022.
Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
“Understanding Active Directory® & its architecture.” ActiveReach, Jan. 2022. Accessed Sept. 2022.
“What is Active Directory Migration?” Quest Software Inc., 2022. Accessed Sept. 2022.
