Making the Case for Retiring Active Directory

The thought or idea of retiring Active Directory did not come overnight, but developed over time.

As we moved more and more services into the cloud we needed an authentication mechanism that allowed us to control access to those resources and an efficient means for our employees to gain access, rather than supplying a separate login for each of them.

We needed a solution that could do in the cloud (SSO, identity management) what Active Directory did for our on-premise resources. Okta was / is that solution for us.

Integrating Okta into our infrastructure was easy – it did not require any drastic changes in the way things were set up, it plays nicely alongside Active Directory, and it required very little training for our employees. Okta comes out of the box with pre-built authentication for thousands of web and cloud-based services (continuously expanding) along with modern MFA and strong security. We continued to maintain AD. Any user/group related AD changes are synced to Okta, so we did not need to maintain two separate directory services. To make this work, all that was required was one or more (for redundancy) Okta-AD agent servers, which ran/run on existing hardware we already had.

Moving services into the cloud along with a cloud based identity service like Okta allowed our employees to work from the office or anywhere else without the need for VPN or other cumbersome connectivity mechanisms.

Fast forward and Covid-19 home-bound remote working became the new normal. The few AD controlled services that employees depended on in the office (e.g. Wifi authentication, printer access, and a few others) suddenly did not matter anymore.

However, what does matter is that the ultimate source of control for authentication – even for our cloud-based services – was still Active Directory, as any sign-on to Okta is verified via the Okta-AD Agents by Active Directory.

With nobody in the office on a regular basis and the server room and its climate controls left to themselves, this (AD) became the Achilles heel for our little IT team: it gated access to all of our cloud-based resources.

A power outage in one of our small satellite offices, which took out one of our domain controllers and an Okta-AD agent, highlighted this vulnerability. It became clear that it doesn’t make sense anymore for us to maintain an AD infrastructure over multiple physical office locations, just for the sake of a few on-premise services that, at the moment and for the foreseeable future, do not matter. Tighter restrictions on operational costs due to Covid-19 made another argument to retire AD.

We started making a list of services that depend on AD in order to see if removing AD would be feasible and to get an idea of what would be involved.

Once we had that list, the idea of removing AD did not look so outlandish anymore. Yes, there are some services (e.g. Wifi authentication/Radius, internal DNS, print management) for whose replacement we haven’t figured out the details yet, but this is one of the nicer Covid-19 side-effects: we do not have to have a solution for everything all at once and can do this in stages.

For this, there are cloud-based directory services like JumpCloud and others, which we started exploring to possibly take over some of the on-premise tasks done by AD, with the promise of additional functionality and without incurring new hardware or the associated maintenance contracts and costs. More about this later.