    If LAN is legacy, what is the UN-legacy...?

    IT Discussion. 188 Posts, 13 Posters, 91.0k Views
    • scottalanmiller

      Oh, we could do a case study pretty easily, though. @ntg does this and has kind of stepped through the "best of breed" network design for a modern company over the years so we are good for that.

      I've worked at several companies that have done this, as well, so I have some decent insight into what others are doing, not just one company.

      • wirestyle22 @scottalanmiller

        @scottalanmiller I have a serious lack of knowledge that I am fervently attempting to make up for so please excuse any misinformation.

        Currently we are set up with a primary domain and a VM secondary replicated domain at the same site (as well as a few remotely replicated domains for our bigger sites). A file server, a SQL Server using Financial Edge/Blackbaud, a terminal server for remote sites to access e-mail as well as the network share, etc. My question would be how would Active Directory look with this? I'm assuming I would be able to actually connect all of my remote sites to a remote domain with something like this and everything would be managed through the cloud?

        Any information at this point is very appreciated 🙂 Thank you as always.

        • Dashrender

          @wirestyle22 I'd like to take a crack at this.

          There are three approaches that I can currently see for you.

          1. LAN/WAN (VPN or dedicated site to site links) to connect all devices "privately" - what you are doing today.
          2. Pertino/ZeroTier - this would involve installing Pertino/ZT on every device in your environment and using that network to interconnect all of your equipment. The physical network is more or less a way for devices to get on the internet (yes I'm making an assumption here that the SDN will work on the internet) so they can connect to the SDN.
          3. Use something like Azure AD (only supports Windows 10 endpoints) and other services (OwnCloud/Office 365/DropBox, etc.) that assume connections are all coming from untrusted sources and act accordingly.
          • wirestyle22 @Dashrender

            @Dashrender That makes a lot of sense. Thank you.

            Wouldn't every piece of software (especially Financial Edge/Blackbaud--SQL) need to support that? Also, how is this going to access files and run queries? Is it still going to be based on the local IP/MAC address or is it going out and then back in? I'm sorry if these are stupid questions.

            • scottalanmiller @wirestyle22

              @wirestyle22 said:

              Currently we are set up with a primary domain and a VM secondary replicated domain at the same site (as well as a few remotely replicated domains for our bigger sites).

              I'm assuming that you mean Active Directory domain here?

              • wirestyle22 @scottalanmiller

                @scottalanmiller Yes sir. Sorry for the lack of clarification.

                • Dashrender @wirestyle22

                  @wirestyle22 said:

                  @Dashrender That makes a lot of sense. Thank you.

                  Wouldn't every piece of software (especially Financial Edge/Blackbaud--SQL) need to support that? Also, how is this going to access files and run queries? Is it still going to be based on the local IP/MAC address or is it going out and then back in? I'm sorry if these are stupid questions.

                  Support? Sorta. What would be really nice is if every service (your financial package, OwnCloud, etc.) all supported Azure AD authentication. Then the user would only have to remember one username and password.

                  As for how those systems work, they each would connect to you via a secure tunnel, via TLS, SSH, SSL, whatever... and they would all prompt you for a username and password.

                  They would all work on a similar principle as the internet at large. Every website you go to, you need to create a secure connection to (hopefully) and then give logon credentials.

                  • scottalanmiller @wirestyle22

                    @wirestyle22 said:

                    My question would be how would Active Directory look with this?

                    So the real question is... why would you have Active Directory?

                    I'm not saying that you can't, but AD is a LAN-based concept. Although Microsoft has already decoupled those concepts in Windows 10 with Azure AD which no longer uses the LAN for AD authentication. But when moving to a new paradigm you often leave things behind. One of the big ones often, but not always, being left behind is AD. Traditional AD has no place in a LAN-less architecture. It requires a LAN (a real one or a LAN-like SDN infrastructure like ZeroTier or Pertino provide, or a complex VPN setup) to work. But there is no reason that AD is a need, lots of businesses don't use AD and increasingly fewer do.

                    • scottalanmiller @wirestyle22

                      @wirestyle22 said:

                      I'm assuming I would I be able to actually connect all of my remote sites to a remote domain with something like this and everything would be managed through the cloud?

                      Not really. Maybe as Azure AD becomes more robust. But the idea is moving to a new design, not trying to shoehorn LAN artefacts into a LAN-less system.

                      • wirestyle22 @scottalanmiller

                        So this is a somewhat slow migration away from AD as much as possible currently. It's very interesting. I'll have to read some documentation on Azure + Windows 10 as well as Pertino/ZeroTier.

                        Thank you both for all of the information provided. I really appreciate it.

                        • Dashrender

                          If you're considering moving away from AD completely, might as well move away from Windows completely.

                          • wirestyle22 @Dashrender

                            @Dashrender If only I could. I'd much rather be learning Red Hat right now but my hands are tied. Some of our users do not retain the information provided or understand concepts unfortunately (typically the much older employees) and with the medical documentation they are expected to do now I just can't ever see my executive director approving it.

                            • Dashrender @wirestyle22

                              @wirestyle22 said:

                              @Dashrender If only I could. I'd much rather be learning Red Hat right now but my hands are tied. Some of our users do not retain the information provided or understand concepts unfortunately (typically the much older employees) and with the medical documentation they are expected to do now I just can't ever see my executive director approving it.

                              As you can move more and more things to cloud/web based services, the easier that will be in the future. Once you don't have the need for any locally installed apps, you could probably move to pure iPads, or some other tablet or a Chromebook, etc.

                              Printing is the bane of my existence in these cases.

                              • dafyre @scottalanmiller

                                @scottalanmiller said:

                                @wirestyle22 said:

                                My question would be how would Active Directory look with this?

                                So the real question is... why would you have Active Directory?

                                Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?

                                • scottalanmiller @dafyre

                                  @dafyre said:

                                  Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?

                                  Cost. Complexity. AD ties you to a costly infrastructure. It means that you are paying for servers, CALs and more per user. It means you have to manage internal DNS. It means that you have to either design your entire business around very limited use cases and/or you have to do things like Pertino or ZeroTier or build a hub and spoke VPN model or similar to make people able to connect.

                                  It starts off easy enough: we want password management. Makes sense. But it comes with a lot of caveats: cost, complexity, performance impacts, overhead, connectivity issues. AD made tons of sense in its time, and it still makes an awful lot of sense a lot of the time. But I think that many businesses overlook just how many other decisions are made, or assumptions are made, based around AD. Remove AD, and suddenly you have a lot of freedom to consider different things. AD might be impacting you more than you think.

                                  • dafyre @scottalanmiller

                                    @scottalanmiller said:

                                    @dafyre said:

                                    Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?

                                    Cost. Complexity. AD ties you to a costly infrastructure. It means that you are paying for servers, CALs and more per user. It means you have to manage internal DNS. It means that you have to either design your entire business around very limited use cases and/or you have to do things like Pertino or ZeroTier or build a hub and spoke VPN model or similar to make people able to connect.

                                    It starts off easy enough: we want password management. Makes sense. But it comes with a lot of caveats: cost, complexity, performance impacts, overhead, connectivity issues. AD made tons of sense in its time, and it still makes an awful lot of sense a lot of the time. But I think that many businesses overlook just how many other decisions are made, or assumptions are made, based around AD. Remove AD, and suddenly you have a lot of freedom to consider different things. AD might be impacting you more than you think.

                                    I should have clarified in my last comment that I was speaking to using Azure AD, instead of a local instance.

                                    i.e.: If AD adds all that complexity, why is NTG using it?

                                    • scottalanmiller @dafyre

                                      @dafyre said:

                                      i.e.: If AD adds all that complexity, why is NTG using it?

                                      We aren't, we dropped it. Couple of months ago.

                                      • scottalanmiller @dafyre

                                        @dafyre said:

                                        I should have clarified in my last comment that I was speaking to using Azure AD, instead of a local instance.

                                        Limited to Windows 10. That's pretty big. 🙂

                                        • dafyre

                                          So now @NTG is pretty much using SSH keys for authentication into the lab environments, etc?

                                          No other centralized authentication system at all now?

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said:

                                            @dafyre said:

                                            i.e.: If AD adds all that complexity, why is NTG using it?

                                            We aren't, we dropped it. Couple of months ago.

                                            But you are using AAD, right?
