If LAN is legacy, what is the UN-legacy...?
-
@wirestyle22 said:
My question would be how would Active Directory look with this?
So the real question is... why would you have Active Directory?
I'm not saying that you can't, but AD is a LAN-based concept. Although Microsoft has already decoupled those concepts in Windows 10 with Azure AD which no longer uses the LAN for AD authentication. But when moving to a new paradigm you often leave things behind. One of the big ones often, but not always, being left behind is AD. Traditional AD has no place in a LAN-less architecture. It requires a LAN (a real one or a LAN-like SDN infrastructure like ZeroTier or Pertino provide, or a complex VPN setup) to work. But there is no reason that AD is a need, lots of businesses don't use AD and increasingly fewer do.
-
@wirestyle22 said:
I'm assuming I would be able to actually connect all of my remote sites to a remote domain with something like this and everything would be managed through the cloud?
Not really. Maybe as Azure AD becomes more robust. But the idea is moving to a new design, not trying to shoehorn LAN artefacts into a LAN-less system.
-
So this is a somewhat slow migration away from AD as much as possible currently. It's very interesting. I'll have to read some documentation on Azure + Windows 10 as well as Pertino/ZeroTier.
Thank you both for all of the information provided. I really appreciate it.
-
If you're considering moving away from AD completely, might as well move away from Windows completely.
-
@Dashrender If only I could. I'd much rather be learning Red Hat right now but my hands are tied. Some of our users do not retain the information provided or understand concepts unfortunately (typically the much older employees) and with the medical documentation they are expected to do now I just can't ever see my executive director approving it.
-
@wirestyle22 said:
@Dashrender If only I could. I'd much rather be learning Red Hat right now but my hands are tied. Some of our users do not retain the information provided or understand concepts unfortunately (typically the much older employees) and with the medical documentation they are expected to do now I just can't ever see my executive director approving it.
As you move more and more things to cloud/web-based services, the easier that will be in the future. Once you don't have the need for any locally installed apps, you could probably move to pure iPads, or some other tablet or a Chromebook, etc.
Printing is the bane of my existence in these cases.
-
@scottalanmiller said:
@wirestyle22 said:
My question would be how would Active Directory look with this?
So the real question is... why would you have Active Directory?
Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?
-
@dafyre said:
Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?
Cost. Complexity. AD ties you to a costly infrastructure. It means that you are paying for servers, CALs and more per user. It means you have to manage internal DNS. It means that you have to either design your entire business around very limited use cases and/or you have to do things like Pertino or ZeroTier or build a hub-and-spoke VPN model or similar to make people able to connect.
It starts off easy enough: we want password management. Makes sense. But it comes with a lot of caveats: cost, complexity, performance impacts, overhead, connectivity issues. AD made tons of sense in its time, and it still makes an awful lot of sense a lot of the time. But I think that many businesses overlook just how many other decisions are made, or assumptions are made, based around AD. Remove AD, and suddenly you have a lot of freedom to consider different things. AD might be impacting you more than you think.
-
@scottalanmiller said:
@dafyre said:
Actually @scottalanmiller -- My question would be why would you NOT want AD -- or any other centralized authentication platform -- especially if your organization is large enough to need active directory?
Cost. Complexity. AD ties you to a costly infrastructure. It means that you are paying for servers, CALs and more per user. It means you have to manage internal DNS. It means that you have to either design your entire business around very limited use cases and/or you have to do things like Pertino or ZeroTier or build a hub-and-spoke VPN model or similar to make people able to connect.
It starts off easy enough: we want password management. Makes sense. But it comes with a lot of caveats: cost, complexity, performance impacts, overhead, connectivity issues. AD made tons of sense in its time, and it still makes an awful lot of sense a lot of the time. But I think that many businesses overlook just how many other decisions are made, or assumptions are made, based around AD. Remove AD, and suddenly you have a lot of freedom to consider different things. AD might be impacting you more than you think.
I should have clarified in my last comment that I was speaking to using Azure AD, instead of a local instance.
i.e.: If AD adds all that complexity, why is NTG using it?
-
@dafyre said:
i.e.: If AD adds all that complexity, why is NTG using it?
We aren't, we dropped it. Couple of months ago.
-
@dafyre said:
I should have clarified in my last comment that I was speaking to using Azure AD, instead of a local instance.
Limited to Windows 10. That's pretty big.
-
So now @NTG is pretty much using SSH keys for authentication into the lab environments, etc?
No other centralized authentication system at all now?
-
@scottalanmiller said:
@dafyre said:
i.e.: If AD adds all that complexity, why is NTG using it?
We aren't, we dropped it. Couple of months ago.
But you are using AAD, right?
-
@dafyre said:
So now @NTG is pretty much using SSH keys for authentication into the lab environments, etc?
No other centralized authentication system at all now?
Azure AD to the pure Windows 10 back office people. Other than them, no central password account management. Like many companies, once we played around with not using it, we found that we weren't getting much out of it.
-
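The distinction the thread keeps circling back to, a Windows 10 machine that is Azure AD joined versus one that is joined to an on-prem domain (or both), is visible on the device itself. The following PowerShell is an added example, not code from any poster in this thread: it parses the output of `dsregcmd /status` (a tool built into Windows 10) and reports which join state the machine is in. The function name `Get-JoinState` and the wording of the reported modes are this example's own; the field names it matches (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `TenantName`, `DomainName`) are the ones dsregcmd prints.

```powershell
# Added example: classify a Windows 10 device's join state from dsregcmd /status.
# dsregcmd ships with Windows 10; the parsing and the Get-JoinState name are
# this example's own, not anything from the thread.
function Get-JoinState {
    # dsregcmd prints "    Key : Value" lines grouped under Device State,
    # User State and Tenant Details; we only keep the keys we care about.
    $raw = & dsregcmd /status 2>$null
    if (-not $raw) { throw 'dsregcmd returned no output (not Windows 10 or later?)' }

    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|DomainName)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $azure  = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'

    # Hybrid join is the case to watch for: it still carries the on-prem
    # AD dependency (DC reachability, internal DNS) the thread describes.
    $mode = if ($azure -and -not $domain)               { 'Azure AD joined (no on-prem AD dependency)' }
            elseif ($azure -and $domain)                { 'Hybrid Azure AD joined (on-prem AD still required)' }
            elseif ($domain)                            { 'On-prem AD joined only' }
            elseif ($state['WorkplaceJoined'] -eq 'YES') { 'Azure AD registered (device not joined)' }
            else                                        { 'Workgroup / not joined' }

    [pscustomobject]@{
        Mode       = $mode
        TenantName = $state['TenantName']
        DomainName = $state['DomainName']
    }
}

# Usage: run in an elevated or standard PowerShell session on the device.
Get-JoinState | Format-List
```

If you are auditing a fleet for leftover on-prem dependencies, the "Hybrid Azure AD joined" and "On-prem AD joined only" results are the machines that still need a domain controller reachable (directly or over a VPN/SDN overlay) for domain logon and Group Policy; the pure "Azure AD joined" result is the zero-LAN-dependency case described above.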
@Dashrender said:
But you are using AAD, right?
For the Windows 10 office people like @ataylor14 and @jenuinecase yes.
-
@scottalanmiller said:
@Dashrender said:
But you are using AAD, right?
For the Windows 10 office people like @ataylor14 and @jenuinecase yes.
So I refer you to my previous question... If Azure AD (AAD?) adds that much complexity -- why keep it around?
-
@scottalanmiller said:
@Dashrender said:
But you are using AAD, right?
For the Windows 10 office people like @ataylor14 and @jenuinecase yes.
Now the question is - is the SSO worth it even for those who choose to still be on Windows?
-
@dafyre said:
So I refer you to my previous question... If Azure AD (AAD?) adds that much complexity -- why keep it around?
It doesn't, we were talking about AD, not Azure AD which are completely different mechanisms.
Azure AD has no servers, no licensing and is already there and completely included in things we already own. We do nothing for it. All we do is sign in with it and ta da, it is there. Zero overhead.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
But you are using AAD, right?
For the Windows 10 office people like @ataylor14 and @jenuinecase yes.
Now the question is - is the SSO worth it even for those who choose to still be on Windows?
Yes, because there is really zero overhead, no LAN dependency, no location dependency, no cost and it provides additional management through a channel we have to manage already so no additional work for free authentication benefits.
-
@scottalanmiller said:
@dafyre said:
So I refer you to my previous question... If Azure AD (AAD?) adds that much complexity -- why keep it around?
It doesn't, we were talking about AD, not Azure AD which are completely different mechanisms.
Azure AD has no servers, no licensing and is already there and completely included in things we already own. We do nothing for it. All we do is sign in with it and ta da, it is there. Zero overhead.
Ok, that is where I was getting confused.