Why Active Directory?


There’s this one thing that is commonly found in business networks which no user ever thinks about. As long as it works, of course.

It’s the Active Directory. The question of whether you need it or not never crossed my mind. Until a few months ago, when I was asked why an Active Directory was necessary.


The reasoning behind this question is as follows:

  • we’ve only got a small network with less than a hundred PCs and a limited amount of services
  • our documents are managed using SVN (indeed)
  • there’s not supposed to be a file server
  • most users are more or less adept at working with computers and as such are expected to be capable of administrating their own PCs
  • we want to keep our internal IT as slim and trim as possible

Which is all very well, in a way. But are those reasons really valid and do they necessarily mean that Active Directory is just overcomplicating things?

I would argue that no, it’s not. Mainly because Active Directory exists to simplify administrating larger networks – and it would probably have long been dismissed if it didn’t do a good enough job at that.

So here’s why I (still) think that an AD is basically a must-have for any business with more than, say, 5 employees: It simplifies my day-to-day work. And that’s something that can’t be rated highly enough – time’s short, and spending it on repetitive tasks such as doing the same laptop setup over and over again or installing programs on employee laptops is just not what I consider to be fulfilling.

What I do have a knack for and enjoy doing is automating things. Such as building an automated, pre-configured image that I roll out over a network share (PXE environment). Invest time into building the image and setting up the appropriate servers to save time every time something has to be set up. So far, so good.

Once the laptop is set up, you also need users. You could either set up the user on the laptop and – if the laptop breaks – do it all over again next time, or create the user in an AD and, if his/her computer breaks, just take one out of the cupboard and they’re set. And that’s just the basics.

Imagine you’re running a virtual environment containing a few servers. There are probably servers that are highly specialized and contain sensitive data which you don’t want to be accessible to everyone. Without AD, you’d have to configure every server once and add or remove users as needed. And, of course, the user would then have to remember another password. And change it according to policy rather regularly. Imagine how secure those passwords will be.
Using AD, you can just create the necessary organizational units and the typical settings those servers need. Create a security group – say "smart users" – and tell AD to add this group to the local server administrators. Done. And should they leave the company, access is revoked within 5 minutes – instead of 5 minutes per server, which can quickly add up.
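To make the "smart users" setup above concrete, here is the AD side of it in PowerShell, written as an added example for this post (it is not the author's own script). It assumes the RSAT ActiveDirectory module, an OU called "Sensitive Servers", a group called "smart users", two placeholder users alice and bob and a placeholder server SRV-FIN01; the domain name is read from AD. It also shows the two checks worth running afterwards: who is really in the group (nested groups included), and whether the group actually arrived in a server's local Administrators group.

```powershell
# Added example, not from the original post: the AD side of the "smart users" setup,
# plus the onboarding/offboarding steps and the checks an admin would run afterwards.
# Assumptions (placeholders): RSAT ActiveDirectory module installed, OU "Sensitive Servers",
# group "smart users", users alice/bob, member server SRV-FIN01.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example
$NetBIOS   = (Get-ADDomain).NetBIOSName            # e.g. CORP
$ServersOU = "OU=Sensitive Servers,$DomainDN"
$GroupName = "smart users"

# 1. The OU that holds the sensitive servers; the dedicated GPO is linked here later.
try {
    $null = Get-ADOrganizationalUnit -Identity $ServersOU
} catch {
    New-ADOrganizationalUnit -Name "Sensitive Servers" -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}

# 2. A global security group that the GPO will place into the servers' local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$DomainDN" `
        -Description "Local admin on servers in $ServersOU (via Restricted Groups GPO)"
}

# 3. Onboarding: one line per person, no per-server work.
Add-ADGroupMember -Identity $GroupName -Members alice, bob

# 4. Offboarding: pull the membership and disable the account. Every server that
#    applies the GPO drops the access at its next policy refresh.
function Revoke-SmartUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity $GroupName -Members $SamAccountName -Confirm:$false
    Disable-ADAccount -Identity $SamAccountName
}

# 5. Checks: current group members (nested groups resolved) and whether the group
#    really sits in the local Administrators group of a given server.
function Get-SmartUserAudit {
    param([Parameter(Mandatory)][string]$ServerName)
    $expected    = "$NetBIOS\$GroupName"            # e.g. CORP\smart users
    $localAdmins = Invoke-Command -ComputerName $ServerName -ScriptBlock {
        (Get-LocalGroupMember -Group Administrators).Name
    }
    [pscustomobject]@{
        Server            = $ServerName
        GroupMembers      = (Get-ADGroupMember -Identity $GroupName -Recursive).SamAccountName
        LocalAdmins       = $localAdmins
        GroupIsLocalAdmin = $localAdmins -contains $expected
    }
}

Get-SmartUserAudit -ServerName SRV-FIN01
```

The one step that has no cmdlet is the "tell AD to add this group to the local server administrators" part: in the Group Policy Management Console, create a GPO linked to the Sensitive Servers OU and, under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups, add "smart users" with "This group is a member of: Administrators". Use that "member of" direction rather than listing members of Administrators directly, because the latter replaces whatever is already in the local Administrators group on every server the GPO hits.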

Imagine you’ve got sensitive data on the company laptops and you’ve told your users time and again that those have to be encrypted. Now what about the BitLocker keys (should you use BitLocker)? What if the employee loses them? In that case, you’d have to start from scratch! Or just save those keys in the Active Directory – automagically! Think of the time this can save (and the work that might otherwise be lost forever).
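As an added example of the key escrow mentioned above (not the author's code), the following PowerShell shows both ends of it: on the laptop, making sure a recovery password protector exists and pushing it into AD, and on the admin side, reading it back for a given computer and listing computers that never escrowed one. It assumes the GPO "Store BitLocker recovery information in Active Directory Domain Services" is enabled for the laptops, that the admin account is allowed to read msFVE-RecoveryPassword (by default only Domain Admins are), and that the computer name LT-ALICE01 is a placeholder.

```powershell
# Added example, not from the original post: escrow a laptop's BitLocker recovery password
# in AD and, on the admin side, look it up again or find laptops that never escrowed one.
# Assumptions: the "Store BitLocker recovery information in AD DS" GPO is enabled,
# the admin may read msFVE-RecoveryPassword, computer name LT-ALICE01 is a placeholder.

# --- Client side: run elevated on the laptop --------------------------------------------
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = "C:")
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # TPM-only volumes have no 48-digit recovery password; add one before escrowing.
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # Writes an msFVE-RecoveryInformation object under this computer's AD object.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# --- Admin side: run on a machine with the ActiveDirectory module ------------------------
Import-Module ActiveDirectory

function Get-EscrowedRecoveryPassword {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # The escrowed keys are child objects of the computer object, newest first.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Sort-Object whenCreated -Descending |
        Select-Object @{n = 'Computer'; e = { $ComputerName }},
                      @{n = 'KeyId';    e = { $_.Name }},   # "<timestamp>{<protector GUID>}"
                      whenCreated,
                      @{n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' }}
}

function Get-ComputersWithoutEscrowedKey {
    # Enabled computer accounts with no msFVE-RecoveryInformation child at all.
    Get-ADComputer -Filter 'Enabled -eq $true' | Where-Object {
        -not (Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                           -SearchBase $_.DistinguishedName -SearchScope OneLevel)
    } | Select-Object Name, DistinguishedName
}

Get-EscrowedRecoveryPassword -ComputerName LT-ALICE01
Get-ComputersWithoutEscrowedKey
```

Two practical notes: in the per-drive policy "Choose how BitLocker-protected operating system drives can be recovered", also tick "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives", so a laptop cannot finish encrypting while the escrow has failed; and restrict Get-ComputersWithoutEscrowedKey to the laptop OU with -SearchBase in real use, since servers and desktops without BitLocker would otherwise show up too.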

Speaking of users. Not every user is a born administrator. You might think that nowadays especially the younger generation grew up with computers and are probably really tech-savvy. And you’d be wrong. There’s about the same amount of stupid users around that there was a few years ago. Maybe more. Technology is complicated to many and outright magical to the uninitiated – and don’t you ever forget that, administrative guru that you are. So some users should stay limited to being users for their sake and for that of your company’s fileshares, sensitive documents and your administrator’s uninterrupted, blissful sleep at night.

Imagine there are services such as FTP, Exchange, file shares, your company cloud or whatever you like. Without AD, this would mean one account per service. With AD, you can just use the same account for every system.

I could go on giving examples for hours, but you probably got the point and are already bored to bits. So let me mention one last thing: security. Equipped with a modern firewall, the right switches and some tidy network management, you can secure your company network using VLANs and other mechanisms. But to make sure that not only access to the network is secured but also access to the servers, computers and services on that network, AD is probably the most convenient and reliable solution. With modern firewalls, you can even restrict routes to more and less sensitive areas of your network based on access rights defined per user or group. And since you probably don’t want just anyone poking around your network, this is something you might want to consider.

But isn’t it really complicated, and doesn’t it produce a lot of overhead, you might still ask yourself? And I’d say that no, actually it doesn’t. It saves the administrator more time than it costs. While it is not exactly intuitive and easy in every respect, it’s probably much easier to learn to work with its peculiarities than to remember all those accounts and computer settings that, without good old Group Policy, would be hard to track and even harder to evaluate for security risks. Plus, you can always adapt your employees’ PC settings to new policies without having to plan weeks for the update.

So yeah, there’s overhead, especially initial overhead, but it’ll start saving time rather quickly.

Bonus tip: Read up on tombstones before running a virtualized Active Directory (which is not exactly best practice if you ask VMware, but works surprisingly well if you’re aware of the drawbacks).
