My previous article focused on migrating Exchange into Microsoft's cloud, but there is more to Office 365 than just Exchange. Single Sign On (SSO) between Office 365 and your local Microsoft domain can be a bit tricky. A proper implementation has high minimum requirements, and there are very good arguments against cutting …
How about how to get rid of MS proprietary, clunky products like Exchange, and SSO needing to support MS authentication, and use lighter-weight, multi-platform alternatives?
The Domain Server architecture and Exchange are horrors. Especially for smaller offices.
After using MS Server since NT 3.5 (1994?) I'm migrating to Linux and abandoning MS Windows Update Server.
Migrated LONG ago from MS Mail, then Outlook + Exchange to MDaemon on Windows and a succession of mail clients. Yes I know Outlook and Exchange do appointments etc.
I don't miss Sharepoint either.
I used to install MS solutions, had an MCP cert, wrote and gave a training course in NT Admin etc. No longer.
In my experience, Exchange and AD work quite well in the Small Business Server setups. And WSUS too. And the only time I had problem with sharepoint was a hardware crash.
Not yet idiot proof, but fairly easy for a small business admin to handle. Though a brief bit of culture shock for me moving from SBS on Server 2003 to the latest SBS on 2008.
Re: Or SBS
SBS = MS Crippleware versions of MS Server Applications
Practically all companies use AD - I've worked with and for FTSE100 companies for the last fifteen years - many even use it for mainframe to desktop authentication. It really is one of very few products that do the job properly and basically essential if you use Windows workstations. A few companies that I have worked at have had a bridge setup so that the Windows AD can replicate with a generic LDAP implementation on UNIX, but Win AD really is quite good and about the only product that can facilitate true single sign on.
If you are using Exchange...
...you have already failed.
Re: If you are using Exchange...
So the majority of the top 100 companies have failed?
R i g h t!
W O W
Re: If you are using Exchange...
Yes, that's what the AC is saying and I'm inclined to agree.
Re: If you are using Exchange...
That is all
Carrot and Stick
"the more difficult you make things, the more likely your users are to disregard security". Economic arguments should also be considered: fewer passwords to remember and reset equals fewer support calls.
BUT: even with SSO, the issue of passwords and password security is still not resolved!
What has this to do with Acorn's Advanced Disk Filing System? ;)
I consider exchange to be a rather advanced disk filling system.
(yes, there are 2 L's in filling)
Not quite: the disk filling is done by users who use their mailboxes as file repositories (unless you enforce proper mailstore policies of course).
Disk filling is done by Exchange, thanks to no more single instance store. :sadface.jpg:
So by trying to save money, time and energy on maintaining a small Exchange server, you're now maintaining four AD boxes?
I appreciate the redundancy etc aspects, and I doubt they'd need as much maintenance as Exchange (though if you set things up right, an Exchange box for small business really doesn't need much time spent on it) but this to me seems the opposite of what cloud computing is supposed to achieve!
Large organisations can have dozens of Exchange servers. Branch office mail stores, edge servers, etc. Heck, a "proper" exchange deployment even with only one mail store has three servers in Exchange 2010! That's before you get into the UC stuff to tie in Lync, federation, etc...
Of course you would not actually ever use internaldomain.local but rather internaldomain.anythingelse, would you? After all, .local is reserved for use by zeroconf and you break all sorts of things if you use .local for your Windows domain. Sure, Microsoft used to have an example in their documentation that used .local, but they changed that years ago and even wrote a domain rename tool to help repair the damage, not that anyone seems to ever get around to fixing this mistake. Instead the Mac and Linux users, and anyone else that has a system that supports zeroconf, just have to suffer.
'supports' zeroconf? surely you mean 'poisoned by'
chkconfig avahi-daemon off
nozeroconf=yes (in each ethN file)
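An added check for the collision described in the two comments above (example code, not from any commenter). With nss-mdns installed, a glibc hosts line such as "files mdns4_minimal [NOTFOUND=return] dns" sends every name ending in .local to multicast DNS and, on a miss, stops before unicast DNS is ever asked, so a Windows domain named corp.local becomes unresolvable from that client. The script parses resolv.conf and nsswitch.conf text and reports whether a client is in that situation; the file contents below are constructed samples, and the function names are the author's own.

```python
import re


def _search_domains(resolv_text):
    """Collect the suffixes named on 'search' and 'domain' lines of a resolv.conf.

    Comments ('#' or ';') are dropped; suffixes are lower-cased and a trailing
    dot is removed so 'corp.local.' and 'corp.local' compare equal.
    """
    domains = []
    for line in resolv_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() in ("search", "domain"):
            domains.extend(p.lower().rstrip(".") for p in parts[1:])
    return domains


def has_local_suffix(resolv_text):
    """True if any configured search suffix is 'local' or ends in '.local'."""
    return any(d == "local" or d.endswith(".local") for d in _search_domains(resolv_text))


def mdns_precedes_dns(nsswitch_text):
    """True if the 'hosts:' database consults an mdns* module before 'dns'.

    Only the first hosts: line is considered, as glibc does.
    """
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("hosts:"):
            continue
        order = line.split(":", 1)[1].split()
        mdns_idx = next((i for i, tok in enumerate(order) if tok.lower().startswith("mdns")), None)
        dns_idx = next((i for i, tok in enumerate(order) if tok.lower() == "dns"), None)
        if mdns_idx is None:
            return False
        return dns_idx is None or mdns_idx < dns_idx
    return False


def local_collision(resolv_text, nsswitch_text):
    """True when a .local search suffix meets an mDNS-first hosts lookup order."""
    return has_local_suffix(resolv_text) and mdns_precedes_dns(nsswitch_text)


# Constructed samples (hypothetical hosts, not captured from a real system).
SAMPLE_RESOLV_LOCAL = """# client joined to a Windows domain named corp.local
search corp.local
nameserver 10.0.0.10
"""
SAMPLE_RESOLV_OK = """search corp.example
nameserver 10.0.0.10
"""
SAMPLE_NSSWITCH_MDNS = "hosts:      files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_NSSWITCH_PLAIN = "hosts:      files dns\n"

if __name__ == "__main__":
    for resolv, nss in [(SAMPLE_RESOLV_LOCAL, SAMPLE_NSSWITCH_MDNS),
                        (SAMPLE_RESOLV_LOCAL, SAMPLE_NSSWITCH_PLAIN),
                        (SAMPLE_RESOLV_OK, SAMPLE_NSSWITCH_MDNS)]:
        verdict = "COLLISION" if local_collision(resolv, nss) else "ok"
        print(f"{verdict}: search={_search_domains(resolv)} hosts={nss.strip()}")
```

To run it against a real client, feed it open("/etc/resolv.conf").read() and open("/etc/nsswitch.conf").read(). Turning avahi off, as the reply above does, removes the symptom on that one client; renaming the domain, as the first comment says, removes the cause.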
I like Exchange
Moving on, thanks for the article, but does this mean SSO for small businesses using SBS 2011 for example is a no-go? I thought the whole point of SBS 2011 was that it federated with Microsoft's cloud based services.
I can't see many small businesses having an ADFS cluster so they can simplify their O365 usage.
It's great to have these articles on the Reg, but it's always aimed at enterprises. Perhaps there aren't enough of us chaps supporting small businesses to make research for small business solutions worthwhile?
They don't actually need to cluster it at all; ADFS can be installed on one server. The recommended configuration of course starts at running a small cluster on the two domain controllers (you do have two, right? ;) ) and goes up from there. I currently use it between our internally hosted Exchange server and Lync online. Same user account, same password, works great.
Um...is there a browser cache issue on my end? the last three paragraphs read as follows to me:
As you can tell, we left Small and Medium Enterprises (SMEs) behind a long time ago. This is major infrastructure: in many cases more than all of an SME's currently deployed server estate.
A practicable alternative exists. The Microsoft Online Services Sign-In Assistant (MOS SIA) was made to help bridge the gap. While each of your users will have two sets of credentials (local corporate and cloud-based), with the MOS SIA, you only have to sign in once.
While not SSO, MOS SIA is a freely downloadable tool that is "close enough" in practice. While useful and convenient, Office 365 SSO in its current form just doesn't make sense for SMEs. ®
As to "articles on the Reg being aimed at enterprises," that actually hurts my feelings. I'm an SME admin myself. I spend roughly half my day screaming at large corporations all across the globe to keep SMEs in mind. I try very hard to write my articles with SMEs in mind...even when describing a technology that by and large targets enterprises exclusively.
Sorry it didn’t work out this time. :(
Sorry Trevor, my bad :*o
I do appreciate your articles and must have been having a bad day not reading to the end.
Hope you've grabbed yourself a cold one for your efforts!
Is friesday today. CAN HAS BEER O'CLOCK. <3
You take the Exchange servers, the four 'redundant' ADFS servers, the corporate website and for the hack of it the corporate SQL Server too, virtualise the lot onto a single piece of tin. If you haven't heard something similar from your business beancounters, do not quit - you're already in the best job out there.
SSO is not a holy grail
"fewer passwords to remember and reset equals fewer support calls."
Sure, but it doesn't matter if your AD forces people to change their password every month for no reason other than 'just because'.
In any large company I've worked for that uses AD for everything such enforcement leads people to shortcuts like subtly changing passwords in very minor ways or using things like 'November12345' and then 'December12345' and so on.
Sorry but these sysadmin blogs read more like Microsoft literature than anything else these days.
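The rotation pattern described above (November12345 becoming December12345) is exactly what a plain password-history check misses, because the new string is not in the history. As an added example, not code from any commenter or from Microsoft, here is a similarity check of the kind a practitioner would bolt onto a password change: it flags a new password that differs from the old one by a couple of edits, or only by swapping a month name or a digit run. All names and thresholds are the author's; the sample passwords are constructed.

```python
import calendar
import re

# Month names and abbreviations, longest first so the regex prefers
# "november" over "nov" at the same position.
_MONTHS = sorted(
    {m.lower() for m in list(calendar.month_name) + list(calendar.month_abbr) if m},
    key=len, reverse=True,
)
_MONTH_RE = re.compile("|".join(re.escape(m) for m in _MONTHS))


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _month_template(pw):
    """Replace every month name with a placeholder: 'november12345' -> '<month>12345'.

    Short abbreviations also match inside words ('mar' in 'marine'); that is
    harmless here because old and new are transformed the same way.
    """
    return _MONTH_RE.sub("<month>", pw.lower())


def _core(pw):
    """Drop the parts people rotate: month names, digit runs, trailing symbols."""
    s = _MONTH_RE.sub("", pw.lower())
    s = re.sub(r"\d+", "", s)
    return re.sub(r"[^a-z]+$", "", s)


def is_trivial_variant(old, new, max_distance=2):
    """True if `new` is a cosmetic rotation of `old` rather than a fresh secret.

    Checks, in order: same string ignoring case; within `max_distance` edits;
    identical once month names are abstracted; identical non-empty core once
    months, digits and trailing punctuation are removed.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if levenshtein(o, n) <= max_distance:
        return True
    if _month_template(o) == _month_template(n):
        return True
    core_o, core_n = _core(o), _core(n)
    return bool(core_o) and core_o == core_n


if __name__ == "__main__":
    # Constructed pairs, not real credentials.
    pairs = [("November12345", "December12345"),
             ("Summer2023!", "Summer2024!"),
             ("Winter!99", "Winter!100"),
             ("Kremlin!Sky7", "Horizon*Moss3")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {'REJECT' if is_trivial_variant(old, new) else 'accept'}")
```

The old password is only available in cleartext at the moment of the change (the user supplies it to authenticate), so a check like this has to run inside the change handler; it cannot be retrofitted against stored hashes.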
This isn't SSO
This is not SSO; this is just linking one's AD account to their Office 365 account. A user still needs to type their username / password in twice to gain access.
The SSO for Office365 still requires use of certificates and a bodged web address which just redirects them.