There's more to life than Windows

When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops. And that's fine: it probably serves 90 per cent of the kit you have and is a secure, easy-to-use way of authenticating user logins. But it's very unusual to …

  1. Anonymous Coward
    WTF?

    That article summed up.

    There is different kit and now it's easier to connect.

  2. Steve Davies 3 Silver badge

    Can we have?

    Articles on how to get rid of AD once and for all?

    Given the footguns that MS seem to be firing these days there will be sites that want to ditch everything from Redmond. If they run AD then they are locked inside the MS Walled Garden, or are they?

    1. Lee D Silver badge

      Re: Can we have?

      Trouble is, what to replace it with. It's no good decrying something unless you have valid replacements.

      And the replacements are:

      Samba (still wouldn't trust a DC on this, sorry).

      Red Hat Directory Server.

      And so you end up with problems because you either have to use Windows management tools and basically replace the "no front end" servers with something else that's probably more unreliable (so nobody but you will care, and all your users will scream the moment something doesn't work as expected), or with a system that involves quite a lot of replacement and messing around.

      And, at the end of the day, the killers are not AD. AD is a good idea, works well, or we wouldn't use it. No, the killer is things like Exchange (no viable, cheap, compatible replacement that I'm aware of) and other things that plug into AD.

      The problem is not AD; you can run AD on Linux now with no Microsoft software involved. It's the programs that tie into it and that you use to manage it which are the problem.

      I speak as someone who has set up a school entirely on the Google Apps platform, as someone who hates Exchange with a vengeance, who has deployed Linux machines and LibreOffice in a school and always has several Linux VMs for certain jobs no matter where I work. I'd love to do it. What stops you is not the back end stuff like AD, which is usually just fine to run on a Windows server and forget about all those compatibility worries. It's the stuff that plugs into it. And the stuff users want to use.

      You can wean users off. And if you had the power to solely dictate what the users must use, you wouldn't have this problem in the first place. But that's the sticking point.

    2. Anonymous Coward

      Re: Can we have?

      Samba now offers its own implementation of AD - you can also use your own combination of Kerberos and LDAP, it will just require more work to set up and maintain.

      Linux distros should agree on an AD competitor that is easy to set up and use, but it looks like nobody is really interested in it. Why, I can't explain.

      Maybe graybearded Linux admins are afraid to lose their job if Linux becomes too easy to administer in larger setups... <G>

      1. PNGuinn

        Re: Can we have?

        "Linux distros should agree on an AD competitor that is easy to set up and use, but it looks like nobody is really interested in it. Why, I can't explain."

        Isn't that part of systemd now?

        >>Ducks back under sysvinit bridge quick<<

    3. Daniel B.

      Re: Can we have?

      LDAP. It's what most companies do. Pretty much any authentication platform has LDAP integration and thus can use LDAP as their main authentication registry.

      AD is basically the usual renegade Microsoft implementation of usually open protocols, in this case it's LDAP and Kerberos v5.

  3. jake Silver badge

    It's late. I'm up with a whelping Greyhound. I shouldn't post ... but ...

    "When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops."

    I'll fade that bet ... Not a snowball's chance in hell, in fact.

    "And that's fine: it probably serves 90 per cent of the kit you have"

    Nope.

    "and is a secure"

    Post proof, or retract.

    "easy-to-use way of authenticating user logins."

    Easy is secure? Since when?

    1. PrivateCitizen

      Re: It's late. I'm up with a whelping Greyhound. I shouldn't post ... but ...

      "When you run a corporate IT infrastructure, the chances are you run Active Directory underpinning a predominantly Windows-based array of servers, desktops and laptops."

      I'll fade that bet ... Not a snowball's chance in hell, in fact.

      If you took that bet, you'd probably lose, as all he says is the "chances are" - not that you "are." This means your experience of a different environment isn't enough to falsify his statement.

      The reality, for better or worse, is that the majority of corporate environments will use Active Directory to manage a server farm where most devices have a little Windows logo.

      1. jake Silver badge

        Re: It's late. I'm up with a whelping Greyhound. I shouldn't post ... but ...

        "If you took that bet, you'd probably lose, as all he says is the "chances are" - not that you "are." This means your experience of a different environment isn't enough to falsify his statement."

        I took the bet. He was wrong. Ergo ...

        ::fades to black::

    2. Anonymous Coward

      "Post proof, or retract."

      AD is built upon Kerberos and other technologies which are regarded secure.

      What is your proof it isn't secure? And with what more secure technology would you replace it?

      Or feel free to retract...

      1. WolfFan Silver badge

        Re: "Post proof, or retract."

        "AD is built upon Kerberos and other technologies which are regarded secure.

        What is your proof it isn't secure? And with what more secure technology would you replace it?

        Or feel free to retract..."

        It's jake. He doesn't do retractions.

        1. jake Silver badge

          Re: "Post proof, or retract."

          "It's jake. He doesn't do retractions."

          Yes, actually, I do.

          http://forums.theregister.co.uk/post/search/?q=jake+%2B%22mea+culpa%22

      2. jake Silver badge

        Re: "Post proof, or retract."

        "What is your proof it isn't secure?"

        Constantly B0rken Redmond-based systems? Don't you read the news?

        "And with what more secure technology would you replace it?"

        DYOFDW.

  4. WraithCadmus
    Linux AD integration - Less shit than once it was

    I've been quietly impressed with the realmd stuff in RHEL/CentOS 7, it does feel incredibly natural once it's set up.

  5. Novex

    Externally Facing Devices

    I'm fairly sure things like externally facing routers and the like shouldn't be AD aware. If they get pwned, then there's the potential for your whole AD infrastructure to get pwned...?

    1. Anonymous Coward

      Re: Externally Facing Devices

      Nowhere is it said that you should have a single domain managing everything.

      For the perimeter stuff you could set up a dedicated domain - you still get the benefit of centralized management of accounts (instead of having them replicated on every device, probably with the same password stored locally...), while keeping the domain segregated from the internal network.

      1. Lee D Silver badge

        Re: Externally Facing Devices

        One-way domain trusts.

        Done.

        But the next question: How would you stop people joining any-random-device to your networks if you're not using things like RADIUS, that authenticate your port against things like AD?

        1. Anonymous Coward

          Re: Externally Facing Devices

          I was a bit surprised the article talks about TACACS+ and not RADIUS. It is true the former should be more secure than the latter, but it is also less supported. Both can anyway be integrated with AD, and perform things like putting the user - after authentication - on the correct VLAN regardless of where it connects from (wired or wireless).

  6. Anonymous Coward

    «Why would you have centralised authentication on your computers and mobile devices and then a load of distributed user databases on your LAN kit?»

    Because when said LAN kit can't talk to the AD for whatever reason, I want to still be able to connect to it and fix it?

    The idea is not completely impossible to envision, but it's a rather bolder step than this sentence makes it sound.

    1. Anonymous Coward

      That doesn't mean you should not have a few, very few, local users with very strong passwords for emergency situations. What you should avoid is having lots of users, many of which may be no longer active, maybe with weak passwords, on each device.

  7. Anonymous Coward

    Just, if you use AD, set up a proper AD...

    Rarely does a single domain fit the needs of medium and large companies. Sometimes you'll need a forest and proper trusts to ensure authentication (and authorization) happens the correct way, while trying to get more elevated privileges is not so easy from a "less" trusted domain. I.e. the network gear administration domain should not blindly accept users - and even administrators - from the sales one.

    Also, use delegation to make some common tasks available to other people without giving them full administrator permissions.
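    A defender-side check of the point made here, and of the one-way trusts reply under "Externally Facing Devices" above: an added PowerShell example, not code from the thread, that lists this domain's trusts with the RSAT ActiveDirectory module (Get-ADTrust) and flags any that would let accounts from a less-trusted domain (perimeter, sales, ...) authenticate into this one. The domain name perimeter.example.net is a placeholder; run it from the internal (more trusted) domain.

```powershell
# Added example, not from the thread. Trust direction is relative to the
# domain you query it from:
#   Inbound  = the target trusts us (our accounts work over there)
#   Outbound = we trust the target (their accounts work here)
# A perimeter or "less" trusted domain should appear here as Inbound only.
Import-Module ActiveDirectory

function Get-TrustRisk {
    param(
        # DNS names of domains this one must never trust (placeholder value)
        [string[]]$LessTrusted = @('perimeter.example.net')
    )
    foreach ($t in Get-ADTrust -Filter *) {
        $findings = @()
        $weTrustThem = $t.Direction -ne 'Inbound'   # Outbound or BiDirectional

        if (($LessTrusted -contains $t.Target) -and $weTrustThem) {
            $findings += "trust toward $($t.Target) is $($t.Direction); expected Inbound only"
        }
        if ($weTrustThem -and -not $t.SelectiveAuthentication) {
            # Without selective authentication every account in the trusted
            # domain is "Authenticated Users" on every machine over here.
            $findings += 'selective authentication off'
        }
        if ($weTrustThem -and -not $t.IntraForest -and -not $t.SIDFilteringQuarantined) {
            # SID filtering (quarantine) stops SID history from the other
            # domain being honoured; it cannot be set on intra-forest trusts.
            $findings += 'SID filtering (quarantine) off'
        }

        [pscustomobject]@{
            Target    = $t.Target
            Direction = $t.Direction
            Type      = $t.TrustType
            Findings  = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-TrustRisk | Format-Table -AutoSize
```

    Anything other than "ok" next to a perimeter or sales domain is a trust that lets that domain's accounts, and whoever compromises them, authenticate into the domain you care about.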

  8. Daniel B.

    LDAP

    Chances are that if you're managing a corporate IT network, that's the real main repository.

  9. shd

    I agree with Steve Davies 3 (actually my namesake) - having never used AD, I'm sweating on keeping an aging NetWare system going (it pretty much "just works") in the hope that I can find a viable alternative to Microsoft products on the server for a small business.

    Given my push to have more Linux on the desktop (thanks to Windows 10) it would be ironic to have to use Microsoft on the server.

    Samba looks to be a reasonable starting point, but I haven't found time to bone up on what else is needed yet.

  10. Down not across

    Can we not dumb everything down, and talk of things as they are?

    "There's another problem: AD does more than just authenticate users. It defines what groups they're in (which, really, is just another aspect of authentication), but more importantly, it does all that good stuff like applying policies to the users and the devices that are connected to it.

    You'll generally have policies applied to your Windows machines (even if it's only basic stuff like defining default printers, or disabling the "Shut Down" menu option on servers to stop numpties like me inadvertently hitting it when I really mean to log out)."

    No, that's not "really just another aspect of authentication". It's more like the second A, authorization.
