In a meeting recently, I was quite taken aback to hear a reason given for not moving to 2012 R2 forest functional level—a reason to which I hadn’t previously been privy. The stated reason was, “in a few years, the Windows domain won’t be relevant anymore.” As someone who cut his IT teeth on Windows NT domains and has become intimately familiar with the Novell-inspired beast that we all know as Active Directory, I found the concept of an IT function without a domain backbone quite strange. Is there any mileage in the supposition that Windows domains will be irrelevant in the space of merely a few years?
It’s worth considering what Windows domains were used for in the first place. Administrative domains were first used simply as authentication points, but with the Windows domain—and the servers and workstations that were members of it—you gained the capability to manage the devices. Software packages, patches, configuration items—all of these could be deployed and managed centrally. Active Directory added features like OUs and GPOs that extended the management beyond devices and on to the user experience itself. DNS, DHCP, email, and other services tied in to the domain as well, meaning that the Windows domain became firmly entrenched in IT departments as the de facto backbone for most enterprise environments.
Over the last few years, though, we have started to concentrate on managing the user, rather than the device, thanks to new technologies and bring-your-own-device (BYOD) initiatives. Users access virtual applications and virtual desktops. They use SaaS applications directly from the Internet. They can use these applications from personal mobile phones and tablets that are beyond the scope of IT’s remit, devices that we wouldn’t want to manage at all because of the administrative overhead and headache. Some companies use appliances and security scanners that allow them to check devices accessing their corporate apps for a minimum compliance level, but beyond that, there is little or no interest in bringing a multitude of user-owned devices under the roof of the IT department.
Also, not every service is directly tied in to the domain any more. Many companies use virtual or hardware appliances—such as NetScalers, to pull up an example I see a lot of—to provide critical functionality, but they don’t directly join the domain, requiring only network addressing and DNS service in order to function. DNS and DHCP, although commonly found on Windows domain controllers or member servers, can be provided equally well by other software or appliances. Even Exchange, so long bound closely to the AD structure, can now be replaced by offsite email such as Outlook.com or even Google Mail for business, reducing the heavy reliance on the domain backbone even further. Even cloud storage solutions wear away at AD’s overall reach, replacing the concept of the home drive and the management of the shares and permissions associated with it.
But do all of these considerations actually mean that the domain is going to go away, or, as the guy in the meeting stated, become “irrelevant”?
Let’s not forget that Windows forests and domains are very, very deeply rooted in modern IT architecture and designs. Many systems administrators the world over simply couldn’t comprehend an IT infrastructure without them. Replacing all the functionality inherent in the domain with other solutions would be complex—and probably unnecessary, unless Windows servers themselves were being phased out.
Also, there will always, without any doubt, be a need for authentication. I’d be very surprised—at this present moment, anyway—if anyone was ready (or willing) to hand over authentication responsibilities to an online service such as Microsoft, Google, Amazon, or Facebook. At least not entirely.
So, I doubt very much that the domain will become irrelevant or unnecessary over the next few years; but certainly, the Active Directory as we know it will change. Rather than being about managing systems, the user experience, mailboxes, and permissions, Active Directory domains will become about authentication, SSO, federated access, and maybe even replication with your online (Azure?) hybrid cloud services.
An indication of this future direction is provided by Microsoft’s Workplace Join features. Instead of “joining” the domain and falling fully under the remit of the corporate IT department, users will register their non-domain device in AD, receive a certificate, and from there be trusted to access corporate resources. This is an extension of ADFS (Active Directory Federated Services) and, rather interestingly, also supports Apple iOS mobile devices.
In summary, I don’t think that the Windows domain model will be removed any time soon, or even fade into obscurity. But the way we use it will change, as it evolves to meet the new needs of the workplace. The adaptability of Active Directory could well prove to be one of its greatest strengths as we move toward a changing technological future.
This is a really interesting post. I personally do see AD going away – and I think the reason is that the zeitgeist has changed. It pushed authentication and configuration into the same bucket, and people no longer think they belong together.