Active Directory, Azure

Active Directory & Authentication–The past, present and future

Hey folks, this is the first post of a series of blog posts I am planning to write which discuss the various infrastructure requirements when designing and configuring a VDI or DaaS infrastructure.  I will discuss stuff like Active Directory, Authentication, Networking, Storage,  Profile Management, VM Specs etc etc.

I will try to keep it as generic as possible so it applies to all but as my main focus is Citrix & Azure, so  any specific walk throughs will be using Citrix & Azure as an example,  and maybe others it time permits.

Happy reading!

Introduction to Active Directory

When Windows 2000 Server Edition was released on the 17th February 2000 it contained a feature called Active Directory.  Active Directory was a LDAP Directory Service which primarily provided authentication to users and held user account information, AD security groups, computer accounts etc.   All the information was held inside a database which was called the ntds.dit

Image result for ACTIVE DIRECTORY WINDOWS 2000

With every Windows Server release (the latest being 2019) since then Active Directory has constantly evolved with new features being added and improvements made.  If you walk into any Fortune 500 Company today I can guarantee you that their Windows domain runs on Active Directory (unless they are a UNIX/LINUX shop that is!)

Image result for ACTIVE DIRECTORY WINDOWS 2019

If Active Directory breaks,  you have no domain, and if you have no domain you have no authentication. if you have no authentication then you don’t have anything – no access to your files, no GPO’s, no email, no intranet – that is how critical Active Directory is.

Active Directory in a Cloud World

Historically companies have deployed Active Directory Domain Controllers on-prem inside Data Centers, and as close to the devices accessing them as possible. This meant that any authentication or LDAP queries were super quick so providing a good experience for the end users.  

This all changed with the introduction of Cloud Computing.  Now we had resources  performing LDAP queries and authentication requests that were hosted inside Azure & AWS Datacenters onto your on-prem network.  Some applications can generated hundreds of LDAP queries a second so slow responses back can be a real problem.

To fix this problem some companies deployed a domain controllers running as virtual machines inside Azure and then treated them as any other domain controller.  You can then configure AD Sites & Services to configure any Azure hosted resources to use your Azure hosted VM as its local domain controller.

However, this can be expensive depending on how many domain controllers you have as you need them running 24×7.

On the 8th April 2013 Microsoft also released a service called Azure Active Directory. 

image

This was an Azure hosted service where you could sync your On-prem Active Directory into Azure.  Any Azure services (and also non-Azure servies) could then use that Azure AD as authentication without requiring access to your on-prem network. This is how it looked back then:

SyncADtoAzureAD0

In September 2014 Microsoft released the first version of Azure AD Sync, v1.0.419.0911.  This tool was responsible for taking specific AD Objects which you specify from your domain and syncing them with Azure AD.

The rise of SaaS apps & services requiring authentication

Before Cloud Computing was a thing your Active Directory was generally responsible for providing authentication and LDAP requests for your internal users only (apart from external VPN users).  This all changed when companies starting to introduce SaaS applications which in most cases used your UPN (Your Active Directory user account) as authentication and authorisation to use the services.

The diagram below shows the typical configuration of what we see out there today.  All those SaaS applications, Office 365, your internal apps and many other things use Azure Active Directory for authentication and identity.

Image result for AZURE ACTIVE DIRECTORY

Why am I telling you this?

Active Directory historically  has always been hugely hugely important in any environment and continues to evolve and become an even more critical part of your infrastructure.

If you look at any DaaS offering out there today one of the key requirements is a configured Directory Service, Azure Active Directory being the choice most of them.  Some examples of this are:

  • Windows Virtual Desktop
  • Citrix Cloud
  • Amazon Workspaces
  • VMware Horizon Cloud

When you are designing and implementing a VDI or DaaS solution security should be one of the most important things to think about as you are potentially exposing your environment to the whole wide world so you want to make sure that your authentication and security policies are as strong as possible.

Using Azure Active Directory gives us access to multiple authentication methods that we can leverage in our VDI & DaaS implementations.  Examples of this are MFA, security questions, hardware tokens, SMS messages. I am sure you will agree they are a lot more secure than a password!

We are at a stage now where we don’t even need passwords anymore.  We are able to use MFA or SMS messages to authenticate against Azure AD. 

Authentication methods in use at the sign-in screen

In the next post we shall setup and configure Azure AD and then setup a sync with an on-prem domain controller.

Leave a Reply

Your email address will not be published. Required fields are marked *