I’ve tried to write out my thoughts about this a few times but I always end up being overwhelmed by the ever-widening scope of related things that end up being pulled in. What I’m hoping to do, and this may never be read by another human and/or web robot, is use my cane to tap around the perimeter of this vexing problem that I’ve faced at nearly every place I’ve worked: Active Fucking Directory.
At the moment I’m completely mired in the weird middle space between wanting to switch completely over to something that functions less like a needlessly complicated wrapper around LDAP and more like a secure-ish authentication method that performs a bunch of single sign on functions. It would also be nice if maintaining this shiny new solution didn’t become my full time job as well. The short answer, in my situation at least, is that an answer that simple and comforting doesn’t exist at all.
Here are the problems:
1. This needs to meet all of the requirements of the eleventy billion master service agreements that we’re supposed to hit. These are constantly changing and some of them we just sign off and ignore until one of our customers proposes an audit. Some of these requirements would be better left to a capable MDM solution but …
2. My budget for such a solution is, well, um, if you could just cut checks to my company for using your solution that is about the only thing that would make it through our finance department. The finance folks are not looking to invest money in anything ever, so that becomes a rabbit hole I’m not going to willingly crawl into.
3. To make things absolutely and utterly disaster-tastic we also just hired a CTO who seems like a cool enough guy but wants to have more input into the infrastructure we’re implementing. The real rub here is that he really just wants to implement a SaaS solution that is the namesake of the company he just jumped ship from, and I have heard nothing but gnashing teeth and the sound of hope anally escaping the human body from other folks I know that still do infrastructure work. So, I’m in a holding pattern right now while I fervently hope that one of the interviews I’ve had recently bears fruit and I can hit the ejector seat button, thus escaping with a few tatters of my sanity intact. Maybe I’ll get budget approval for something more expensive than anything I’m proposing that doesn’t work either? Splendid.
4. Another thing that happened in the midst of all of this was an office move, a company rebrand, a phone system replacement, and a few other ball-crushing tasks that I might be defensively forgetting. Just a few minor things that need to happen all at once and posthaste. Our IT department, at least for anything that doesn’t live in AWS or Salesforce, is poor old me, and I report up through two levels of managers. The usual song and dance occurred after the move was sprung on us/me: we’ll just have an MSP come in and do some of that work for us because that is always painless. I got a few things out of that: some new networking hardware (Meraki, because the techs were either morons or thought we/me were morons) and a new server to host the software used to manage badging and security cameras. Like most security and monitoring software it requires me to install components from Windows Server 2000 to get it successfully running, so I’m completely okay with isolating that garbage onto its own server and away from any infrastructure that actually matters. It did not get me any new server hardware that I could use, because there’s much money to be made reselling software licensing, of course. The MSP folks built us a sort of functioning Active Directory server in AWS but didn’t do most of the grunt work before their contract budget was consumed. Thanks guys! I was hoping to spend a couple weeks running hastily written PowerShell scripts on a production machine. This also sounds amazing!
5. Here’s the punchline to all this: the server that really, really needs to be replaced is a 7-8-year-old Dell PowerEdge that has been outside of a service contract for several years and spent most of its life in a switch closet/sauna basically the size of a closet with no real cooling. It is obviously a ticking time bomb despite having an even older backup domain controller that takes more than 15 minutes to reboot when I do something terrifying like rebooting it. Oh, yeah, and this is hosted on a Windows Server 2008 SBS box. Yeah, it really is that grim. The message from on high is that I need to somehow keep this incredibly robust and reliable machine running for an unspecified period of time until there is a decision and budget available for a cloud solution that will likely do a measurably worse job of handling authentication and won’t serve any policy at all. Maybe that means I’ll finally get some budget for MDM? Probably not.
We are an Office 365 shop (this is what that service is called no matter what stupid renaming convention they try to employ) so everyone in the company that has absolutely no fucking idea what they’re talking about immediately tells me how we should just migrate on over to Azure Active Directory. This, of course, is more telling of how much coverage Microsoft pays for in trade magazines than anything else and has caused me to explain far too many times that (cue the theme music) Azure Active Directory is not fucking Active Directory in any meaningful sense.
At the end of this highly purgative post, I’m left with some questions that mostly should be posed to the huge corporations that create the software I’m supposed to keep things up and running with, because cruel and unusual is industry standard. One very, very important question is: why the fuck isn’t Azure Active Directory analogous to Active Directory? That’s the most painful question. Look, I know it’s blindfolded-brain-surgery dangerous to expose an AD server to the internet, right? That’s been pounded into our heads since Active Directory was a relatively new thing. Don’t ever allow your AD server out into the world without galoshes and a rainsuit. That’s IT canon. BUUUUUT, the other Microsoft product that was absolutely, positively unsafe to expose to anything but a RADIUS-backed VPN was Exchange, and now Exchange, or at least a distant cousin of it, is out there on the web eating apples full of razor blades and taking Tylenol from open packages all willy-nilly. Obviously O365 isn’t the most secure platform in the world but it only seems to roll over dead a couple of times a week. Why can’t Microsoft spend a few cycles on that sort of work for AD? Oh, because all the traffic transmitted between a client and the AD server is full of delicious data that isn’t well protected. Extra fabulous!
The other non-option would be something like DirectAccess, which is already deprecated, requires the very most expensive edition of both the client and server pieces that it would run on, and only runs on Windows, which is not real-world useful unless you’ve landed a sweet gig at Contoso or Margie’s Travel. That leads me back, all the way back, to the always-on/pre-logon VPN issue, which means more expensive software seats and more moving parts that I can absolutely guarantee will break each and every time the wind picks up, because I’ve foolishly made decisions like that in the past. In the end, I have no fucking answers and I’m feeling like one of those sad photo-op polar bears stranded on a melting mass of ice with nothing to do but wait until the sea eventually consumes me, bringing on the sweet oblivion that erases all of this fuckery.