Rethinking Active Directory, Microsoft centric networks and everything


There’s still a lot of confusion about what a network should look like when there’s no longer a need for a server. Historically businesses bought a server when they found themselves with the need to share and standardize. But if you’ve moved to an Office/Microsoft 365 suite and you’ve got Windows 10 computers what should the new network look like? It’s time for a rethink on network design.

The network today

For the sake of this article let’s say you manage a business that is using an Office/Microsoft 365 Business or Enterprise plan, all of its major applications are in the cloud, and it’s now just Active Directory, files, printers and policies that occupy the server. Businesses that have reached this state are probably small and are using QuickBooks or another common accounting package. As most businesses around the world are small, some 90+% of them, this scenario is the most common one out there.

traditional network design

In the picture above we see a pretty standard network where the firewall separates the outside from the inside. It’s how most well managed networks are designed.

We used to joke about businesses that are set up like giant home networks, for their lack of organization, planning, features and security. Obviously the IT department (if they had one) didn’t understand basic networking standards. But now those standards have changed. We’re not headed into home networking but instead toward a new concept of cloud-enabled business infrastructure.

Changing our minds

We are creatures of habit and comfort. So the inclination is to simply look at what you’ve got and assume that you need it. But the world of IT infrastructure is new again. We must look at this with eyes wide open to new concepts of how the cloud works and what it means for managed networks.

Microsoft has built Azure from the ground up and has not tried to recreate on-premises networks in the cloud the way a simple hosting solution might. Therefore what you’re going to find is that there is no direct one-to-one feature mapping when you look at how you’re going to move things to the cloud. I’ve seen people try, and they end up with a forced, expensive situation. The cloud was not built for individual businesses to run servers in. The better course is to adopt what it is and modernize your approach to infrastructure. When you signed on for the Office/Microsoft 365 suite you agreed, perhaps unintentionally, to chart a new and very particular course.

Our new networks look more like the image below where everything is connected directly to the Internet and the security and management happens in the cloud.

Following the course that’s been set

In our example, let’s say that we’ve moved our email up as the first part of the migration. This means that we’ve modified DNS, Outlook is using Autodiscover to configure itself, we have a lot of new applications available to our users, and Azure AD is actively authenticating our users, at least for Outlook.

The next step in the plan is to get those files migrated, and this is usually when the IT staff has that awakening moment: there’s no group policy and there are no mapped drives. They stumble or stop, because surely a managed network can’t exist without those things.

But it can.

Mapping the old ways to the new

Keep in mind that we aren’t recreating the on-premises network in the cloud; we are adopting the ways of the cloud. Let’s map out where our tools are.

Join domain = Connect to Azure AD

Only Windows 10 devices can connect to Azure AD. Since Azure AD is all about authentication, this allows Azure to authenticate that your devices are who they say they are.

Mobile devices are phones and tablets = Everything is mobile

Most small businesses have historically ignored mobile devices, so managing them is a new concept. This may be hard to fathom, but Microsoft considers Windows 10 to be a mobile platform. So everything is considered mobile and is managed as such. Once you can internalize this, the decentralization of management begins to make a lot more sense.

Updates are managed = Updates happen

This naturally follows once you adopt the concept that all Windows 10 devices are mobile devices. With your applications in the cloud, incompatibilities should be rare. Microsoft does offer a couple of update frequencies, but at the rate malware writers are going these days you’ll do best to adopt the fastest cadence possible.

Printers are mapped = Printers are discovered

Windows 10 will automatically discover printers on the network it is attached to, install the drivers, and remember to set as default the printer you last used on that network.

Group Policy = Intune

Using Intune you can push software (including MSI, EXE, Apple and Android packages) and set baseline security and configuration policies. You can use the built-in policy wizards or make your own registry changes, push scripts, or a mix of all of the above.

Mapped drives = Sync or Connect

Mapped drives give users that warm fuzzy feeling that everything is kept in the M drive (for example). But starting with Windows 7 and the introduction of libraries, users no longer had to be concerned with where something was; they just needed access to it. So they no longer needed a drive letter, or several drive letters, to get to something. Today SharePoint document libraries are connected and OneDrive folders are synced, from the user’s own collection or from others’.

Redirected Folders = Known Folder Sync

Many businesses redirected folders to be sure to capture data that users might leave on the desktop or save to their Documents folder. OneDrive for Business now captures that data through Known Folder Sync.
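As an added example (not from the original post), here is how the Intune and Known Folder Sync mappings above come together: a PowerShell script you would assign to devices through Intune to set the OneDrive client’s Known Folder Move policy values in the registry, replacing the folder-redirection Group Policy. The registry key and value names are the OneDrive client’s documented policy settings; the tenant GUID is a placeholder you must replace with your own Azure AD tenant ID.

```powershell
# Added example, not from the original post: an Intune-assigned PowerShell script
# that enforces OneDrive Known Folder Move by policy (the cloud replacement for
# redirected folders). Intune runs it as SYSTEM in a 64-bit host by default, so
# HKLM:\SOFTWARE\Policies resolves to the real (non-WOW64) policy hive.

$TenantId  = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your Azure AD tenant GUID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Desired state: silently move Desktop/Documents/Pictures into OneDrive for Business,
# tell the user afterwards, block opting back out, and sign OneDrive in with the
# Azure AD account the user already signed into Windows with.
$Desired = @{
    KFMSilentOptIn                 = $TenantId   # REG_SZ: tenant the known folders move to
    KFMSilentOptInWithNotification = 1           # REG_DWORD: notify the user after the move
    KFMBlockOptOut                 = 1           # REG_DWORD: hide "Stop protecting" in the client
    SilentAccountConfig            = 1           # REG_DWORD: configure OneDrive with the Windows sign-in
}

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Make the script idempotent: Intune re-runs scripts, so only write values that differ.
$changed = @()
foreach ($name in $Desired.Keys) {
    $value   = $Desired[$name]
    $type    = if ($value -is [string]) { 'String' } else { 'DWord' }
    $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $value) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $value -Type $type
        $changed += $name
    }
}

# Intune records stdout and the exit code, so report clearly for the portal.
if ($changed.Count -gt 0) {
    Write-Output "Updated OneDrive KFM policy values: $($changed -join ', ')"
} else {
    Write-Output 'OneDrive KFM policy already in desired state'
}
exit 0
```

The OneDrive client picks the values up on its next policy refresh or sign-in, and you can confirm the outcome per device from the script status Intune reports.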

My network is secured at the edge = My network is secured by authentication

Windows has had its own firewall, which is very good at keeping the outside out, for many years. But now that your data isn’t on premises, where is the edge? It’s your users, the very people we’ve long considered to be the weakest link. Luckily Azure has some new tricks that have expanded authentication to mean not only the username and password but also the device, the location, and other indicators that match a user’s normal pattern of activity. And it has new tricks that keep the password from being passed between the directory and the devices.

Which brings me to security. Anyone who is worried about security in the cloud hasn’t taken a good look around. The cloud has brought so many additional security features that figuring out which ones to implement is more the problem than deciding how you are going to protect individual items. Between encrypted files, email, authentication enhancements, file protections, and layers of malware detection, our new networks are many layers more secure than they ever were on-premises.

The biggest hurdle yet

The biggest hurdle that I see in the redesign of these networks is awakening business owners, managers and staff to the necessity of training. It’s not just IT staff that needs to rethink how they go about their work, learn new tools and change their behavior. The staff needs to do the same. This new world puts them at the forefront of protecting the intellectual property of the business. It’s a role that they haven’t had to put much thought into previously. The work was done for them, but now they need to understand the difference in safety between network connection types, how to keep personal and business data separate in an era of BYOD, and how to encrypt content and place it in the correct context.

There’s a lot of work to be done on all fronts. Migrating to the cloud isn’t as simple as it first seems, but neither is it daunting. With the right leadership coming from IT, businesses will be set to reap the benefits that the cloud promises.

_________________

Make your IT business better than the competition. IT Pro Helpdesk, TechYourBooks, Super Secret News, Women in IT Scholarship program, Ransomware Prevention Kit and more. https://www.thirdtier.net
