AD turns 17 this year. That’s a long darn time for a directory service, and you might wonder how much life it’s got left in it. Oh, I don’t mean as in, “Windows Server 2018 is going to eliminate AD!!!!” No. Whatever happens with AD will be an evolution, not a revolution. And I’m not even sure Microsoft has a firm marching plan on this – I think they’re kind of playing it by ear.
But it’s fun to look at what they’re doing, and guess where they might go next.
First, Microsoft has increasingly been breaking down larger, monolithic services into smaller, point services. AD today performs a variety of functions – authentication, a degree of authorization, a kind of configuration management, a literal directory, and so on. I could definitely see those being broken out.
Configuration management is the easiest one to imagine. Rip Group Policy right out and replace it with Desired State Configuration. Oh, not the DSC you know today – no, no. DSC with a smarter Pull Server that can assemble multi-part configurations based on of-the-moment criteria – just like Group Policy does as it assembles GPOs today, but with far greater reach than just the registry and handful of other things GPPs can touch. This wouldn’t even be all that noticeable to users, and barley noticeable to admins. Slap a nice Policy Editor GUI on top of it all, and you’d never need to really know that the policies were in a MOF file instead of an ADMX or whatever. This’d be easy.
Next I think you’ll see your on-prem domain controllers become subordinate to your in-the-cloud Azure Active Directory. That is, you’ll manage your directory in the cloud, which will then replicate down to the office for people to authenticate against. Very small businesses might opt out of an on-prem DC entirely. Yeah, there’ll still be some edge cases that need an offline, on-prem DC for whatever reason (“we don’t have Internet in the coal mine”), but those are called “edge cases” for a reason. This main-directory-in-the-cloud will make identity federation a lot easier and more transparent, since Microsoft will do all the hard work to make it function. Again – largely transparent to users, minimal changes daily processes for admins, but an important structural change. It’s kind like when Apple switched from the Mac being the “digital hub” to their cloud being your hub, and your Mac simply being another device attached to the hub, rather than the center.
Various on-prem options could be brought into play for integration. Deploy an on-prem agent to sync local HR data to Azure AD, for example. That kind of thing. You’d never need to worry about “losing” your directory, because it’d live in a highly resilient cloud. Schema extensions? So 10 years ago. Like, I think even Exchange Server wishes it hadn’t gone that route. Something like an on-prem AD AM could be deployed to accommodate that, if needed.
This certainly fits the model Microsoft has been moving toward: C&C in the cloud, telling on-prem resources what to do. Microsoft’s gone all-in on “hybrid,” that way, to a degree that other cloud vendors haven’t. And, truthfully, can’t.
As the centerpiece of your network, AD plays a crucial role that we all too often don’t think about, because it more or less “just works” all the time. So it’s interesting, for me, to think about where it might go next. Yeah, there’re challenges to be solved – PII issues, for example – but those are solvable. Remember, we’re not looking at what Azure AD is today; we’re thinking about what it, and AD itself, might become.
What do you think might happen?