想象一个没有Active Directory的世界

What is AD?

什么是广告？

If you live in my world of Tech, Microsoft’s Active Directory (AD) is the cornerstone which underpins your entire Windows Estate. For those of you lucky souls not in the know it’s a place where user accounts, computer accounts, server accounts, user groups, device groups and policies live. We use it in order to access networks (wired and wireless), assign permissions to access share drives or Linux Groups. It stores encryption keys for devices. Without it you can’t connect to the office network, and there may be software or servers you can’t get access to. When it works I sleep like an old dog after a long walk in the countryside, when it doesn’t I develop a thousand yard stare.

如果您生活在我的技术世界中，则Microsoft的Active Directory(AD)是整个Windows资产的基础。 对于您中那些幸运的灵魂，他们不知道这里是用户帐户，计算机帐户，服务器帐户，用户组，设备组和策略存在的地方。 我们使用它来访问网络(有线和无线)，分配访问共享驱动器或Linux组的权限。 它存储设备的加密密钥。 没有它，您将无法连接到办公室网络，并且可能有某些软件或服务器无法访问。 当它起作用时，我在乡下走了很长一段路后便像一只老狗一样睡觉，而当它不起作用时，我会凝视一千码。

Previously on…

以前在…

When we started 2020 we had some fairly low-level objectives to look into, mainly a world where we needed to lose AD. The reasons for having AD are slowly diminishing. Our tech is changing and evolving. For example, people now enjoy Google Drive with a hefty wedge of storage as an alternative to traditional file shares, and that doesn’t require AD Credentials to access.

2020年年初时，我们有一些相当低层的目标需要研究，主要是我们需要失去广告的世界。 患有AD的原因正在逐渐减少。 我们的技术在不断变化和发展。 例如，人们现在喜欢使用具有大量存储空间的Google云端硬盘来代替传统文件共享，并且不需要访问AD凭据。

If I’m being honest, I thought that we’d already put some of our legacy issues to bed by migrating services into AWS, but as some are still AD Dependent, we’re having to re-think those as well.

如果说老实话，我认为我们已经通过将服务迁移到AWS来解决了一些遗留问题，但是由于有些仍然依赖于AD，因此我们也必须重新考虑这些问题。

The issue

问题

If I told you that thinking about a world without AD was a priority for us this year I’d be lying through my teeth. Then something happened in Wuhan and it’s completely changing the way we think about everything. AD is regarded now, for us anyway, as something of a legacy luxury. It’s not that AD is bad, but the problem is the lack of a constant connection to it for around 90% of our End Users, because only 10% of them will be connecting in our corporate network via VPN on a regular basis. In real terms this is something like 1300 Windows Devices that don’t talk to AD on a regular basis.

如果我告诉你，考虑到没有广告的世界是今年对我们来说的优先事项，那我会through之以鼻。 然后，武汉发生了一些事情，这完全改变了我们对一切事物的看法。 无论如何，对于我们来说，AD现在被认为是一种古老的奢侈品。 并不是说AD不好，而是问题在于约90％的最终用户缺乏与它的持续连接，因为只有10％的最终用户会定期通过VPN在我们的公司网络中进行连接。 实际上，这类似于1300 Windows设备，它们不会定期与AD通讯。

A world without AD?

没有广告的世界？

That’s not to say that I can’t imagine a world without AD. When I first came into IT in 1999 Active Directory didn’t even exist. The company I used to work for used something called Novell Netware which was once a big hitter in the IAM, Server OS and Network Management world. At its zenith it controlled 63% of the market. Their technology helped move IT in general away from Mainframe Computing and towards Local Area Networks.

这并不是说我无法想象没有广告的世界。 当我1999年第一次进入IT领域时，Active Directory甚至不存在。 我曾经工作过的公司使用了一种称为Novell Netware的产品，该产品曾经是IAM，服务器操作系统和网络管理领域的佼佼者。 在其顶峰时期，它控制了63％的市场。 他们的技术帮助IT整体上从大型机计算转移到局域网。

Gradually though, Novell lost ground to Microsoft and even at one stage they were even forced to make a Novell Client for Windows, such was their admission of defeat. Ever since about 2000 my life has had AD in it, and no I am not Judge Dredd.

但是逐渐地，Novell输给了Microsoft，甚至在某个阶段，他们甚至被迫为Windows制作Novell Client，这就是他们承认失败。 从2000年左右开始，我的生活中就有AD，而且我不是Dredd法官。

But a world without AD? Basically it meant that we have to start thinking about AD a lot more, and more importantly, how we were going to bypass it if most machines can’t contact it. In the short to medium term we needed a way for machines to live and thrive without it. In the longer term we really need to forget it even exists.

但是，没有AD的世界呢？ 基本上，这意味着我们必须开始更多地考虑AD，更重要的是，如果大多数机器无法联系到AD，我们将如何绕开它。 在中短期内，我们需要一种无需机器就能生存和发展的方法。 从长远来看，我们真的需要忘记它甚至存在。

The Cold Facts

冷事实

We have around 1500 Active Windows devices (not including our Server Estate) at the FT and these machines, when connected to the FT’s Internal network, talk to AD constantly for things like…

金融时报大约有1500台Active Windows设备(不包括服务器资产)，这些机器连接到金融时报的内部网络后，就不断与AD交流，例如……

• Network Authentication, wired or wireless
  有线或无线网络认证
• File Shares and Printers
  文件共享和打印机
• Permissions on hosted applications (Citrix etc)
  托管应用程序的权限(Citrix等)
• User Policies
  用户政策
• Password Expiry Policies
  密码到期政策
• FT Logon Disclaimers
  FT登录免责声明
• Screensaver lock out times
  屏幕保护程序锁定时间
• Computer Policies
  电脑政策
• Network Time Syncing
  网络时间同步
• Software Installation Restrictions
  软件安装限制
• Operating System Activation via a VAMT Server
  通过VAMT服务器激活操作系统
• Client Management (SCCM)
  客户管理(SCCM)
• Windows Patching
  Windows补丁
• Application Installation
  应用安装
• Application Scoping for Self Service
  自助服务的应用范围
• Application Removal
  删除应用
• Lifecycle Maintenance
  生命周期维护

All of these things are done silently in the background each and every time an employee connects to the FT’s Internal Network. It makes things run smoothly and keeps me sane.

每当员工连接到《金融时报》的内部网络时，所有这些事情都会在后台静默进行。 它使事情运行顺利并使我保持理智。

In the current world, very few machines enjoy this luxury and it poses us some annoying interesting challenges

在当今世界，很少有机器能享受这种奢侈，这给我们带来了一些烦人的有趣挑战

For challenging times, make it Suntory times…

对于充满挑战的时代，请使其成为三得利时代…

The current situation means that we certainly can’t take AD for granted anymore, especially constant access to it. Everyone now works from home with dogs, cats, kids and dinosaurs who are fought to the death during Google Hangouts by wilful 3 year olds, schooled on a semi-dangerous diet of Neo-Liberal parents, Anzac Biscuits and Tekken.

当前的情况意味着我们当然不能再将AD视为理所当然，尤其是不断获得它。 现在，每个人都在家中与狗，猫，孩子和恐龙一起工作，这些狗，猫，孩子和恐龙是在Google环聊中被3岁的任意年龄的孩子打死的，他们接受了新自由派父母，Anzac饼干和《铁拳》的半危险饮食。

Not everyone connects in via VPN. The FT has a limit of 500 concurrent connections and we estimate that only 10% of Windows users connect via VPN at any given time.

并非所有人都通过VPN连接。 FT有500个并发连接限制，我们估计在任何给定时间只有10％的Windows用户通过VPN连接。

From mid March this year pressing and immediate challenges we had were…

从今年三月中旬开始，我们面临的紧迫和紧迫挑战是……

• How do you enforce policies? Once everyone was working from home, we changed some policies as they seemed to be far more relevant when people where in the office — but to do that, we needed to be able to apply the changes:
  您如何执行政策？ 一旦每个人都在家工作，我们便更改了一些政策，因为它们似乎在办公室中的人们相处时更为相关，但是要做到这一点，我们需要能够应用更改：
• Screensaver lockout was extended from 5 minutes to 20 minutes
  屏幕保护程序锁定时间从5分钟延长至20分钟
• User password expiry policy was extended from 90 days to 180 days
  用户密码有效期从90天延长到180天
• Setting time on machines without them getting the time from on site domain controllers
  在机器上设置时间，而无需从现场域控制器获取时间
• How do you install new software?
  您如何安装新软件？
• How do you re-invent software installs that reference internal servers or are scoped via AD User groups?
  您如何重新发明引用内部服务器或通过AD用户组确定范围的软件安装？
• How can you work without VPN?
  没有VPN怎么办？
• How do we patch machines off the network?
  我们如何将计算机从网络上打补丁？
• How can we do this without the luxury of local distribution caches?
  没有本地分发缓存，我们如何做到这一点？
• What else to do we need to consider?
  我们还需要考虑什么？
• What automated maintenance tasks need to be reviewed and modified? For example SCCM itself, being a server, still talks to AD regularly and imports computer objects from. It also deletes inactive ones. What makes an active device an inactive one, you ask? 90 days of not talking to AD.
  需要审查和修改哪些自动化维护任务？ 例如，作为服务器的SCCM本身仍定期与AD对话并从中导入计算机对象。 它也删除不活动的。 您问什么使活动设备变为非活动设备？ 90天不与AD交谈。

We are luckier than most companies that at the FT we have spent good money on a couple of good Client Management Tools. We have SCCM for Windows and JamF for Macs.

我们比大多数公司都幸运，因为我们在《金融时报》上已经花了很多钱买了几个优秀的客户管理工具。 我们有适用于Windows的SCCM和适用于Mac的JamF。

We also have a public facing SCCM Management Server (which we thankfully fixed with Microsoft’s help in Mid March) as well which lets us serve and control the flow of Microsoft Updates (the part that was broken) and software installations without the need for computers to connect to our internal network. Did we ever think it was capable of serving up to 1300 Windows machines? No.

我们还拥有面向公众的SCCM管理服务器(谢天谢地，在3月中旬我们通过Microsoft的帮助对其进行了修复)，它使我们无需计算机即可提供和控制Microsoft Update(已损坏的部分)和软件安装的流程。连接到我们的内部网络。 我们是否曾经认为它能够支持多达1300台Windows计算机？ 没有。

Ordinarily we’d package up updates and Software in the traditional manner. To an extent we still do but now we don’t send this out to all distribution points to save on bandwidth.

通常，我们会以传统方式打包更新和软件。 在某种程度上我们仍然会这样做，但是现在我们不将其发送到所有分发点以节省带宽。

The biggest issue we really faced was how we deliver policies to our computers. In the end the broken SCCM Internet Facing server pointed us in the right direction as it was still serving Software Updates. We created registry modifications and packaged them as Applications which were then delivered in SCCM and scoped to a Device Collection of machines that don’t connect to the FT via VPN subnets. We’ve learned to love SCCM a little bit more since lockdown. We’ve even become much better at creating SQL Queries.

我们真正面临的最大问题是如何向计算机交付策略。 最后，坏掉的SCCM Internet Facing服务器为我们指明了正确的方向，因为它仍在提供软件更新。 我们创建了注册表修改，并将其打包为应用程序，然后将其打包到SCCM中，并运用于未通过VPN子网连接到FT的计算机的设备集合。 自锁定以来，我们已经学会了更爱SCCM。 我们甚至在创建SQL查询方面变得更加出色。

Future Times

未来时代

So what does the future hold for AD at the Financial Times? It’s obviously still going to be around in some form as the FT still runs many services that are dependent on AD, that aren’t dying off anytime soon, or where the end user has to be in a particular group in order to use applications hosted on internal servers and/or in the Cloud. But we need to plan for Remote Working as the new norm. This includes reviewing recently migrated services which have been “Clouded” but still have that all important link back to AD.

那么在《金融时报》上广告的未来将如何发展？ 显然，它仍然会以某种形式出现，因为FT仍然运行许多依赖于AD的服务，这些服务不会很快消失，或者最终用户必须位于特定的组中才能使用托管的应用程序在内部服务器和/或云中。 但是我们需要计划将远程工作作为新规范。 这包括查看最近迁移的服务，这些服务已经“云化”，但仍然具有所有重要链接回AD。

We want to swap Microsoft SCCM for Microsoft Intune (as it can host machine and user policies) and Microsoft Autopilot (so we can host our OS Builds in the cloud and configure laptops just from entering a user name and password). That needs a directory service in the Cloud so that might well be Okta. For magazine file shares we’d be looking at Adobe Cloud rather than the current proposed solution of EC2 and EBS in AWS. There will come a time when FT employees will be logging into their Mac or Windows device with an Okta logon prompt.

我们希望将Microsoft SCCM换成Microsoft Intune(因为它可以托管计算机和用户策略)和Microsoft Autopilot(以便我们可以在云中托管OS Build，并只需输入用户名和密码即可配置笔记本电脑)。 那需要在云中的目录服务，所以很有可能是Okta。 对于杂志文件共享，我们将关注的是Adobe Cloud，而不是当前在AWS中提出的EC2和EBS解决方案。 有时，FT员工会使用Okta登录提示登录其Mac或Windows设备。

That’s where we’re heading eventually. It might take a tactical hybrid solution implementation along the way, but we’ll get there.

那就是我们最终要去的地方。 在此过程中可能需要战术混合解决方案的实施，但我们会到达那里。