Comment by stego-tech
9 days ago
As someone who built an IT career on Microsoft’s entire suite, only to recently (past six years or so) migrate wholesale to macOS (endpoint) and Linux (server), I can definitely say MS’ best days are behind it. 2000 was rock solid, Server 2003 had some growing pains (mainly the transition to x64 and multi-core processors), and 2008 fully embraced the long march into irrelevance even as it tried to shake up the hypervisor space. Now the company is so obsessed with arbitrary and unnecessary feature creep and telemetry-as-surveillance that I’m loath to recommend it when I don’t have to.
Honest to god, if an IdP like Okta made an Active Directory replacement that ran via container instead of a full-fat VM or appliance template, I’d gladly toss ADDS out the window with all its stupid CALs. Basic directory functionality in 2025 shouldn’t require a bloated ADDS/LDAPS virtual machine to run, especially with the move to cloud providers for identity. If you make it easier to do identity without ADDS, you remove Microsoft’s major trojan horse into the enterprise - and M365’s as well.
> Honest to god, if an IdP like Okta made an Active Directory replacement that ran via container
https://goauthentik.io/ can run in docker. It can be paired in with openldap containers, too.
If Okta made an AD replacement, they’d charge for each extra attribute beyond fullName, firstName, surName, and drink.
Identity Admins don’t let Identity Admins buy into Okta.
You’re not wrong, but depending on the org size those charges are still cheaper than Windows Server + CALs.
Ideally though, it’d be like Okta in that its core directory is in the cloud, but also like ADDS/LDAP in that local servers/objects can join to a domain via local containers posing as domain controllers.
Yes, I know modern device management and cloud-based IdP means the need for a directory is decreasing by the day, but Enterprises still want it for ease of user and computer management via a centralized database of sorts. Having someone, anyone offer me a leaner way of achieving this without a crusty LDAP deployment or expensive Windows Server + CALs, would be hugely appreciated.
Okta was going to charge us $6/user/month just for MFA. So I migrated my company to Azure AD with free MFA. We still had AD DS in the mix, but endpoint management was moving to cloud w/ Autopilot + Intune.
An on-prem AD DS is going to be difficult to move away from. From a management cost perspective, it is still cheaper than every other LDAP + Kerb + endpoint policy solution out there. And since a CAL is provided with every copy of Windows Enterprise, thinking about CALs for clients is a non-issue.