• Riskable@programming.dev
    link
    fedilink
    English
    arrow-up
    7
    ·
    11 months ago

    The granularity of AD doesn’t scale though. I work for a huge bank and trying to get something changed in Group Policy is basically impossible. Making it even the tiniest bit bigger (e.g. adding a single new rule) will slow down every goddamned PC and VM in the entire organization. It adds up to real money lost real fast.

    Not only that but some changes to GPOs can break things that you didn’t foresee so the general wisdom is, “don’t ever change it.” Rendering that whole “granularity” argument moot. What good is granularity if you can’t even use it?

    Also, getting AD to scale to the size required the help of Microsoft. They had to change AD for us many times because the way it replicated certain things just does not scale past around 20,000 desktops (if memory serves). They gave us custom DLLs that run on our DCs to keep things operating reasonably smoothly but their lack of support on non-Windows platforms is a perpetual problem.

    If literally every single computer in your company is Windows you’ll be fine. However, as soon as you start trying to connect your Linux servers to AD everything starts getting really fucking complicated and troublesome real fast.

    Microsoft made a lot of mistakes when they were designing AD but the biggest one was making it intentionally proprietary in so many ways. It prevents us from adopting it more. If AD actually worked with everything we’d be paying Microsoft a lot more in licenses every year.

    Aside: Their second biggest mistake with AD was allowing groups to be placed in other groups. This made it so that “simple” administration of your policies and access controls goes from a single lookup to a lookup to the power of n groups. It doesn’t scale at all and exponentially increases network traffic and load on domain controllers.

    LDAP + Kerberos running on Linux servers doesn’t have this problem because it doesn’t allow it (intentionally, because it’s stupid).

    Oh man, I’m thinking about it now and AD just makes me so upset, haha. It’s such a poorly engineered product. Don’t give it more credit than it’s due. It works fine for small organizations but that does not mean it’s a good product.