Top Seven Challenges with Active Directory

Microsoft Active Directory (AD) is a reliable, scalable solution for managing users, resources and authentication in a Windows environment. However, like any software tool, it has limitations that can be difficult to overcome. Here are the top seven challenges with Active Directory and some options for addressing them:

Challenge #1. Active Directory depends on Windows Server.

Although Active Directory is compliant with Lightweight Directory Access Protocol (LDAP), there are many enhancements, extensions and interpretations of the LDAP specification. Software vendors sometimes choose to implement optional aspects of LDAP that are not supported by Active Directory, so using their products in an AD environment is difficult. For example, it is technically possible to implement Kerberos on Unix and then establish trusts with Active Directory, but the process is difficult and missteps are frequent. As a result, many organizations feel forced to limit themselves to Windows-based systems.

Challenge #2. High license and maintenance cost.

Microsoft uses client access licenses (CALs) for the Windows Server OS that underlies Active Directory. Since Windows Server 2016, Microsoft moved to per-core licensing: Pricing now starts at $6,156 for servers with two processors with eight cores each; the cost doubles if you use processors with 16 cores. That can be hard to swallow, especially given that Open LDAP and ApacheDS are both free of charge.

Challenge #3. Inconvenient logging and auditing.

Many things in Active Directory need proper logging, monitoring and analysis. For example, you need to be able to stay on top of critical errors and changes to AD objects and Group Policy, since they can affect both performance and security. But AD logs are very technical in nature, and finding the data you need requires tedious manual searching and filtering or advanced PowerShell scripting skills. Similarly, alerting and reporting is possible only through a combination of complicated PowerShell scripts and Task Scheduler. Each event log is capped at 4GB, which can lead to fast log overwrite and loss of important events. Finally, the PowerShell search engine is outdated so its performance is poor; for instance, every time you read records filtered by time, it reads the entire event log sequentially, record by record, until it finds the record you requested. This forces companies to integrate SIEM and Active Directory auditing solutions in order to ease log storage and analysis processes, spending money on things that could have been included in AD by design.

Challenge #4. AD crashes lead to network downtime.

When your AD is offline, you will experience the following issues:

  • Users will be disconnected from file shares as soon as their authentication session expires, usually within a few hours.
  • Software or hardware that relies on Active Directory authentication (such as IIS sites and VPN servers) will not let people log in. Depending on the setup, it will either immediately kick current users off or keep existing sessions until logout.
  • Users will be able to log in to computers they used recently, because they will have a cached password or authentication ticket. However, anyone who hasn’t used a given PC before, or last used it a long time ago, won’t be able to log in until the connection to the DC is restored. Eventually, nobody will be able to log in with a domain account, because the cached authentications will expire within a few hours.
  • Active Directory servers often play the role of DNS and DHCP servers. In that case, while AD is offline, computers will have trouble accessing the internet and even the local network itself.

To avoid these issues, best practices recommend having at least two Active Directory DCs with failover in place. That way, if one dies, you can just reinstall Windows Server on it, set it up as a new DC in an existing domain, and replicate everything back, with no downtime at all. However, this does incur extra expense for both hardware and AD licensing.

Challenge #5. AD is prone to being hacked.

Because Active Directory is the most popular directory service, there are a lot of techniques and strategies to hack it. Since it cannot be located in a DMZ, the AD server usually has an internet connection, which gives attackers the opportunity to get at the keys to your kingdom remotely. One particular weakness is that Active Directory uses the Kerberos authentication protocol with symmetrical cryptography architecture; Microsoft has already patched many of its vulnerabilities, but new ones continue to be discovered and exploited.

Challenge #6. AD lacks GUI management capabilities.

Microsoft bundles several utilities with AD, such as Active Directory Users and Computers (ADUC) and Group Policy Management Console (GPMC), to help organizations manage data and policies within the directory, but these tools are quite limited. For example, inserting object parameters in bulk requires PowerShell scripting; there is no alerting; and reporting is limited to exporting to a .txt file. AD delegation capabilities are also limited, so organizations often resort to splitting up domains to create boundaries for administrative access, which creates a directory infrastructure that is cumbersome to manage. To work around these issues, organizations often use third-party solutions that enable them to manage AD in bulk and control who can administer what in a more granular manner than the native AD tools. This gives them better control over identity and object access management and account management. Third- party AD management tools can automate operations around the creation, removal, modification of accounts, groups and Group Policy, as well as help with account lockout investigations.

Challenge #7. AD does not provide a self-service portal for end users.

It often makes sense to allow users to perform certain actions themselves, such as editing their own profiles and resetting their passwords if they forget them. However, Active Directory requires administrative access for these operations, so employees are forced to call the IT help desk to resolve their minor problems, which delays business workflows and drives up helpdesk costs. All these problems can be resolved via additional self-service management tools, but this is another item in the budget, on top of what you have already paid for AD.

Active Directory is a great tool, and it is still evolving, albeit slowly. If you want to integrate Active Directory into your environment, know that you will spend a big chunk of your budget on it, and even more if you want better AD management and reporting functionality. Obviously, system administrators can write custom scripts or programs to work around the shortcomings of native tools, and automate and improve AD management using scripting interfaces and frameworks provided by Microsoft or other parties. However, it takes advanced skills and a fair amount of time to write, maintain and run the scripts, and to work through their output to get actionable intelligence, which can lead to delayed response to serious security issues. And of course you’re still subject to basic AD limitations like log file overwrites and lack of delegation. Turnover.

As a result, many organizations turn to third-party solutions that improve and automate AD auditing, management and reporting. Look for a solution that delivers visibility across your entire infrastructure, including not just AD but Exchange, file servers and SharePoint, and also integrates with SIEMs and Unix and Linux systems. Be sure it enables you to control who can administer what in a more granular manner than native AD tools, and automates operations around the creation, removal, modification of accounts, groups and Group Policy. Add bonus points if the solution offers self-service capabilities. And of course make certain it can capture and store a complete audit trail for years to support security investigations and comply with regulatory requirements.