Hacker News
by tichiian 805 days ago
> There's a reason virtually everyone uses AD.

The reason everyone uses AD is that you can have a functional Linux client in AD. But you cannot have a Windows client in any Linux-based LDAP+Kerberos setup.

The problem isn't that there isn't a good solution for Linux in big organisations, the problem is that Windows is only compatible with AD, nothing else, so the more compatible system (Linux) gets shoved into AD.


Every large organization that I have worked at has a solution for desktop and server Linux. The downside is you typically have a password hash stored in AD or a separate service. Ultimately, it isn't terrible, but you do have a lot of enforcement at the border. So trouble can surprisingly appear when you connect remotely.
AD is also better and more feature complete. It was born out of necessity, but it's had decades of refinement in thousands of deployments that the OSS solutions haven't had.
So, why does Microsoft want to kill AD and move everything to their cloud?
Because AD is a security nightmare. It is a collection of ~30 distinct protocols, e.g. bastardized versions of LDAP, Kerberos, DNS, DHCP, X.509 and a few RPC protocols that are all weirdly intertwined, with 30-year-old designs. Every few months there is another CVE like 'oh, we forgot to checksum and sign that one field over there, please install this incompatible patch or you will have unauthed RCE'. Since all those patches make things break, there are a lot of vulnerable AD installations out there because most people need to be on "compatibility settings" that are insecure. And even the "secure" settings drop a CVE every few months.
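As an added example (not part of the thread or of any commenter's post), the script below reads the registry values behind a few of the AD "compatibility settings" that the comment above refers to, on the local domain controller, and flags the ones still in a permissive state. The registry paths and value meanings are the documented Microsoft ones (the same values the corresponding Group Policy settings write); the list of checks, the severity notes and the `Get-AdHardeningState` function name are this example's own choices.

```powershell
# Added audit script, not from the thread. Run elevated on a domain controller.
# Each entry names a documented registry value, the setting it controls and the
# minimum value that counts as hardened. The Note text is this example's wording.
$Checks = @(
    @{
        Name     = 'LDAP server signing (LDAPServerIntegrity)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Value    = 'LDAPServerIntegrity'
        Hardened = 2   # 2 = Require signing; 1 = None
        Note     = 'Unsigned LDAP binds are accepted; set to 2 to require signing.'
    },
    @{
        Name     = 'LDAP channel binding (LdapEnforceChannelBinding)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Value    = 'LdapEnforceChannelBinding'
        Hardened = 2   # 2 = Always; 1 = When supported; 0 = Never
        Note     = 'LDAPS binds without channel binding token are accepted; set to 2.'
    },
    @{
        Name     = 'LDAP client signing (LDAPClientIntegrity)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
        Value    = 'LDAPClientIntegrity'
        Hardened = 2   # 2 = Require signing; 1 = Negotiate; 0 = None
        Note     = 'Client may fall back to unsigned LDAP; set to 2.'
    },
    @{
        Name     = 'NTLM authentication level (LmCompatibilityLevel)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'LmCompatibilityLevel'
        Hardened = 5   # 5 = Send NTLMv2 only, refuse LM and NTLM
        Note     = 'LM/NTLMv1 responses are still accepted; set to 5.'
    },
    @{
        Name     = 'SMB server signing (RequireSecuritySignature)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value    = 'RequireSecuritySignature'
        Hardened = 1   # 1 = Require signing; 0 = Not required
        Note     = 'Unsigned SMB sessions are accepted; set to 1.'
    }
)

function Get-AdHardeningState {
    # Returns one object per check so the result can be filtered, exported or
    # compared across DCs (e.g. via Invoke-Command) instead of only printed.
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($c.Value) } else { $null }

        # An absent value means the OS default applies; that default depends on
        # the Windows version, so it is reported separately rather than guessed.
        $state = if ($null -eq $current) { 'absent (OS default applies)' }
                 elseif ([int]$current -ge $c.Hardened) { 'hardened' }
                 else { 'permissive' }

        [pscustomobject]@{
            Setting  = $c.Name
            Current  = if ($null -eq $current) { '-' } else { $current }
            Required = $c.Hardened
            State    = $state
            Note     = if ($state -eq 'hardened') { '' } else { $c.Note }
        }
    }
}

Get-AdHardeningState | Format-Table -AutoSize -Wrap
```

The trade-off the comment describes is visible in the output: every setting reported as permissive is one that is usually left that way because some legacy client, appliance or integration still does unsigned LDAP binds, NTLMv1 or unsigned SMB, and raising the value breaks it. Run the function on every DC, since these are per-machine values, and confirm any "absent" result against the documented default for that server's OS version before treating it as safe.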
They want you to move everything to the cloud, for obvious reasons. However, if you have on-prem/non-cloud servers, AD is still in the mix. They actually recommend running an AD DC as a VM in the cloud as a backup and to integrate cloud resources in scenarios that are more complex than Entra and Intune can handle.