The poor Director server role. No longer needed by Teams, its primary function usurped by Azure AD for Office 365…Microsoft’s march into the future seems to have passed right by it.

Now, this is not the first time Microsoft has left a server by the digital wayside. But I have a special place in my heart for Directors. I like the concept, and what it embodies. Looking at the Skype for Business/Teams ecosystem now, I thought Directors would join Microsoft Bob and Small Business Server on the trash heap.

But I found a little light instead…one instance where it does still make sense to deploy Directors in today’s world. Let’s find out what that is!

What a Director Does, and How Skype for Business Changed Around It

I first wrote about the Director way back in 2012: What’s the Director For?
I characterized it as a sentry on the castle walls, permitting only legitimate Lync/Skype for Business users entry.
That’s what a Director does—it provides authentication for users, so the Front End Server/Pool doesn’t have to. The Front End carries on with facilitating calls, Meetings, etc. while the Director handles authentication.

Now, the Front End CAN handle authentication requests as well. It never needed the Director. Having a Director server/pool helped in two ways:

  1. Ease congestion on the Front End Server/Pool, which often translates to better call quality & Meeting stability.
  2. Defend against DoS attacks targeting the Skype for Business Server. Not a common threat, but a growing one in recent years.

So the analogy still holds. You can still use a Director as a sentry, defending your Skype for Business deployment.

The Director Role and Offloading Authentication in Skype for Business 2015 – IT Pro Today

Director as Authentication Sentry
You shall not pass! …unless you brought me a treat!
Photo by Kenan Süleymanoğlu on Unsplash

But what if the deployment structure changes?

Which is what Microsoft’s done. By first offering a Hybrid deployment option with Office 365, then introducing Teams and beginning to fold Skype for Business Online into it, Microsoft’s slowly pulling the rug out from under Directors.

What about authentication requests though? How will Teams and Office 365 manage all those requests in your tenants?

Skype for Business Hybrid and Teams: Director’s Role Usurped

Since Office 365 tenants handle authentication through Microsoft’s cloud-based Azure Active Directory, they don’t need on-prem authentication from a Director. But what about hybrid deployments?

In most hybrid configurations, authentication’s done through on-prem Active Directory and Azure AD. Azure AD syncs to your on-prem Active Directory server, providing a built-in failsafe. Directors become superfluous.

However, Directors are still mentioned as a possible hybrid topology component on Microsoft’s Plan hybrid connectivity between Skype for Business Server and Skype for Business Online page:

To configure your deployment for hybrid with Skype for Business Online, you need to have one of the following supported topologies:

  • A mixed Lync Server 2013 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:
    • At least one Enterprise Pool or Standard Edition server
    • The Director Pool associated with SIP federation, if it exists
    • The Edge Pool associated with SIP federation
  • A mixed Lync Server 2010 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:
    • At least one Enterprise Pool or Standard Edition server
    • The Director Pool associated with SIP federation, if it exists
    • The Edge Pool associated with SIP federation for the Site
  • A mixed Lync Server 2010 and Lync Server 2013 deployment with the following server roles in at least one site running Lync Server 2013:
    • At least one Enterprise Pool or Standard Edition server in the site
    • The Director Pool associated with SIP federation, if it exists in the site
    • The Edge Pool associated with SIP federation for the site

“If it exists.” In other words, the Director is not critical to these hybrid topologies.

What about Teams? Since Teams will absorb Skype for Business Online anyway, does Teams need a separate authentication server?

No. It’s not designed that way. Even if it was, as a fully cloud-based application, Azure AD will handle the authentication. A Director isn’t listed anywhere in the Teams dependencies for guest access…only Azure AD.

(Whether or not Azure AD handles guest accounts & user expansion WELL is up for debate…but we’ve talked about that already.)

Director on guard duty
Yeah, the fence keeps people out. But I still hang out here, in case someone climbs over it…
Photo by Elizabeth French on Unsplash

It’s safe to say that for Office 365 and Teams, Azure AD usurped the Director’s role. That leaves us with one other potential use: the upcoming Skype for Business Server 2019.

Directors Going Away? Not Quite. Not Yet.

The Director sees a tidbit of salvation in our next on-prem Skype for Business Server. Ever-knowledgeable Tom Arbuthnot hints at the Director staying in Skype4B Server 2019, citing it under the 2019 System Requirements on his blog: Skype for Business Server 2019 Public Preview, What’s New, What’s Gone? – Tom Talks

Edge Servers, standalone Mediation Servers, and Director: 6-core, 2.4 gigahertz / 16GB RAM / 8 or more 10000 RPM disks or SSD / Gig NIC/ dual Gig NIC for Edge

These may seem steep. But they’re almost identical to Front End Server requirements; the only exception is that Front End needs 64 GB RAM.

I can see many admins using these requirements to justify dropping Directors from their 2019 deployments. In truth, our IT Consulting team hasn’t installed a Director in any Skype for Business deployments (on-prem or hybrid) since early 2017.

However, after some discussion and brainstorming, I realized the Director is in Server 2019 for a reason. One Skype for Business topology does exist where a Director helps.

The One Deployment Topology Where a Director (Still) Makes Sense: Director on Guard

Here’s my “Director On Guard” topology. The deployment must meet all of the following characteristics:

  • Enterprise business
  • Installing Skype for Business Server 2019
  • Fully on-prem
  • More than 2 office locations
  • 1,000+ users
  • The company has suffered a cyberattack in the past

Why these? I’m so glad you asked.

  1. An enterprise business will want the control and security they can exert over data trafficked within Skype for Business. This also gives them control over their phone system.
  2. More than 2 locations means branch servers to maintain the call network. More than 1,000 users means thousands of authentication requests every single day.
  3. A cyberattack? Nothing makes cybersecurity more important than suffering a cyberattack. (I wish this on NOBODY, but it’s a tragic reality of our world.)

In this case, the Director serves a purpose. It performs its original function of handling authentication requests, taking load off the Front End pool and preserving bandwidth. All worthwhile performance goals, which makes IT look good to the budget-conscious C-suite.

A Director also provides an additional guard against cybercriminals. Post-cyberattack security improvements go a long way toward securing the network and user workstations. The Director performs a similar role within the Skype for Business ecosystem—a central component of the enterprise business’ communications.

It’s doing its time-honored job…being a silent sentinel, ready to admit those who have authorization, and defend against those who do not. Hence my terming it, “Director on Guard.”

If we don’t get an on-prem Skype for Business version after 2019, it’s likely the Director role will fade with it. That’s okay…it’s done its job. But for now, don’t count the Director out yet. With cyberattacks on an upward swing, all systems need protection. Including Skype for Business.

Do you still use a Director in your Skype for Business deployment?

 
