This is the ultimate FAQ for Microsoft Active Directory — built to answer all of the most frequently asked questions about the legacy, on-prem directory service. We’ll get into the what, when, why, who, and how of Microsoft Active Directory — otherwise known as AD or MAD.
AD is both widely used and widely misunderstood. Developed by Microsoft in the late 1990s, AD is the world’s most well-known on-prem directory service or often referred to as an identity provider (IdP). AD ushered in the era of modern identity management in the early 2000s, but with a shifting IT landscape there are a number of questions that IT admins and organizations have about just what AD is, how it works, and why it matters.
We’ve identified some of the most common questions about Active Directory and answered them below.
Active Directory Basics
What is Active Directory?
Active Directory is a directory service / identity provider that enables administrators to connect users to Windows-based IT resources. Further, with AD, IT can manage and secure their Windows-based systems and applications. AD stores information about network objects (e.g. users, groups, systems, networks, applications, digital assets, and many other items) and their relationship to one another.
Admins can use AD to create users and grant them access to Windows laptops, servers, and applications. They can also use AD to control groups of systems simultaneously, enforcing security settings and software updates.
Access and controls are done using the concept of a domain. The domain concept is essentially a concept of inclusion and exclusion. Traditionally, this approach was leveraged for physical locations. Historically, many IT resources were hosted on-prem and as a result they were a part of the domain – i.e. internal network – and when a user was in the physical location they would have access to all of their requisite resources on-prem. If a user was off-prem, they would need to VPN in to make it appear that they were on-prem. This approach worked well when IT resources and people were in the same physical proximity.
AD is part of the wider Identity and Access Management (IAM) space and is often supplemented with single sign-on (SSO) or MDM (mobile device management) solutions among many others. JumpCloud Directory Platform is a cloud-based alternative to Active Directory.
Get a more in-depth definition of Active Directory with “What is Active Directory, Anyway?”
When was Active Directory released?
Microsoft first introduced the world to Active Directory in 1999 and released it alongside Windows® 2000 Server edition.
What protocols does AD use?
Active Directory takes advantage of the networking protocols for DNS/DHCP and the Lightweight Directory Access Protocol (LDAP), alongside Microsoft’s proprietary version of Kerberos for authentication.
Many people ask why AD doesn’t natively support more protocols, such as SAML and RADIUS. We won’t speculate on their reasoning, but we do believe that a multi-protocol approach is the future of IAM. Support for protocols such as SAML and RADIUS can be accomplished through Microsoft add-on solutions as well as third party solutions.
Why is Active Directory called active?
Our best guess is that AD is called Active Directory because it actively updates information stored in the directory. For example, when an administrator adds or subtracts a user from the organization, Active Directory automatically replicates that change to all of the directory servers. This happens at a regular interval so that the information always remains up-to-date and synchronized.
Today, this “active” type of behavior is expected in IT systems. But, before the era of computerized directory services, the concept of a directory that kept itself up to date was pretty innovative. Keep in mind that when the Active Directory moniker was coined, physical encyclopedias were still commonly used and the “active” Wikipedia hadn’t yet launched.
Who uses Active Directory?
Generally speaking, when an organization leverages Active Directory, every single employee uses Active Directory every day without even knowing it. People use Active Directory when they log in to their work machines and when they access apps, printers, and file shares.
But the primary users of Active Directory are the admins. These people actually operate, manage, and configure AD. AD admins likely include all of the IT team and may also include members of the security, DevOps, or engineering teams.
Virtually all organizations around the world use a solution such as Active Directory or other identity provider. Enabling and controlling access to IT resources is one of the most important aspects of operating an organization in modern times. Solutions such as directory services enable organizations to be productive.
Why does Active Directory matter?
Whether people realize it or not, Active Directory has been making the business world go ‘round since the turn of the century. AD is in place at almost every large organization and many small ones. It’s just such a foundational tool (always humming away quietly in the background) that many people who use AD every day don’t even realize what AD is—or that it’s the key to their secure access to their laptop, applications, network, and even files. In short, a directory service is what connects users to their IT resources, and AD has done that for users to their Windows resources for almost two decades.
Looking for a more in-depth answer? We also have a full blog covering why AD is important.
Active Directory Definitions
What are Active Directory objects?
An object is the generic term for any unit of information stored within Active Directory’s database. Objects can include users, laptops, servers, and even groups of other objects (explained below).
What are Active Directory groups?
AD enables admins to manage sets of multiple objects and these sets are known as groups. Using GPOs (group policy objects), an admin can make a change on one group and have that change apply to all objects within that group. They’re often used to segment users or systems by department or clearance.
The bottom line is that group-based management makes IT administration more efficient.
What are forests, trees, and domains in Active Directory?
A forest is the most top part of Active Directory’s logical structure, which also includes objects, trees, domains, and organizational units (OU). A forest describes a collection of trees, which denote a collection of domains. So, what are trees and domains?
Well, a domain is a collection of users, computers, and devices that are part of the same Active Directory database. If an organization has multiple locations, they may have a seperate domain for each one. For example, an international organization could have a domain for their London office, another one for their New York office, and a third one for their Tokyo office.
A tree could be used to group all three of those domains as branches belonging to the same tree, so to speak. An organization that has multiple trees could then group them into a forest.
This is a core concept of Active Directory and can be complicated. If you have questions, drop us a note and we’d be happy to help you work through what type of AD structure makes sense for your organization.
What is a domain controller?
A domain controller is any server that is running Active Directory Domain Services. At least one domain controller is necessary to use Active Directory, though most organizations have at least two per location. Large, multinational organizations may require dozens of domain controllers across each of their physical locations in order to ensure high availability for their AD instance. Generally, DCs are thought of being tied to a physical office, which in the current remote work environment can be challenging.
Individual users and their systems are connected to the domain controller through the network. When users request access to objects within the Active Directory Database, AD processes that request and either authorizes or prevents access to the object.
Once within the domain, a user doesn’t need to put in another username and password to gain access to domain-bound resources that they have rights to. The authentication and access occurs seamlessly. That’s the beauty of the domain. But this concept begins to fall apart as non-Windows resources are introduced. It also struggles if users are remote and not physically attached to the domain – in this case, the end user will need to VPN into the network and be authenticated by the DC in order to gain access to their on-prem, Windows-based resources.
Note that Microsoft has also extended the concept of a domain to Azure. Organizations can create a separate domain at Azure through Azure AD DS. This domain is separate and distinct from the on-prem domains, although the two can be bridged through a variety of connective technology including Azure AD Connect and Azure AD.
We should also note that there is a new concept called the Domainless Enterprise, which is taking the approach of eliminating the domain concept, but still retaining the idea of securely and frictionlessly accessing IT resources wherever they may be. This concept is especially helpful for organizations that leverage web applications, cloud infrastructure, and non-Windows platforms (e.g. macOS, Linux).
What is Active Directory Domain Services (AD DS)?
AD DS basically sets up the database of objects that serves as the foundation for AD management. AD DS isn’t the only server role associated with Active Directory, but you could argue that it’s the server role that corresponds most directly to the core functionality that people associate with AD.
How does Active Directory work?
When Active Directory Domain Services is installed on a server, it becomes known as a domain controller. This server stores the Active Directory Database, which contains a hierarchy of objects and their relationship to one another.
Active Directory is managed by an admin through a thick-client GUI (graphical user interface) that resembles the file manager in Windows (pictured above). This application runs on a Windows server and is not a modern browser-based application. Admins can point, click, and drag objects within AD and adjust their settings by right-clicking with the mouse and accessing the dropdown menu.
AD can also be controlled via the command line and through tools that leverage PowerShell, Microsoft’s language for automation and API-level tasks.
What is Azure® Active Directory?
The biggest misconception around Azure AD is that it’s Active Directory in the cloud. But the truth is that Azure AD wasn’t built to be a standalone AD in the cloud. Instead, Azure AD has been designed to extend an existing Active Directory instance to the cloud.
To better understand the AD and AAD relationship, Microsoft’s reference architecture diagram can be helpful.
The concept can be a great deal of work with a lot of moving parts: synchronize your on-prem AD with Azure AD Connect and you can connect your existing database of user identities and groups to Azure cloud-based resources. Of course, you need Azure AD and then if you would like to create a domain within Azure, the Azure AD DS product as well.
Azure AD can actually do many things that AD can’t (e.g. it has an integrated web application single sign-on component)—and the wider umbrella of Microsoft’s Azure platform spans functionality so broad that you can think of it as Microsoft’s competitor to Amazon Web Services. But don’t be fooled into thinking that means that Azure AD can do everything that on-prem Active Directory can.
What is Azure AD Connect?
Azure AD Connect is a tool used to federate on-prem Active Directory identities to resources that are hosted within the Azure platform through Azure Active Directory. These resources could include Office 365™ and Azure systems, servers, and applications.
What AD Is & Isn’t
Is Active Directory Single Sign-On (SSO)?
You could say that Active Directory was SSO before SSO existed. By that, we mean that AD can provide a single sign-on experience for users by centralizing access to all Windows-based resources within the database. Further, those resources were all on-prem or at minimum connected to the domain.
That said, what the industry conventionally considers to be SSO (web app SSO) is very different from AD—and in fact, conventional SSO arose out of AD’s inability to authenticate users into web apps during the mid-2000’s. Today, many organizations still supplement their Active Directory with a browser-based web application SSO tool.
However, new business requirements have driven the concept of SSO to now extend to devices, networks, file servers, and more, so the modern concept of SSO goes beyond just access to Windows resources or even web applications. The concept of True SSO is even more expansive and highly relevant for modern organizations where users and their IT resources may be all over the world.
Is Active Directory software?
Yes, Active Directory is software developed by Microsoft that is installed, maintained, and updated on Windows-based server hardware. The AD software is licensed through a concept called CALs (client access licenses) among other mechanisms. Licensing for AD software can be quite complex, so discussing with a Microsoft reseller is your best bet.
Further, the AD software and hardware is not a complete solution. You’ll need to procure other components to help make AD run including solutions for security, high availability, back-up, VPN, and more.
Is Active Directory a server?
Not exactly. That said, Active Directory requires a Windows server in order to function. A server running Active Directory Domain Services software is known as a domain controller – whether that server is physical hardware located on-prem or virtualized.
Is Active Directory a database?
It would be more accurate to say that Active Directory contains a database. The Active Directory database is the store of all the users, groups, systems, printers, and policies within the network. These are known as objects and can be manipulated by admins using Active Directory.
Is Active Directory open source?
No. Active Directory was developed privately by Microsoft and its code has not been made available to the public like an open source tool. The primary open source alternative to Active Directory is OpenLDAP (others include FreeIPA, Samba, 389 Directory, and others). You can learn more about the difference between OpenLDAP and AD.
Is Active Directory LDAP?
Active Directory isn’t LDAP, but it uses LDAP. AD is a directory service that is capable of communicating through the LDAP protocol and managing access to LDAP-based resources. AD’s primary protocol is a Microsoft proprietary version of Kerberos.
Active Directory Functionality
What do you need to operate Active Directory?
Generally, to operate AD, you’ll need a server, a backup, data center space, and VPNs. That’s just to get through the basics, but for most organizations you’ll also need to figure out security, load balancing / high availability, data back-up, and much more. You’ll also need an IT admin who is technically adept enough to install, manage, and maintain AD.
That said, the hardware and software requirements necessary to operate Active Directory are unique to each organization. Some aspects you need to consider when determining what you’ll need to operate AD include the following:
- number of users
- number of systems
- level of RAM required
- network bandwidth needs
- file storage capacity and performance demands
- processing power
Accurately assessing your IT environment is crucial for effective use of Active Directory, and taking shortcuts could result in performance issues down the line. For more information, consider checking out Microsoft’s capacity planning article. You’ll also want to talk to Microsoft resellers regarding licensing as it can be complex. Those licensing requirements can include the server software, client access licenses, and more.
Of course, if you have non-Windows systems, applications, file servers, and network infrastructure, you’ll need to purchase add-ons as well such as web applications SSO, multi-factor authentication, privileged access management, governance and auditing, and more.
What Are Active Directory’s Limitations?
Yes, there are limits in Active Directory. From maximum number of objects to maximum number of GPOs applied, Active Directory has its restrictions. Here are a few of them:
- A domain controller can create “a little bit less” than 2.15 billion objects during its lifetime
- Users, groups, and computer accounts (security principals) can be members of a maximum of approximately 1,015 groups
- You can apply a limit of 999 Group Policy Objects (GPOs) to a user account or a computer account.
- You should avoid performing more than 5,000 operations per LDAP transaction when writing scripts or applications for an LDAP transaction.
You can read more about Active Directory limitations here. From a practical standpoint, there are limitations due to server hardware capacity, bandwidth, performance latency, and more. IT admins will need to understand their entire infrastructure to understand how their users are impacted by these types of limitations.
Why backup Active Directory?
Take a moment and think about all of the hard work you’ve put into creating a secure, seamless IT environment. You’ve nailed providing users with just the right amount of access in all of the IT resources they need to get work done. You’ve got all the right GPOs in place. Your logical structure is pristine.
With no backup, you run the risk of having to start all over.
Not only is it a pain to set everything up again, but the rest of the company will be significantly delayed in getting back to work. Employees won’t be able to access their IT resources until you’ve rebuilt your Active Directory setup. So, having a backup strategy for your Active Directory instance can save a lot of pain and time in the event you experience a failure or disaster. For advice on what to consider for your disaster recovery plan, consider reading this r/sysadmin Reddit post.
Of course, backing up AD is only one of the disaster scenarios that you’ll need to account for. Internet connections can be severed, hardware can fail, human errors can occur as well, and more. Those will all need to be accounted for as well. As IT admins know, authentication services are generally a 100% uptime initiative.
When is it time to replace Windows Server?
The estimated lifespan for a server is generally about five years. After that, you’re on borrowed time. If you’re still using Windows Server 2003 or Windows Server 2008, then you should definitely be thinking about getting a new domain controller. The EOL for Windows Server 2003 occurred in July 2015 and the EOL for Windows Server 2008 was January 14, 2020.
Are there any Active Directory best practices?
Yes. When building out Active Directory infrastructure, there are some best practices that can help you maintain strong security and also avoid configuration issues. Here are a few recommendations:
- Change the default security settings: Attackers have a good understanding of the default security settings within AD, so it’s best to change these from their defaults (BeyondTrust).
- Utilize principles of least privilege in AD roles and groups: By giving employees the least amount of access that they need to do their jobs, you reduce the attack surface for intruders (BeyondTrust).
- Control administration privileges and limit accounts in the Domain Admins group: Similar to the point above, you want to minimize who has superuser access (BeyondTrust).
- Don’t use a domain controller like it’s a computer: In other words, don’t install software or applications on a domain controller. It is best if a domain controller is a server dedicated solely to this function. Generally, admins follow the concept of one server, one function (Iperius Backup).
- Patch AD regularly: Attackers can also easily exploit unpatched applications, OS, and firmware on AD servers. Avoid giving them this foothold by regularly patching (BeyondTrust).
- Monitor and audit AD health: Doing so will enable you to troubleshoot outages and other issues more quickly (Active Directory Pro).
- Define a naming convention at the beginning: This will go a long way in keeping AD organized as you scale (Active Directory Pro).
- Clean up AD regularly: Remove obsolete users, computers, and group accounts on a regular cadence. Doing so will help maintain security and organization (Active Directory Pro).
- Get your domain time right: Having the right time on all domain controllers, member servers and machines is important for Kerberos authentication and for making sure changes are distributed correctly (Active Directory Pro).
How do you secure Active Directory?
Many of the best practices listed above get to the heart of this: keep your AD instance patched, up-to-date, and utilize principles of least privilege. Don’t use your domain controller for anything other than the roles required for domain services.
When it comes to physical security, you could consider locking up the server room, having alarms at all access point, keeping the premises under video surveillance, and also setting up flood alarms and fire prevention systems.
You’ll also have to train any users who have access to AD about how to stay secure. Read our in-depth guide to security training, Security Training 101: Employee Education Essentials.
Of course, for many organizations the concept of physical security can be left to a cloud provider, if one is utilized.
How do you ensure high availability with AD?
There’s no one-size-fits-all formula for how to achieve high availability (HA) for your Active Directory instance. Different organizations have different uptime needs and standards. But redundancy is a “must-have” for all except the least risk-averse admins. The approach we see most commonly at SMBs is to have one direct domain controller in the production environment and then a second DC to serve as a failover. This general strategy of redundancy can be scaled up for larger organizations and enterprises.
There are a number of network infrastructure and hardware components that are necessary to ensure high availability. Many organizations are shifting to the cloud and leveraging cloud providers to help them solve the HA and load balancing concerns.
Can Active Directory work with Macs?
Technically, yes, Active Directory can work for Macs®. But the user and system management capabilities of AD are curtailed with Macs when compared to the functionality with Windows systems. Deep, automated control over Mac systems has conventionally been achieved only with the help of third party directory extensions or MDMs (mobile device managers). Tight control over users including provisioning, deprovisioning, permission modifications are also challenging on Macs when using AD.
We’ve put together a resource on this topic called best practices for integrating Macs with Active Directory.
Why learn Active Directory?
Knowing how to use AD is a valuable skill—and one that’s broadly applicable at organizations worldwide. Learning AD is particularly valuable if you want to work in IT supporting Windows devices, Azure cloud services, Sharepoint, and many other enterprise softwares and platforms.
That said, it’s possible to advance a career in IT without ever learning AD. Modern, cloud-forward organizations are bypassing on-prem AD altogether and going straight to cloud-based directory services. You can practice with directory services by taking advantage of a free JumpCloud Directory Platform account. There’s also the JumpCloud University that can help you learn the concepts around a cloud directory platform and the Domainless Enterprise.
Evaluating Active Directory
Is Active Directory free?
This is a common misconception. While AD is technically included with Windows Server, the servers it runs on certainly aren’t, and Microsoft cleverly makes its money from AD customers through licensing to Windows Server. The cost of CALs (Client Access License) ensures that organizations using AD will keep paying Microsoft month after month.
But CALs are just the surface level cost. We’ve created a guide to budgeting for Active Directory that includes the cost of associated infrastructure, Windows Server software, Mac and Linux® binding, identity federation, maintenance & administration, and security. The cost of AD varies widely from organization to organization, but it is never completely free.
How can I calculate the cost of Active Directory?
We have a pretty straightforward equation for estimating the cost of AD:
Costs of Active Directory = servers + software + hosting + backup + security + monitoring + VPNs + IT admin + third-party SW + multi-factor authentication + governance
That said, the real cost of AD for your specific use case is not as straightforward. If you would like access to our directory service ROI calculator, you can request one here.
What size organizations need AD?
The larger a company is more likely it is to use Active Directory. Enterprises, universities, and government organizations all need directory services in order to efficiently and securely manage access to their thousands of IT resources.
While smaller organizations have been able to get by without Active Directory (some use Google Workspace or SSO solutions as their user directory), many small teams still choose to implement AD in order to improve security and efficiency. Usually, it’s when an organization grows to about 20 team members when the people responsible for all of the IT infrastructure begin to think that it’s time for directory services.
As organizations grow the cost and complexity to operate AD can scale dramatically. Many IT organizations have been searching for different ways to address this and ultimately look for Active Directory alternatives.
What are the advantages and disadvantages of Active Directory?
To put it in terms of simple benefits, Active Directory offers these advantages:
- Greater Administrative Control over Windows resources
- Improved Efficiency for Users and Admins
- More Secure Windows Systems, Networks, & Data
- Reliable and Thorough Reporting for Auditing & Compliance
But Active Directory is also important in the way that it comes with its disadvantages:
- Reduced Functionality with Mac & Linux Systems
- Difficult to Configure and Manage
- Requires On-Premises Hardware
- High Upfront Costs
- Limited Connectivity to Cloud Apps & Infrastructure
When is Active Directory needed?
Most anything that Active Directory does can be done on an individual system without Active Directory. For instance, setting up a new user for a laptop or instituting a certain security setting can all be done manually from the OS. But the key word there is manual. Active Directory is needed once an organization has reached a size where manual administration over its systems and IT resources is no longer feasible. The ability for AD to perform group-based management tasks across users and Windows systems, at scale, is what has made it a ‘must-have’ at large organizations.
Another common reason Active Directory is needed is when an organization is subject to auditing and compliance requirements. The stringent security demands of regulatory statutes such as HIPAA, PCI, and GDPR often “force the hand” of organizations that may otherwise not need AD.
As more organizations shift to the cloud, leverage web applications, utilize modern platforms, and more, the need for AD is waning, although the requirement for a holistic identity and access management solution is more critical than ever.
Do I need AD to pass our audit?
This really depends on your compliance needs—are you facing an audit from PCI, HIPAA, SOX, SSAE 16, or ISO? But the short answer is that you never need AD to pass an audit. Generally speaking, directory services can be very helpful in achieving compliance since they can (1) secure identities, (2) limit access to critical resources and data, and (3) simplify the auditing, logging, and reporting processes. That said, Active Directory is only one of an assortment of possible directory solutions that can help boost your security.
Learn more about how JumpCloud helps with security and compliance.
When shouldn’t you use Active Directory?
Active Directory is ideal for on-prem, all Windows-based IT environments. If your IT environment doesn’t fit within this model, you should consider looking into Active Directory alternatives. For example, if you leverage Mac® and Linux® systems, web-based applications, cloud servers, wireless networks, or non-Windows files servers, you will need add-on solutions in order to integrate these resources with Active Directory. In the long run this will end up increasing costs and reducing productivity.
As many organizations shift to the cloud, the opportunity to use modern cloud directory platforms increases. These can create agility for organizations and save significant costs.
Are there any alternatives to AD?
Yes, there are a few alternatives to Microsoft Active Directory. It all depends on what you want. Some organizations consider manual user and system management a viable alternative to AD. Manual management is feasible up to a point, but it simply doesn’t scale.
The conventional competitor to AD is OpenLDAP™. You can think of this as the open source alternative to AD. But OpenLDAP isn’t really a true alternative to AD. It is a directory service, but it doesn’t match up with AD feature for feature, and the overall level of technical expertise to configure and maintain an OpenLDAP instance is demanding. Specifically, OpenLDAP doesn’t help manage systems (e.g. like GPO capabilities of AD).
More recently, there are web IAM tools that offer a degree of IAM. So, these are the SSOs of the world, along with major players like Google and their Google Workspace platform for businesses and organizations. That said, the “browser-first” approaches to IAM have always fallen short when it comes to the feature set of true directory services (i.e. user and system management). It would be a stretch to call SSO or Google Workspace an alternative to AD, but if you’re fine with a limited feature set, it’s possible.
You could also consider MDM solutions here. Again, they provide some AD-like capabilities, but fall short of true directory services. They can manage systems, but struggle with user management.
Finally, there are cloud-directory services, exemplified by our own cloud directory platform. Think of JumpCloud as Active Directory and LDAP reimagined for modern IT. JumpCloud’s diverse feature set includes the robust, group-based system management that directory services are known for, but it does it across Windows, Mac, and Linux – securely connecting a single user identity to their workstation, files, networks, and apps – without the need for a domain controller.
Still Looking For Answers? What Did We Miss?
We want this to be an authoritative guide, so if you have any additional questions that we didn’t answer, please reach out to us and let us know. We’re happy to take a swing at additional questions about AD or consider amending an answer if you can shed further light on one of them. That’s the only way we’ll be able to truly make this an ultimate FAQ.
Got questions about JumpCloud or cloud directory services? We’ve got answers for you. If you would like to try JumpCloud, you can sign-up for a free account with 10 users and 10 devices. You’ll also get 10 days of 24×7 Premium in-app chat support.