This is the ultimate FAQ for Microsoft Active Directory — built to answer all of the most frequently asked questions about the legacy, on-prem directory service. We’ll get into the what, when, why, who, and how of Microsoft Active Directory — otherwise known as AD.
AD is both widely used and widely misunderstood. Developed by Microsoft in the late 1990s, AD is the world’s most well-known on-prem directory service and is often referred to as an identity provider (IdP). AD ushered in the era of modern identity management in the early 2000s, but with today’s shifting IT landscape there are a number of questions that IT admins and organizations have about what AD is, how it works, and why it matters.
Microsoft has extended AD and its legacy protocols from the LAN to the web with an assortment of services for user and device management. This new hybrid cloud paradigm expands its ecosystem with an emphasis on directing users to Microsoft’s technologies while retrofitting its local LAN solution for the WAN.
We’ve identified some of the most common questions about Microsoft’s approach to Active Directory device management identity management and answer them below.
Modernize Your Infrastructure
See why an open directory platform can help you to unify your environment.
Active Directory Basics
What Is Active Directory?
Active Directory is a directory service/identity provider that enables administrators to connect users to Windows-based IT resources. Further, with AD, IT can manage and secure their Windows-based systems and applications. AD stores information about network objects (e.g., users, groups, systems, networks, applications, digital assets, and many other items) and their relationship to one another.
Admins can use AD to create users and grant them access to Windows laptops, servers, and applications. They can also use AD to control groups of systems simultaneously, enforcing security settings and software updates.
Access and controls are enabled using the concept of a domain. The domain concept is essentially a concept of inclusion and exclusion. Traditionally, this approach was leveraged for physical locations. Historically, many IT resources were hosted on-prem and were a part of the domain — i.e., internal network — and when a user was in the physical location they would have access to all of their requisite resources on-prem. If a user was off-prem, they would need a VPN to make it appear that they were on-prem. This approach worked well when IT resources and people were in the same physical proximity.
AD is part of the wider identity and access management (IAM) space and is often supplemented with single sign-on (SSO) or mobile device management (MDM) solutions among many others. JumpCloud Directory Platform is a cloud-based alternative to Active Directory.
When Was Active Directory Released?
Microsoft first introduced the world to Active Directory in 1999 and released it alongside Windows® 2000 Server edition.
What Protocols Does AD Use?
Active Directory takes advantage of the networking protocols for DNS/DHCP and the Lightweight Directory Access Protocol (LDAP), alongside Microsoft’s proprietary version of Kerberos for authentication within internal networks (LANs). Kerberos was considered secure when it was introduced during the late 1990s, but it’s now vulnerable to attack methods involving Kerberoasting, forged tickets, and stolen tickets. That means spending a lot of time and resources for mitigations and security controls to improve security. Failure to do so may place valid account credentials at risk.
Many people ask why AD doesn’t natively support more modern protocols, such as SAML, OIDC, and RADIUS. We won’t speculate on their reasoning, but we do believe that a multi-protocol approach is the future of cloud IAM architecture. Support for protocols such as SAML, OIDC, and RADIUS can be accomplished through Microsoft add-on solutions as well as third-party solutions.
Why Is Active Directory Called Active?
Our best guess is that AD is called “Active” Directory because it actively updates information stored in the directory. For example, when an administrator adds or subtracts a user from the organization, Active Directory automatically replicates the change to all of the directory servers. This happens at a regular interval so that the information always remains up to date and synchronized.
Today, this “active” type of behavior is expected in IT systems. But, before the era of computerized directory services, the concept of a directory that kept itself up to date was pretty innovative. Keep in mind that when the Active Directory moniker was coined, physical encyclopedias were still commonly used and the “active” Wikipedia hadn’t yet launched.
Who Uses Active Directory?
Generally speaking, when an organization leverages Active Directory, every single employee uses Active Directory every day without even knowing it. People use Active Directory when they log in to their work machines and when they access apps, printers, and file shares.
But the primary users of Active Directory are the admins who operate, manage, and configure AD. AD admins likely include all of the IT team and may also include members of the organization’s security, DevOps, or engineering teams.
Virtually all organizations around the world use a solution such as Active Directory or other identity provider. Enabling and controlling access to IT resources is one of the most important aspects of operating and securing an organization. Solutions such as directory services enable organizations to be productive.
Why Does Active Directory Matter?
Whether people realize it or not, Active Directory has been making the business world go ‘round since the turn of the century. AD is in place at almost every large organization and many small ones. It’s a foundational tool that hums away quietly in the background, so many people who use AD every day don’t even realize what it is — the secure access key to their laptops, applications, network, and files. In short, a directory service is what connects users to their IT resources, and AD has done that for users to their Windows resources for almost two decades.
Looking for a more in-depth answer? We have a blog that covers why AD is important.
Active Directory Definitions
What Are Active Directory Objects?
An object is the generic term for any unit of information stored within Active Directory’s database. Objects can include users, laptops, servers, and even groups of other objects (explained below).
What Are Active Directory Groups?
AD enables admins to manage sets of multiple objects known as groups. Using GPOs (group policy objects), an admin can make a change to one group and have that change apply to all objects within that group. They’re often used to segment users or systems by department or clearance.
That convenience comes at the cost of IT security. Nested groups can be very useful if they’re used wisely. However, they can also be the source of over-provisioned users, putting at risk data confidentiality, integrity, and insurance. AD’s group management is manually driven, which offers the least mature level of entitlements management. Controls and measures are manual and ad hoc, entitlements are identified but need regular oversight, least privilege is policy driven, and remediation is manual.
The bottom line is that group-based management makes IT administration more efficient, but efficiency comes at the cost of security if admins don’t carefully manage identities and entitlements. Active Directory, developed nearly two decades ago, wasn’t designed with Zero Trust concepts as a guiding principle or for the web.
What Are Forests, Trees, and Domains in Active Directory?
A forest is at the top of Active Directory’s logical structure, which also includes objects, trees, domains, and organizational units (OU). A forest describes a collection of trees, which denote a collection of domains. So, what are trees and domains?
Well, a domain is a collection of users, computers, and devices that are part of the same Active Directory database. If an organization has multiple locations, they may have a seperate domain for each one. For example, an international organization could have a domain for their London office, another one for their New York office, and a third one for their Tokyo office. IT admins also sometimes isolate their user accounts into a separate forest to maximize security. These configurations aren’t rudimentary and oftentimes require hiring external resources to set up.
A tree could be used to group all three of those domains as branches belonging to the same tree, so to speak. An organization that has multiple trees could then group them into a forest.
This is a core concept of Active Directory and it can be complicated. If you have questions, drop us a note and we’d be happy to help you work through what type of AD structure makes the best sense for your organization.
What Is a Domain Controller?
A domain controller (DC) is any server that is running Active Directory Domain Services (AD DS). At least one domain controller is necessary to use Active Directory, though most organizations have at least two per location. Large, multinational organizations may require dozens of domain controllers across each of their physical locations in order to ensure high availability for their AD instance.
Generally, DCs are thought of as being tied to a physical office, which in the current remote work environment can be challenging. IT teams that are AD centric must connect remote users to their LANs through VPNs or alternatives including a software-defined WAN (SD-WAN) and secure access service edge (SASE). Otherwise, purpose-driven cloud services can more easily manage remote endpoints and identities with less infrastructure and overhead.
Individual users and their systems are connected to the domain controller through the internal network. When users request access to objects within the Active Directory database, AD processes that request and either authorizes or prevents access to the object.
Once within the domain, a user doesn’t need to input another username and password to gain access to the domain-bound resources that they have rights to. The authentication and access occurs seamlessly. That’s the beauty of the domain. But this concept begins to fall apart as non-Windows resources are introduced. It also struggles if users are remote and not physically attached to the domain — in this case, the end user will need a VPN to the network and be authenticated by the DC in order to gain access to their on-prem, Windows-based resources.
Azure AD (AAD) — An Active Directory Alternative?
Note that Microsoft has also extended the concept of a domain to Azure. Organizations can create a separate domain at Azure through Active Directory Domain Services (AD DS). This domain is separate and distinct from the on-prem domains, although the two can be bridged through a variety of connective technology including Azure AD Connect and Azure AD. AAD is, however, a separate directory service from the legacy on-premises directory. It’s not possible to access Microsoft services such as Microsoft 365™ (M365) without AAD if your existing directory resides in AD.
Microsoft has also branched into mobile device management (MDM) and premium identity management services through its SKUs. Likewise, those are dependent upon AAD.
Gated Licensing Structure
Microsoft has implemented a gated licensing scheme for AAD services. For instance, there are two distinct subscription levels for AAD Premium; and other services for MDM, advanced identity management, and Zero Trust security policies are either included or available as separate subscriptions.
IT organizations often work with partners to navigate this web. We should also note that there is a new concept called the Domainless Enterprise, which takes the approach of eliminating the domain concept, but still retains the idea of securely and frictionlessly accessing IT resources wherever they may be through an open directory platform. This concept is especially helpful for organizations that leverage web applications, cloud infrastructure, and non-Windows platforms (e.g., macOS, Linux).
What Is Active Directory Domain Services (AD DS)?
AD DS basically sets up the database of objects that serves as the foundation for AD management. AD DS isn’t the only server role associated with Active Directory, but you could argue that it’s the server role that corresponds most directly to the core functionality that people associate with AD.
How Does Active Directory Work?
When Active Directory Domain Services is installed on a server, it becomes known as a domain controller. This server stores the Active Directory database, which contains a hierarchy of objects and their relationship to one another.
Active Directory is managed by an admin through a thick-client GUI (graphical user interface) that resembles the file manager in Windows (pictured above). This application runs on a Windows server and is not a modern browser-based application. Admins can point, click, and drag objects within AD and adjust their settings with a right-click via the mouse to access the dropdown menu.
AD can also be controlled via the command line and through tools that leverage PowerShell, Microsoft’s language for automation and API-level tasks.
Management Applications, Integrations, and Interfaces
Active Directory is managed on premises by several different applications. Many organizations opt to license third-party applications and snap-ins to simplify the experience, make workflows more accessible, and improve reporting. Applications also exist to integrate AD with Azure AD. AAD and Microsoft’s endpoint management products also have separate interfaces.
A change or workflow made in AD cannot be executed on AAD (and vice versa), so you have two different management paradigms, two different security paradigms, and two different interfaces and workflow potentials.
What Is Azure Active Directory?
The biggest misconception around Azure AD is that it’s Active Directory in the cloud. But the truth is that Azure AD wasn’t built to be a standalone AD in the cloud. Instead, Azure AD is designed to extend an existing Active Directory instance to the cloud.
To better understand the AD and AAD relationship, Microsoft’s reference architecture diagram is helpful.
The concept has a lot of moving parts: you can synchronize your on-prem AD with Azure AD Connect and connect your existing database of user identities and groups to Azure cloud-based resources. Of course, you need Azure AD and then if you would like to create a domain within Azure, the Azure AD DS product as well.
Azure AD can do many things that AD can’t (e.g., it has an integrated web application single sign-on component) — and the wider umbrella of Microsoft’s Azure platform spans functionality so broad that it may be considered a competitor to Amazon Web Services. But don’t be fooled into thinking that means that Azure AD can do everything that on-prem Active Directory can.
What Is Azure AD Connect?
Azure AD Connect is a tool used to federate on-prem Active Directory identities to resources that are hosted within the Azure platform through integrations with Azure Active Directory. AAD does the “heavy lifting” to federate identities, and AD serves as an entry point to AAD. These resources could include M365 and Azure systems, servers, and applications. Users could experience limitations when accessing resources outside of the Microsoft ecosystem.
What AD Is and Isn’t
Is Active Directory Single Sign-On (SSO)?
You could say that Active Directory was SSO before SSO existed. By that, we mean that AD provided a single sign-on experience for users by centralizing access to all Windows-based resources within the database. Further, those resources were all on-prem or at minimum connected to the domain.
That said, what the industry conventionally considers to be SSO (web app SSO) is very different from AD — and in fact, conventional SSO arose out of AD’s inability to authenticate users into web apps during the mid-2000s. Today, many organizations still supplement their Active Directory with a browser-based web application SSO tool.
Azure AD is Microsoft’s attempt at web SSO, but it’s optimized for the Microsoft ecosystem. Its interoperability starts to break down as you expand beyond Microsoft services — particularly to things that don’t support SAML or OIDC.
However, new business requirements have driven the concept of SSO to now extend to devices, networks, file servers, and more, so the modern concept of SSO goes beyond just access to Windows resources or even web applications. The concept of True SSO is even more expansive and highly relevant for modern organizations where users and their IT resources may be all over the world.
Is Active Directory Software?
Yes, Active Directory is software developed by Microsoft that is installed, maintained, and updated on Windows-based server hardware. The AD software is licensed through a concept called CALs (client access licenses) among other mechanisms. Licensing for AD software can be quite complex, so discussing your options with a Microsoft reseller is your best bet.
Further, the AD software and hardware is not a complete solution. You need to procure other components to help make AD run including solutions for security, high availability, backup, VPN, and more.
Is Active Directory a Server?
Not exactly. Active Directory requires a Windows server in order to function. A server running Active Directory Domain Services software is known as a domain controller — whether that server is physical hardware located on-prem or virtualized.
Is Active Directory a Database?
It would be more accurate to say that Active Directory contains a database. The Active Directory database stores all the users, groups, systems, printers, and policies within the network. These are known as objects and can be manipulated by admins using Active Directory.
Is Active Directory Open Source?
No. Active Directory was developed privately by Microsoft and its code has not been made available to the public like an open source tool. The primary open source alternative to Active Directory is OpenLDAP (others include FreeIPA, Samba, 389 Directory, and others). You can learn more about OpenLDAP vs Active Directory.
Is Active Directory LDAP?
Active Directory isn’t LDAP, but it uses LDAP. AD is a directory service that is capable of communicating through the LDAP protocol and managing access to LDAP-based resources. AD’s primary protocol is a Microsoft proprietary version of Kerberos.
Active Directory Functionality
What Do You Need to Operate Active Directory?
Generally, to operate AD you need a server, a backup, data center space, and VPNs. That’s just to get through the basics, but for most organizations you also need to figure out security, load balancing/high availability, data backup, and much more. You also need an IT admin who is technically adept enough to install, manage, and maintain AD.
Note that the hardware and software requirements necessary to operate Active Directory are unique to each organization. Some aspects to consider when determining what you need to operate AD include the following:
- Number of users
- Number of systems
- Level of RAM required
- Network bandwidth needs
- File storage capacity and performance demands
- Processing power
Accurately assessing your IT environment is crucial for effective use of Active Directory, and taking shortcuts could result in performance issues down the line. For more information, check out Microsoft’s capacity planning article. It is also recommended that you talk to a Microsoft reseller regarding licensing as it can be complex and include server software, client access licenses, and more.
Of course, if you have non-Windows systems, applications, file servers, and network infrastructure, you need to purchase add-ons as well such as web application SSO, multi-factor authentication (MFA), privileged access management, governance and auditing, and more.
What Are Active Directory’s Limitations?
Yes, there are limits in Active Directory. From maximum number of objects to maximum number of GPOs applied, Active Directory has its restrictions. Here are a few of them:
- A domain controller can create “a little bit less” than 2.15 billion objects during its lifetime
- Users, groups, and computer accounts (security principals) can be members of a maximum of approximately 1,015 groups
- You can apply a limit of 999 Group Policy Objects (GPOs) to a user account or a computer account
- You should avoid performing more than 5,000 operations per LDAP transaction when writing scripts or applications for an LDAP transaction
- It cannot support anything that is within the realm of Azure AD
It Cannot Address Modern Security Needs
Premium AAD subscriptions, several ad hoc Azure services, or third-party solutions are required to implement a Zero Trust security posture. Identity management is an essential aspect of the modern attack surface. Any unattended credential, or elevated access to applications or data, is of particular interest to cybercriminals. Therefore, compromising AD is the first step for hackers that want to penetrate the enterprise’s network.
As more companies migrate their operations to the cloud and workforces become distributed outside of on-prem network perimeters, AD is increasingly becoming a focal point for cybercriminals. While AD is not inherently insecure, the complexities associated with implementing it can leave the network susceptible to attackers. For example, cybercriminals can take advantage of replication processes in AD and steal signing certificates, potentially launching catastrophic attacks.
It Doesn’t Integrate Well with Third-Party Platforms
When Microsoft unveiled AD, most of the applications that companies used were largely Windows-based and resided in on-prem servers called domain controllers (DCs). However, web-based applications that are not native to Microsoft dominate today’s enterprise IT environments. Linux and macOS systems have also replaced Windows workstations in most organizations.
Since Active Directory wasn’t built with the integration of third-party solutions in mind, connecting non-Microsoft systems to the platform is a challenging task. While you could achieve integration with additional configurations, the process isn’t as seamless as how AD natively supports Windows-based applications. Microsoft’s cloud services aren’t much different.
Some of Azure AD’s identity and access management features don’t extend to non-Microsoft services, unless you pay more. Single sign-on (SSO) and multi-factor authentication (MFA) are examples of this.
Implementing AD Can Be Costly for the Organization
Active Directory is technically a free solution, with no additional costs if you’ve already subscribed to Windows Server OS. However, setting up SSO can be expensive for the organization and adds a higher total cost of ownership than anticipated. For example, besides the initial server and setup costs, you have to figure out the maintenance expenses. Microsoft’s core-based licensing approach has added complexity and costs for many organizations that are updating legacy hardware to newer server racks.
You can read more about other Active Directory limitations here. From a practical standpoint, there are limitations due to server hardware capacity, bandwidth, performance latency, and more. IT admins need to understand their entire infrastructure to identify how their users are impacted by these types of limitations.
Why Backup Active Directory?
Take a moment to think about all of the hard work you’ve put into creating a secure, seamless IT environment. You’ve nailed providing users with just the right amount of access in all of the IT resources they need to get work done. You’ve got all the right GPOs in place. Your logical structure is pristine.
Unfortunately, with no backup, you run the risk of having to start all over.
Not only is it a pain to set everything up again, but the rest of the company will be significantly delayed in getting back to work. Employees won’t be able to access their IT resources until you’ve rebuilt your Active Directory setup. So, having a backup strategy for your Active Directory instance can save a lot of pain and time in the event you experience a failure or disaster. For advice on what to consider for your disaster recovery plan, read this r/sysadmin Reddit post.
Of course, backing up AD is only one of the disaster scenarios that you need to account for: internet connections can be severed, hardware can fail, human errors can occur as well, and more. Those all need to be accounted for as well. As IT admins know, authentication services are generally a 100% uptime initiative.
Microsoft also cautions, “Choosing a more recent backup recovers more useful data, but it might increase the risk of reintroducing dangerous data into the restored forest.” It notes that there’s a trade-off between recovering more useful data and the safety of the restored data.
When Is It Time to Move Beyond Windows Server?
The estimated lifespan for a server is generally about five years. After that, you’re on borrowed time. If you’re still using Windows Server 2003 or Windows Server 2008, then you should definitely think about getting a new domain controller. The EOL for Windows Server 2003 occurred in July 2015 and the EOL for Windows Server 2008 was January 14, 2020. As mentioned, core-based licensing has replaced prior licensing regimes and might raise costs.
Organizations that migrate to the cloud from AD have ample time to decommission it. You can’t turn off AD until the last resource that requires it is also turned off. It’s possible to adopt more capable solutions for modern problems without prematurely “pulling the plug” on AD.
Are There Any Active Directory Best Practices?
Yes. When building out Active Directory infrastructure, there are some best practices that can help you maintain strong security and also avoid configuration issues. Here are a few recommendations (please note that you may require external consultants to accomplish these tasks):
- Change the default security settings: Attackers have a good understanding of the default security settings within AD, so it’s best to change these from their defaults (BeyondTrust).
- Consider having administrative accounts exist within a separate forest (Red Forest model) from other users by implementing authentication policy silos. This may require external experts and add-on tools to enact.
- Implement new Active Directory enhanced features such as protected groups, restricted RDP, time-based group membership and testing.
- Utilize principles of least privilege in AD roles and groups: By giving employees the least amount of access that they need to do their jobs, you reduce the attack surface for intruders (BeyondTrust).
- Control administration privileges and limit accounts in the Domain Admins group: Similar to the point above, you want to minimize who has superuser access (BeyondTrust). IT admins should ideally never run as super users except for time-based intervals where accounts are temporarily elevated to perform tasks. This requires either additional setup or third-party security hardware and software solutions.
- Don’t use a domain controller like it’s a computer: In other words, don’t install software or applications on a domain controller. It is best if a domain controller is a server dedicated solely to this function. Generally, admins follow the concept of one server, one function (Iperius Backup). Supply chain management best practices should be followed.
- Patch AD regularly: Attackers can also easily exploit unpatched applications, OS, and firmware on AD servers. Some Microsoft defects permit attackers to go from a user to an admin in mere minutes. Avoid giving them this foothold by regularly patching (BeyondTrust).
- Monitor and audit AD health: Doing so will enable you to troubleshoot outages and other issues more quickly (Active Directory Pro).
- Define a naming convention at the beginning: This will go a long way in keeping AD organized as you scale (Active Directory Pro).
- Clean up AD regularly: Remove obsolete users, computers, and group accounts on a regular cadence. Doing so will help maintain security and organization (Active Directory Pro). Active Directory has no automation to accomplish this.
- Get your domain time right: Having the right time on all domain controllers, member servers, and machines is important for Kerberos authentication and for making sure changes are distributed correctly (Active Directory Pro).
- Maintain: These tasks help to ensure a healthy directory.
- Upgrade domain function levels to supported versions of Windows Server.
- Run Active Directory Health Checks.
- Don’t Run Your CA on Your DC: Setup the Enterprise PKI role to separate your certificate authority from the primary domain controller. That may require standing up another server.
- Set up Microsoft ATA (Advanced Threat Analytics): Do this to detect attacks against your server infrastructure that fall outside of typical system behavior(s).
- Compliance: Create documentation and contingency plans.
These suggestions could take five to six full days of work to implement, but are worth the investment in view of the multitude of security risks that AD is vulnerable to when it’s not hardened.
How Do You Secure Active Directory?
Many of the best practices listed above get to the heart of this: keep your AD instance patched and up to date, and utilize principles of least privilege. Don’t use your domain controller for anything other than the roles required for domain services. Administrative accounts should be isolated from regular users and only used to perform tasks. Never run as a super user.
When it comes to physical security, you should consider locking up the server room, having alarms at all access points, keeping the premises under video surveillance, and also setting up flood alarms and fire prevention systems. Server rooms often accumulate associated costs such as modifying a server room to be airtight as well as dedicated HVAC systems.
You also have to train any users who have access to AD about how to stay secure. Read our in-depth guide to security training, Security Training 101: Employee Education Essentials.
Of course, for many organizations the concept of physical security can be left to a cloud provider, if one is utilized.
How Do You Ensure High Availability with AD?
There’s no one-size-fits-all formula for how to achieve high availability (HA) for your Active Directory instance. Different organizations have different uptime needs and standards. But redundancy is a “must-have” for all except the least risk-averse admins.
The approach we see most commonly at small to medium-sized businesses (SMBs) is to have one direct domain controller in the production environment and then a second DC to serve as a failover. An active server is responsible for providing IP addresses and configuration information to all clients in a scope or subnet and the secondary server assumes the responsibility if the primary server becomes unavailable. This general strategy of redundancy can be scaled up for larger organizations and enterprises.
HA Increases Administrative Complexity
It’s sometimes recommended that a HA cluster include separate hardware or even be located at a different physical location within a facility. Running AD in this mode changes management procedures. For instance, updates will have to be cycled per DC, and any software that’s required to run on a DC must be updated on each device.
There are a number of network infrastructure and hardware components that are necessary to ensure high availability, including DHCP HA. Many organizations are shifting to the cloud and leveraging cloud providers to help them solve the HA and load balancing concerns.
Can Active Directory Work with Macs?
Technically, yes, Active Directory can work for Macs. But the user and system management capabilities of AD are curtailed with Macs when compared to the functionality with Windows systems. Deep, automated control over Mac systems has conventionally been achieved only with the help of third-party directory extensions or MDMs (mobile device managers). Tight control over users including provisioning, deprovisioning, and permission modifications are also challenging on Macs when using AD. Microsoft provides Mac MDM for an additional cost.
We’ve put together a resource on this topic called best practices for integrating Macs with Active Directory.
Why Learn Active Directory?
Knowing how to use AD is a valuable skill — and one that’s broadly applicable at organizations worldwide. Learning AD is particularly valuable if you want to work in IT supporting Windows devices, Azure cloud services, SharePoint, and many other enterprise softwares and platforms.
However, it is possible to advance a career in IT without ever learning AD.
Modern, cloud-forward organizations are bypassing on-prem AD altogether and going straight to cloud-based directory services. You can practice with directory services by taking advantage of a free JumpCloud Directory Platform account. JumpCloud University can also help you learn the concepts around a cloud directory platform and the domainless enterprise.
Evaluating Active Directory
Is Active Directory Free?
This is a common misconception. While AD is technically included with Windows Server, the servers it runs on certainly aren’t, and Microsoft cleverly makes its money from AD customers through licensing to Windows Server. The cost of CALs (client access licenses) ensures that organizations using AD will keep paying Microsoft month after month.
But CALs are just the surface-level cost. We’ve created a guide to budgeting for Active Directory that includes the cost of associated infrastructure, Windows Server software, Mac and Linux® binding, identity federation, maintenance and administration, and security. The cost of AD varies widely from organization to organization, but it is never completely free.
How Can I Calculate the Cost of Active Directory?
We have a pretty straightforward equation for estimating the cost of AD:
Costs of Active Directory = servers + software + hosting + backup + security + monitoring + VPNs + IT admin + third-party SW + multi-factor authentication + governance
This free TCO calculator assists with these calculations. Further costs might include external resources to configure advanced AD capabilities for better security and high availability.
It is important to note that the real cost of AD for your specific use case is not always straightforward. If you would like access to our directory service ROI calculator, you can request one here.
What Size Organizations Need AD?
The larger a company is the more likely it is to use Active Directory. Enterprises, universities, and government organizations all need directory services in order to efficiently and securely manage access to their thousands of IT resources.
While smaller organizations have been able to get by without Active Directory (some use Google Workspace or SSO solutions as their user directory), many small teams still choose to implement AD in order to improve security and efficiency. Usually, it’s when an organization grows to about 20 team members that the people responsible for all of the IT infrastructure begin to think that it’s time for directory services.
As organizations grow the cost and complexity to operate AD can scale dramatically. Many IT organizations have been searching for different ways to address this and ultimately look for Active Directory alternatives.
What Are the Advantages and Disadvantages of Active Directory?
To put it in terms of simple benefits, Active Directory offers these advantages:
- Greater administrative control over Windows resources
- Improved efficiency for users and admins
- More secure Windows systems, networks, and data
- Reliable and thorough reporting for auditing and compliance
But Active Directory also comes with disadvantages:
- Reduced functionality with Mac and Linux systems
- Difficult to configure and manage
- Potential requirements for third-party solutions and consultants
- Requires on-premises hardware
- High upfront costs
- Limited connectivity to cloud apps and infrastructure
- Higher costs and complexity to set up and license AAD services
When Is Active Directory Needed?
Most anything that Active Directory does can be done on an individual system without Active Directory. For instance, setting up a new user for a laptop or instituting a certain security setting can all be done manually from the OS. But the key word there is “manual.” Active Directory is needed once an organization has reached a size where manual administration over its systems and IT resources is no longer feasible. The ability for AD to perform group-based management tasks across users and Windows systems, at scale, is what has made it a “must-have” at large organizations.
Another common reason Active Directory is needed is when an organization is subject to auditing and compliance requirements. The stringent security demands of regulatory statutes such as HIPAA, PCI DDS, and GDPR often “force the hand” of organizations that may otherwise not need AD.
As more organizations shift to the cloud, leverage web applications, utilize modern platforms, and more, the need for AD is waning, although the requirement for a holistic identity and access management solution is more critical than ever.
Do I Need AD to Pass Our Audit?
This really depends on your compliance needs — are you facing an audit from PCI, HIPAA, SOX, SSAE 16, or ISO? But the short answer is that you never need AD to pass an audit. Generally speaking, directory services can be very helpful in achieving compliance since they can (1) secure identities, (2) limit access to critical resources and data, and (3) simplify the auditing, logging, and reporting processes. Active Directory is only one of an assortment of possible directory solutions that can help boost your security.
Learn more about how JumpCloud helps with security and compliance.
When Shouldn’t You Use Active Directory?
Active Directory is ideal for on-prem, all Windows-based IT environments. If your IT environment doesn’t fit within this model, you should consider looking into Active Directory alternatives. For example, if you leverage Mac and Linux systems, web-based applications, cloud servers, wireless networks, or non-Windows files servers, you will need add-on solutions in order to integrate these resources with Active Directory. That includes integrating Microsoft’s cloud and on-premises solutions. In the long run, this will end up increasing costs and reducing productivity.
As many organizations shift to the cloud, the opportunity to use modern cloud directory platforms increases. These can create agility for organizations and save significant costs.
Are There Any Alternatives to AD?
There are a few alternatives to Microsoft Active Directory. It all depends on what you want, but increasingly, compliance standards and security professionals stipulate that devices should be your perimeter. Every device is a gateway where identities access resources and should be managed to provide a baseline posture. Identity management and device management go hand in hand; it’s not possible to follow a Zero Trust security strategy with unmanaged devices.
The traditional on-premises competitor to AD is OpenLDAP™. You can think of it as the open source alternative to AD. But OpenLDAP isn’t really a true alternative to AD. It is a directory service, but it doesn’t match up with AD feature for feature, and the overall level of technical expertise to configure and maintain an OpenLDAP instance is demanding. Specifically, OpenLDAP doesn’t help manage systems (e.g., like the GPO capabilities of AD).
That’s where JumpCloud comes in. Its open directory platform provides unified endpoint management (UEM) and integrated IAM. Google recommends JumpCloud as the directory for small and medium-sized enterprises (SMEs) to manage Workspace users, unify device management, and secure access to every resource. JumpCloud also integrates with Active Directory, enabling use cases where SMEs that still require AD can expand its capabilities.
Open Directory Platform
JumpCloud’s open directory platform empowers your employees by provisioning the best resources from any vendor they need to do their job using the best protocol for each resource.
- Cloud LDAP is available along with pre-built integrations for other directory services, including Google, Microsoft, and Okta. JumpCloud also integrates with popular HR systems to help streamline identity lifecycle management.
- Servers use SSH keys, which are more secure than passwords.
- Passwordless certificates can secure RADIUS Wi-Fi access.
- Web applications use SAML and OIDC for authentication.
- An optional password manager for when SSO is not a possibility.
- Conditional access rules and biometrics for privileged access management.
- JumpCloud is also working to add federation to its platform to permit SMEs that use other identity providers to benefit from its UEM and other value-added services.
JumpCloud’s diverse feature set includes the robust, group-based system management that directory services are known for, but it does it across Android, Mac, Linux, and Windows devices — securely connecting a single user identity to all their workstations, files, network resources, and apps. It can work without a domain controller or extend what’s possible for SMEs that aren’t yet ready to leave Active Directory behind.
JumpCloud adheres to a Zero Trust security model with features such as MFA everywhere, pre-built conditional access policies, and a groups model that automates memberships and entitlements based upon user attributes. Attributes may be imported from an HRIS system, streamlining the entire identity lifecycle. JumpCloud also provides cross-OS patch management and IT remote assistance capabilities to enable IT teams to unify their resources.
The open directory platform integrates with AAD (and other) credentials to authenticate, authorize, connect, and provision identities to services. This grants you the flexibility to build and evolve your own IT and security approach without locking you into any specific technology choices. Your resources will change and so will your working patterns. The one foundation that can accommodate your organization now and into the future is JumpCloud.
Still Looking for Answers? What Did We Miss?
We want this to be an authoritative guide, so if you have any additional questions that we didn’t answer, please reach out and let us know. We’re also happy to take a swing at additional questions about AD or consider amending an answer if you can shed further light on one of them.
If you would like to try JumpCloud, you can sign up for a free account with 10 users and 10 devices. You’ll also get 10 days of 24×7 Premium in-app chat support. JumpCloud offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.