By Nick Scheidies Posted March 6, 2019
This is an authoritative hub for information related to Active Directory®—built to answer all of the most frequently asked questions about the directory service. We’ll get into the what, when, why, who, and how of Microsoft® Active Directory—otherwise known as AD or MAD. We want this to be the ultimate Active Directory FAQ, so just let us know if there are any questions that we missed!
AD is both widely used and widely misunderstood. Developed by Microsoft in the late 1990s, AD is the world’s most well-known on-prem directory service. It is a complex platform with many practical applications, which has led to a lot of uncertainty about just what AD is, how it works, and why it matters.
We’ve identified some of the most common questions about Active Directory and answered them below.
Active Directory Basics
What is Active Directory?
Active Directory is a directory service that enables administrators to manage and secure their IT resources. AD stores information about network objects (e.g. users, groups, systems, networks, applications, digital assets, and many others) and their relationship to one another. Admins can use AD to create users and grant them access to Windows laptops, servers, and applications. They can also use AD to control groups of systems simultaneously, enforcing security settings and software updates.
AD is part of the wider Identity and Access Management (IAM) space and is often supplemented with single sign-on (SSO) or MDM (mobile device management) solutions. JumpCloud® Directory-as-a-Service® is a cloud-based alternative to Active Directory.
Get a more in-depth definition of Active Directory with “What is Active Directory, Anyway?”
When was Active Directory released?
Microsoft first introduced the world to Active Directory in 1999 and released it alongside Windows® 2000 Server edition.
What protocols does AD use?
Active Directory takes advantage of the DNS protocol and the Lightweight Directory Access Protocol (LDAP), alongside Microsoft’s proprietary version of Kerberos.
Many people ask why AD doesn’t support more protocols, such as SAML and RADIUS. We won’t speculate on their reasoning, but we do believe that a multi-protocol approach is the future of IAM.
Why is Active Directory called active?
Our best guess is that AD is called Active Directory because it actively updates information stored in the directory. For example, when an administrator adds or subtracts a user from the organization, Active Directory automatically replicates that change to all of the directory servers. This happens at a regular interval so that the information always remains up-to-date and synchronized.
Today, this “active” type of behavior is expected in IT systems. But, before the era of computerized directory services, the concept of a directory that kept itself up to date was pretty innovative. Keep in mind that when the Active Directory moniker was coined, physical encyclopedia were still commonly used and the “active” Wikipedia hadn’t yet launched.
Who uses Active Directory?
Generally speaking, when an organization leverages Active Directory, every single employee uses Active Directory every day without even knowing it. People use Active Directory when they log in to their work machines and when they access apps, printers, and file shares.
But the primary users of Active Directory are the admins. These people actually operate, manage, and configure AD. AD admins likely include all of the IT team and may also include members of the security, DevOps, or engineering teams.
Why does Active Directory matter?
Whether people realize it or not, Active Directory has been making the business world go ‘round since the turn of the century. AD is in place at almost every large organization. It’s just such a foundational tool (always humming away quietly in the background) that many people who use AD every day don’t even realize what AD is—or that it’s the key to their secure access to their laptop and files.
Looking for a more in-depth answer? We also have a full blog post covering why AD is important.
Active Directory Terminology
What are Active Directory objects?
An object is the generic term for any unit of information stored within Active Directory’s database. Objects can include users, laptops, servers, and even groups of other objects (explained below).
What are Active Directory groups?
AD enables admins to manage sets of multiple objects and these sets are known as groups. Using GPOs (group policy objects), an admin can make a change on one group and have that change apply to all objects within that group. They’re often used to segment users or systems by department or clearance.
The bottom line is that group-based management makes IT administration more efficient.
What are forests, trees, and domains in Active Directory?
A forest is the topmost level of Active Directory’s logical structure, which also includes objects, trees, domains, and organizational units (OUs). A forest is a collection of trees, and a tree is a collection of domains. So, what are trees and domains? Well, a domain is a collection of users, computers, and devices that are part of the same Active Directory database. If an organization has multiple locations, it may have a separate domain for each one. For example, an international organization could have a domain for its London office, another one for its New York office, and a third one for its Tokyo office. A tree could be used to group all three of those domains as branches belonging to the same tree, so to speak. An organization that has multiple trees could then group them into a forest.
What is a domain controller?
A domain controller is any server that is running Active Directory Domain Services. At least one domain controller is necessary to use Active Directory, though most organizations have at least two per location. Large, multinational organizations may require dozens of domain controllers across each of their physical locations in order to ensure high availability for their AD instance.
Individual users and their systems are connected to the domain controller through the network. When users request access to objects within the Active Directory Database, AD processes that request and either authorizes or prevents access to the object.
Once within the domain, a user doesn’t need to put in another username and password to gain access to domain-bound resources. The authentication and access occurs seamlessly. That’s the beauty of the domain. But this concept begins to fall apart as non-Windows resources are introduced.
What is Active Directory Domain Services (AD DS)?
AD DS basically sets up the database of objects that serves as the foundation for AD management. AD DS isn’t the only server role associated with Active Directory, but you could argue that it’s the server role that corresponds most directly to the core functionality that people associate with AD.
What is Azure® Active Directory?
The biggest misconception around Azure AD is that it’s Active Directory in the cloud. But the truth is that Azure AD wasn’t built to be a standalone AD in the cloud. Instead, Azure AD has been designed to extend an existing Active Directory instance to the cloud.
The concept is simple: synchronize your on-prem AD with Azure AD Connect and you can connect your existing database of user identities and groups to Azure cloud-based resources.
Azure AD can actually do many things that AD can’t—and the wider umbrella of Microsoft’s Azure platform spans functionality so broad that you can think of it as Microsoft’s competitor to Amazon Web Services. But don’t be fooled into thinking that means that Azure AD can do everything that on-prem Active Directory can.
What is Azure AD Connect?
Azure AD Connect is a tool used to federate on-prem Active Directory identities to resources that are hosted within the Azure platform through Azure Active Directory. These resources could include Office 365™ and Azure systems, servers, and applications.
What AD Is & Isn’t
Is Active Directory LDAP?
Active Directory isn’t LDAP, but it uses LDAP. AD is a directory service that is capable of communicating through the LDAP protocol and managing access to LDAP-based resources.
Is Active Directory Single Sign-On (SSO)?
You could say that Active Directory was SSO before SSO existed. By that, I mean that AD can provide a single sign-on experience for users by centralizing access to all Windows-based resources within the database.
That said, what we conventionally consider to be SSO (web app SSO) is very different from AD—and in fact, conventional SSO arose out of AD’s inability to authenticate users into web apps during the mid-2000s. Today, many organizations still supplement their Active Directory with a browser-based SSO tool.
Is Active Directory software?
Yes, Active Directory is software developed by Microsoft.
Is Active Directory a server?
Not exactly. That said, Active Directory requires a server in order to function. A server running Active Directory Domain Services software is known as a domain controller – whether that server is physical hardware located on-prem or virtualized.
Is Active Directory a database?
It would be more accurate to say that Active Directory contains a database. The Active Directory database is the store of all the users, groups, systems, printers, and policies within the network. These are known as objects and can be manipulated by admins using Active Directory.
Is Active Directory open source?
No. Active Directory was developed privately by Microsoft, and its code has not been made available to the public the way an open source tool’s is. The primary open source alternative to Active Directory is OpenLDAP; others include FreeIPA, Samba, and 389 Directory Server. You can learn more about the difference between OpenLDAP and AD.
Active Directory Functionality
How does Active Directory work?
When Active Directory Domain Services is installed on a server, it becomes known as a domain controller. This server stores the Active Directory Database, which contains a hierarchy of objects and their relationship to one another.
Active Directory is managed by an admin through a GUI (graphical user interface) that resembles the file manager in Windows (pictured above). Admins can point, click, and drag objects within AD and adjust their settings by right-clicking with the mouse and accessing the dropdown menu.
AD can also be controlled via the command line.
What do you need to operate Active Directory?
Generally, to operate AD, you’ll need a server, a backup, data center space, and VPNs. You’ll also need an IT admin who is technically adept enough to operate AD.
That said, the hardware and software requirements necessary to operate Active Directory are unique to each organization. Some aspects you need to consider when determining what you’ll need to operate AD include the following:
- number of users
- number of systems
- level of RAM required
- network bandwidth needs
- file storage capacity and performance demands
- processing power
Accurately assessing your IT environment is crucial for effective use of Active Directory, and taking shortcuts could result in performance issues down the line. For more information, consider checking out Microsoft’s capacity planning article.
Are there any limits in Active Directory?
Yes, there actually are limits in Active Directory. From maximum number of objects to maximum number of GPOs applied, Active Directory has its restrictions. Here are a few of them:
- A domain controller can create “a little bit less” than 2.15 billion objects during its lifetime
- Users, groups, and computer accounts (security principals) can be members of a maximum of approximately 1,015 groups
- You can apply a limit of 999 Group Policy Objects (GPOs) to a user account or a computer account.
- You should avoid performing more than 5,000 operations per LDAP transaction when writing scripts or applications for an LDAP transaction.
You can read more about Active Directory limitations here.
Why backup Active Directory?
Take a moment and think about all of the hard work you’ve put into creating a secure, seamless IT environment. You’ve nailed providing users with just the right amount of access in all of the IT resources they need to get work done. You’ve got all the right GPOs in place. Your logical structure is pristine.
With no backup, you run the risk of having to start all over.
Not only is it a pain to set everything up again, but the rest of the company will be significantly delayed in getting back to work. Employees won’t be able to access their IT resources until you’ve rebuilt your Active Directory setup. So, having a backup strategy for your Active Directory instance can save a lot of pain and time in the event you experience a failure or disaster. For advice on what to consider for your disaster recovery plan, consider reading this r/sysadmin Reddit post.
When is it time to replace Windows Server?
The estimated lifespan for a server is generally about five years. After that, you’re on borrowed time. If you’re still using Windows Server 2003 or Windows Server 2008, then you should definitely be thinking about getting a new domain controller. The EOL for Windows Server 2003 occurred in July 2015 and the EOL for Windows Server 2008 is scheduled for January 14, 2020.
Are there any Active Directory best practices?
Yes. When building out Active Directory infrastructure, there are some best practices that can help you maintain strong security and also avoid configuration issues. Here are a few recommendations:
- Change the default security settings: Attackers have a good understanding of the default security settings within AD, so it’s best to change these from their defaults (BeyondTrust).
- Utilize principles of least privilege in AD roles and groups: By giving employees the least amount of access that they need to do their jobs, you reduce the attack surface for intruders (BeyondTrust).
- Control administration privileges and limit accounts in the Domain Admins group: Similar to the point above, you want to minimize who has superuser access (BeyondTrust).
- Don’t use a domain controller like it’s a computer: In other words, don’t install software or applications on a domain controller. It is best if a domain controller is a server dedicated solely to this function (Iperius Backup).
- Patch AD regularly: Attackers can also easily exploit unpatched applications, OS, and firmware on AD servers. Avoid giving them this foothold by regularly patching (BeyondTrust).
- Monitor and audit AD health: Doing so will enable you to troubleshoot outages and other issues more quickly (Active Directory Pro).
- Define a naming convention at the beginning: This will go a long way in keeping AD organized as you scale (Active Directory Pro).
- Clean up AD regularly: Remove obsolete users, computers, and group accounts on a regular cadence. Doing so will help maintain security and organization (Active Directory Pro).
- Get your domain time right: Having the right time on all domain controllers, member servers and machines is important for Kerberos authentication and for making sure changes are distributed correctly (Active Directory Pro).
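As an added example (not part of the original post), the following read-only PowerShell check covers three of the recommendations above: reviewing Domain Admins membership, finding stale accounts to clean up, and verifying domain controller time. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; $StaleDays and $ReportDir are placeholder values.

```powershell
# Added example, not from the original post: a read-only hygiene check for
# three of the best practices above (limit Domain Admins, clean up stale
# accounts, keep domain time right). Assumes the RSAT ActiveDirectory module
# is installed and the caller has read access to the domain. $StaleDays and
# $ReportDir are assumed values for this example; adjust them to your policy.
Import-Module ActiveDirectory

$StaleDays = 90                                  # assumed inactivity threshold
$ReportDir = Join-Path $env:TEMP 'ad-hygiene'    # assumed output location
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Limit accounts in the Domain Admins group: enumerate nested membership
#    so the list can be reviewed against who actually needs superuser access.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet
Write-Host "Domain Admins (recursive): $($domainAdmins.Count) user accounts"
$domainAdmins |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
$domainAdmins | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'domain-admins.csv')

# 2. Clean up AD regularly: enabled users and computers that have not logged on
#    in $StaleDays days are candidates for disabling and, later, removal.
#    lastLogonTimestamp replicates lazily (up to 14 days behind), so treat the
#    output as a review list rather than something to delete automatically.
$span = [TimeSpan]::FromDays($StaleDays)
$staleUsers = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
    Where-Object { $_.Enabled }
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
    Where-Object { $_.Enabled }
Write-Host "Enabled users inactive for $StaleDays+ days:     $($staleUsers.Count)"
Write-Host "Enabled computers inactive for $StaleDays+ days: $($staleComputers.Count)"
$staleUsers     | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'stale-users.csv')
$staleComputers | Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'stale-computers.csv')

# 3. Get your domain time right: Kerberos tolerates only a small clock skew
#    (5 minutes by default), so report every DC's offset from the time source
#    and which peer each DC is actually synchronizing from.
Write-Host "Time offsets reported by each domain controller:"
w32tm /monitor

Get-ADDomainController -Filter * | ForEach-Object {
    Write-Host "--- $($_.HostName) ---"
    w32tm /query /computer:$($_.HostName) /source
}

Write-Host "CSV reports written to $ReportDir"
```

Run it from an elevated PowerShell session on a management workstation rather than on a domain controller, in keeping with the recommendation above not to use a DC like a regular computer.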
How do you secure Active Directory?
Many of the best practices listed above get to the heart of this: keep your AD instance patched, up-to-date, and utilize principles of least privilege. Don’t use your domain controller for anything other than the roles required for domain services.
When it comes to physical security, you could consider locking up the server room, having alarms at all access points, keeping the premises under video surveillance, and also setting up flood alarms and fire prevention systems.
You’ll also have to train any users who have access to AD about how to stay secure. Read our in-depth guide to security training, Security Training 101: Employee Education Essentials.
How do you ensure high availability with AD?
There’s no one-size-fits-all formula for how to achieve high availability (HA) for your Active Directory instance. Different organizations have different uptime needs and standards. But redundancy is a “must-have” for all except the least risk-averse admins. The approach we see most commonly at SMBs is to have one primary domain controller in the production environment and then a second DC to serve as a failover. This general strategy of redundancy can be scaled up for larger organizations and enterprises.
Can Active Directory work with Macs?
Technically, yes, Active Directory can work for Macs®. But the user and system management capabilities of AD are curtailed with Macs when compared to the functionality with Windows systems. Deep, automated control over Mac systems has conventionally been achieved only with the help of third-party directory extensions or MDMs (mobile device managers). Tight control over users, including provisioning, deprovisioning, and permission modifications, is also challenging on Macs when using AD.
We’ve put together a resource on this topic called best practices for integrating Macs with Active Directory.
Why learn Active Directory?
Knowing how to use AD is a valuable skill—and one that’s broadly applicable at organizations worldwide. Learning AD is particularly valuable if you want to work in IT supporting Windows devices, Azure cloud services, SharePoint, and many other enterprise software products and platforms.
That said, it’s possible to advance a career in IT without ever learning AD. Modern, cloud-forward organizations are bypassing on-prem AD altogether and going straight to cloud-based directory services. You can practice with directory services by taking advantage of a free Directory-as-a-Service® account.
Evaluating Active Directory
Is Active Directory free?
This is a common misconception. While AD is technically included with Windows Server, the servers it runs on certainly aren’t, and Microsoft cleverly makes its money from AD customers through licensing to Windows Server. The cost of CALs (Client Access License) ensures that organizations using AD will keep paying Microsoft month after month.
But CALs are just the surface level cost. We’ve created a guide to budgeting for Active Directory that includes the cost of associated infrastructure, Windows Server software, Mac and Linux® binding, identity federation, maintenance & administration, and security. The cost of AD varies widely from organization to organization, but it is never completely free.
How can I calculate the cost of Active Directory?
We have a pretty straightforward equation for estimating the cost of AD:
Costs of Active Directory =
servers + software + hosting + backup + security + monitoring + VPNs
+ IT admin + third-party SW + multi-factor authentication + governance
That said, the real cost of AD for your specific use case is not as straightforward. If you would like access to our directory service ROI calculator, you can request one here.
What size organizations need AD?
The larger a company is, the more likely it is to use Active Directory. Enterprises, universities, and government organizations all need directory services in order to efficiently and securely manage access to their thousands of IT resources.
While smaller organizations have been able to get by without Active Directory (some use G Suite™ or SSO as their user directory), many small teams still choose to implement AD in order to improve security and efficiency. Usually, it’s when an organization grows to about 20 team members when the people responsible for all of the IT infrastructure begin to think that it’s time for directory services.
What are the advantages and disadvantages of Active Directory?
To put it in terms of simple benefits, Active Directory offers these advantages:
- Greater administrative control over Windows resources
- Improved efficiency for users and admins
- More secure Windows systems, networks, & data
- Reliable and thorough reporting for auditing & compliance
But Active Directory also comes with its disadvantages:
- Reduced functionality with Mac & Linux systems
- Difficult to configure and manage
- Requires on-premises hardware
- High upfront costs
- Limited connectivity to cloud apps & infrastructure
For more info, see the pros and cons of Active Directory and LDAP.
When is Active Directory needed?
Most anything that Active Directory does can be done on an individual system without Active Directory. For instance, setting up a new user for a laptop or instituting a certain security setting can all be done manually from the OS. But the key word there is manual. Active Directory is needed once an organization has reached a size where manual administration over its systems and IT resources is no longer feasible. The ability for AD to perform group-based management tasks across users and Windows systems, at scale, is what has made it a ‘must-have’ at large organizations.
Another common reason Active Directory is needed is when an organization is subject to auditing and compliance requirements. The stringent security demands of regulatory statutes such as HIPAA, PCI, and GDPR often “force the hand” of organizations that may otherwise not need AD.
Do I need AD to pass our audit?
This really depends on your compliance needs—are you facing an audit from PCI, HIPAA, SOX, SSAE 16, or ISO? But the short answer is that you never need AD to pass an audit. Generally speaking, directory services can be very helpful in achieving compliance since they can (1) secure identities, (2) limit access to critical resources and data, and (3) simplify the auditing, logging, and reporting processes. That said, Active Directory is only one of an assortment of possible directory solutions that can help boost your security.
Learn more about how JumpCloud helps with security and compliance.
When shouldn’t you use Active Directory?
Active Directory is ideal for on-prem, Windows-based IT environments. If your IT environment doesn’t fit within this model, you should consider looking into Active Directory alternatives. For example, if you leverage Mac® and Linux® systems, web-based applications, cloud servers, wireless networks, or non-Windows file servers, you will need add-on solutions in order to integrate these resources with Active Directory. In the long run this will end up increasing costs and reducing productivity.
Are there any alternatives to AD?
Yes, there are a few alternatives to Microsoft Active Directory. It all depends on what you want. Some organizations consider manual user and system management a viable alternative to AD. Manual management is feasible up to a point, but it simply doesn’t scale.
The conventional competitor to AD is OpenLDAP™. You can think of this as the open source alternative to AD. But OpenLDAP isn’t really a true alternative to AD. It is a directory service, but it doesn’t match up with AD feature for feature, and the overall level of technical expertise to configure and maintain an OpenLDAP instance is demanding.
More recently, web-based IAM tools have emerged that offer a degree of identity and access management. These are the SSO providers of the world, along with major players like Google and their G Suite platform for businesses and organizations. That said, the “browser-first” approaches to IAM have always fallen short when it comes to the feature set of true directory services (i.e. user and system management). It would be a stretch to call SSO or G Suite an alternative to AD, but if you’re fine with a limited feature set, it’s possible.
You could also consider MDM solutions here. Again, they provide some AD-like capabilities, but fall short of true directory services.
Finally, there are cloud-directory services, exemplified by our own Directory-as-a-Service. Think of JumpCloud as Active Directory and LDAP reimagined for modern IT. JumpCloud’s diverse feature set includes the robust, group-based system management that directory services are known for, but it does it across Windows, Mac, and Linux – securely connecting a single user identity to their workstation, files, networks, and apps – without the need for a domain controller.
Still Looking For Answers? What Did We Miss?
We want this to be an authoritative guide, so if you have any additional questions that we didn’t answer, please reach out to us and let us know. We’re happy to take a swing at additional questions about AD or consider amending an answer if you can shed further light on one of them. That’s the only way we’ll be able to truly make this an ultimate FAQ.
Got questions about JumpCloud or Directory-as-a-Service? We’ve got answers for you on our own FAQ page.