Updated on August 14, 2024
Active Directory Domain Services (AD DS) is a crucial server role within Microsoft’s Active Directory (AD) platform that allows IT teams to manage and store information about enterprise resources. It helps IT teams organize resources (users, computers, devices) in a hierarchical containment structure that’s usually sorted into departments or business units.
Organizations can use AD DS to provide integrated security through single sign-on (SSO) and rights management for Windows networks. AD DS doesn’t support cross-OS device management or web apps on its own. This post explains how AD DS works, its core services, the terms you need to know, and the risks that its legacy technology poses.
What Is AD DS?
AD DS is the main service in AD, which is a legacy identity and access management (IAM) solution within the Windows Server operating system (OS) environment. AD DS stores and manages information about users, services, and devices connected to the network into a tiered structure. AD DS allows IT teams to streamline IAM services by serving as a centralized point of administration for all the activities on a centralized private network.
The servers that host AD DS are domain controllers (DCs). An organization can have multiple DCs, with each one storing a copy of the AD DS for the entire domain for high availability. AD DS also integrates with Azure hybrid services and Entra ID (formerly Azure AD), as well as non-Microsoft cloud directory platforms that can contain and modernize it.
A Brief History of AD DS
The modern IAM space kicked off with the introduction of lightweight directory access protocol (LDAP). Many directories later emerged in the IAM space, including email systems, internet white pages, and domain name systems (DNS). LDAP defined open standards.
At the time, LDAP served as a basis for two major directory services solutions: Microsoft AD, open source LDAP (OpenLDAP), and Novell NetWare. AD went on to become a commercial market leader, entrenching Microsoft into server rooms, while OpenLDAP became a popular open source market option. Microsoft was the overall “winner” in business adoption.
The main reason was that OpenLDAP strictly adhered to the LDAP standard, providing an affordable directory service for Unix and GNU/Linux based systems. However, a lack of integration features, complexity, and need for customization limited its use.
Microsoft extended and modified the protocol while adding support for business information systems. It also leveraged its extensive ecosystem and marketing prowess to promote AD, which quickly gained market share. Server hardware was also affordable and workers were on-site.
Both solutions became underlying technologies for identity providers (IdPs) worldwide. The idea behind an IdP was to create a central user and data store for an organization. User accounts would then be stored within the IdP alongside IT resource information.
These two sets of objects would then be interrelated to connect users to the IT resources that they needed, when they needed access. These resources, such as systems, applications, networks, and more, would each be tied directly to the user identities that needed them, as well as limited by the privileges of that specific user’s role.
In the case of AD DS, this was done largely for Windows networks and resources. The typical IT network at the time was virtually all Windows-based, so AD DS became very popular. A user could log in to their machine, and the AD DS would enable access to whatever the user needed and was authorized to.
How Does AD DS Work?
AD DS relies on various standards and protocols, including LDAP, Kerberos, and DNS, to organize directory information into a hierarchy. This hierarchy lets multiple domain services interoperate while users access, and administrators manage, the objects within it. The hierarchy includes the following components:
Domains
An AD domain is a set of objects such as users, endpoints, or groups that share the same AD database. A domain can have multiple sub-domains, which can then have their own sub-domains. Authenticating users within the domain operates through a transitive trust relationship.
Trees
A domain tree is a collection of one or more domains with a common, contiguous namespace, for example the subdomains or branches of the same company.
Forest
A collection of trees is called a forest, and the trees in a forest can have different namespaces. For instance, a company might have acquired another company with an entirely different domain. A forest is the highest-level logical container in any AD DS configuration and contains domains, devices, users, and group policies.
Each forest forms a single security boundary with one shared database and a single global address list. By default, an IT administrator or user in one forest cannot access another forest.
Organization unit (OU)
Organizational units are containers within AD for computers, groups, and users. The OU is the smallest unit to which IT teams can assign account permissions or group policy settings. Each OU can contain multiple OUs within it. However, an OU cannot contain AD objects from other domains.
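The following PowerShell script is an added example, not code from the original post or from JumpCloud: it walks the hierarchy just described (forest, domains, OUs with their linked GPOs) and then lists the trusts that cross the forest security boundary, flagging forest-wide trusts without selective authentication. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory and GroupPolicy modules installed.

```powershell
# Added example (not from the original post): inventory an AD DS forest's
# hierarchy and the trusts that cross its security boundary.
# Assumes RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)  RootDomain: $($forest.RootDomain)  Mode: $($forest.ForestMode)"

# Domains form trees under the forest; show each domain, its parent, and its DCs.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $parent = if ($domain.ParentDomain) { $domain.ParentDomain } else { '(tree root)' }
    Write-Host "Domain: $($domain.DNSRoot)  Parent: $parent  DCs: $($domain.ReplicaDirectoryServers -join ', ')"

    # OUs are the smallest unit that can receive GPO links. List each OU's linked
    # GPOs and flag blocked inheritance, a common source of unnoticed policy gaps.
    Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot | ForEach-Object {
        $inh   = Get-GPInheritance -Target $_.DistinguishedName -Domain $domain.DNSRoot
        $links = ($inh.GpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
        $flag  = if ($inh.GpoInheritanceBlocked) { ' [INHERITANCE BLOCKED]' } else { '' }
        Write-Host "  OU: $($_.DistinguishedName)  GPOs: $links$flag"
    }
}

# Trusts are the only path across the forest boundary; review every one of them.
Get-ADTrust -Filter * | ForEach-Object {
    $warn = if ($_.ForestTransitive -and -not $_.SelectiveAuthentication) {
        ' [forest-wide trust without selective authentication]'
    } else { '' }
    Write-Host "Trust: $($_.Name)  Type: $($_.TrustType)  Direction: $($_.Direction)  ForestTransitive: $($_.ForestTransitive)$warn"
}
```

Run it from an elevated session with a Domain Admin or equivalent read account; every cmdlet used is read-only.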
What Services Does AD DS Support?
AD DS provides a range of services for enterprise IT environments.
Domain Services
AD DS contains a centralized directory that lets domains and users communicate. For example, when users log in to Windows domain-based PCs, AD DS checks the submitted credentials and verifies whether they are IT administrators or regular users.
Lightweight Directory Services (LDS)
Active Directory Lightweight Directory Services (AD LDS) is a standalone LDAP server that can provide a dedicated directory for applications and application data. It is usually installed on a server that is not a domain controller. It is similar to Domain Services, but because it relies purely on LDAP it offers cross-platform capabilities. For example, IT teams can use AD LDS to enable Linux-based systems to function on an AD network.
Federation Services (FS)
AD FS provides SSO authentication capabilities. This allows users to sign in only once and access multiple services or applications in the same session.
Rights Management Services (RMS)
AD RMS provides persistent data protection capabilities by enforcing access policies and rights management. For example, it determines which folders users can access in the AD domain.
Certificate Services (CS)
Active Directory Certificate Services (AD CS) is a Windows Server role that must be set up and supported in order to issue and manage public key infrastructure (PKI) certificates (ports 2560, 9389). AD CS allows DCs to create and manage digital certificates, signatures, and asymmetric key cryptography. Users can leverage AD CS to encrypt and digitally sign electronic documents. However, it’s been associated with serious security risks.
Note: Microsoft has added cloud PKI to its Intune suite, which may foretell a potential end to this on-premises service.
A Legacy System
AD leaves security gaps and lacks controls that could prevent attacks. You’ll have to spend more to prop up AD in order to keep your identities safe. At least one industry expert has also raised concerns about Microsoft monetizing security and “abusing the term legacy” to sell more products versus fixing its issues.
A recent Kerberos bypass vulnerability made it possible to launch impersonation attacks. The answer was to patch quickly, which isn’t always realistic. Only Microsoft’s Defender for Identity service, which is a separate cost from Microsoft 365 packages, could detect the attack.
Those solutions are rarely consumed a la carte; customers purchase Microsoft 365 bundles, such as its E3 SKU. E3 bundles many products at one price and seems like a great bargain.
Reality sets in once admins recognize that these vast, vertically integrated suites of tools with apps for “everything” are a mismatch for their organization and limit their flexibility. The cost of licensing, implementing, integrating services, and training admins and users can be significant. You’ll pay to prop up AD, but you could still be at risk of identity theft.
Keeping your IdP independent and isolated can help to mitigate the risks.
JumpCloud Directory: A Modern Alternative to AD DS
While AD has dominated the IAM market for some time, it is struggling to keep up with today’s fast-paced and ever-changing IT environment. Since the mid-2000s, the IT space has seen companies adopt heterogeneous devices under the bring-your-own-device (BYOD) framework and support OSs like Linux and macOS, as well as mobile OSs like Android, iOS, and iPadOS.
These components introduce new access requirements, creating a hassle for IT teams to maintain security, compliance, and IT efficiency. This is largely because AD focuses on Windows environments. Besides heterogeneous IT environments, virtually all organizations are embracing cloud-based solutions. Such a cloud-forward status presents a significant challenge to organizations grounded on-prem with AD DS.
What Can JumpCloud Do for My AD Infrastructure?
Let’s get down to brass tacks: how and where can you use JumpCloud?
Where Can JumpCloud Eliminate AD?
Most organizations can migrate to a modern cloud directory to allow them to take advantage of the cloud, efficiency, and security.
- Domain-bound Windows devices and unbound cross-OS device types
- Windows servers including Windows File Servers
- M365, Azure resources, and on-device Office installations
- Third-party Windows applications using open standards (OIDC, SAML, LDAP, etc.)
- Multiple domains, multiple forests, multiple OUs
- Multi-organization trust situations, flattening security groups and OUs
Active Directory Integration (ADI) and Migration Utility tools help to migrate identities away from AD. ADI supports multiple workflows, providing flexibility while keeping necessary services for DHCP, DNS, faxing, file sharing, printing, virtualization, and more.
Where Can JumpCloud Contain AD?
Only enterprises with custom, homegrown applications will be unable to fully migrate. In that case, a containment strategy is implemented in which these apps and AD are ring-fenced.
- Legacy and custom applications that can’t update to modern auth protocols
- Highly customized AD schema and SharePoint workflows
- Certificate-based auth for network access
- Some multi-organization forest trust situations
Sign Up for a JumpCloud Demo
If you’d like to learn more about a better alternative to Active Directory, please reach out to us. Try JumpCloud for free and find out if it’s the right option for your organization’s journey away from AD.
Google, a JumpCloud partner, recommends the open directory platform for small and midsize enterprises (SMEs) to modernize AD.