
Summary of Directory Services

Before we talk about Microsoft Active Directory®, it’s important to discuss directory services from a holistic perspective. A directory service can be thought of as a three-dimensional spreadsheet with users down the left-hand column and IT resources across the top in a row. Each cell indicates what type of access a particular user has for a given resource. For example, an administrator will have a different level of access compared to an end user. User information such as passwords, SSH keys, or other unique identifiers is stored in the directory, which acts as the authoritative source of truth for verifying a user’s identity and enables administrators to provision access to various resources accordingly.

Think of the entries in the spreadsheet model we described above as objects, which refers to both users and IT resources like systems, groups of objects, applications, networks, devices – essentially, any resource that can be managed by the directory service. Directory services describe how network objects can be organized within an IT network in such a way that administrators can easily control user access to these IT resources.

Directory services typically require users to authenticate their identity against the directory’s user database with a username and password (or other type of credentials) to gain access to managed resources. If the username and password match the associated credentials stored within the database, access is granted and the user can connect to their IT resources. If the username and password do not match, access is denied.

History and Development of Directory Services

The rise of computers dramatically improved the way we store and search for information. Yet, the amount of information we have access to has dramatically increased as well. Controlling who has access to that information is the core problem, especially since much of the information held within organizations today is confidential or proprietary. Directory services exist to address this issue.

The first widely accepted directory schema was the X.500 protocol. According to Boswell (2003), “The goal of X.500 was to cut through the babble of competing information repositories to define a single place where users from all nations could go to locate each other, learn about each other, discover common likes and dislikes, and eventually communicate freely to find a path to universal peace and brotherhood and the dawning of the Age of Aquarius” (1). While not specifically intended to be the modern equivalent of a directory service, it is easy to see how that form of a directory ultimately added the capability of access control. The X.500 protocol was the prototype for later directory service protocols like the Lightweight Directory Access Protocol (LDAP) and Kerberos, and defined various terms that are commonly used when discussing directories to this day.

Common Terms:

  • User – a digital representation of a person requesting access to a managed resource.
  • System – a computer managed by the directory services.
  • Object – represents a resource that can be managed by the directory service like user identities or IT resources.
  • Attribute – an additional element of data that helps to distinguish or add functionality to an object managed by the directory service.
  • Group – a container that enables administrators to organize network objects such as users, computers, and even other organizational units to form a logical administrative group.
  • Domain – describes the primary structure of a traditional directory that contains all related network objects managed by the directory service.

There are of course many other terms used when describing directory services. However, they generally build off of the common items listed above. Modern directory services are very complex and contain a huge amount of data. However, the primary reason directory services exist is simply to authenticate and authorize user access to IT resources, or, said another way, to connect people within an organization to the systems, applications, data, and networks that they need to do their jobs. This enables admins to control the flow of information within their domain to ensure that only the right person has access to the right resource. Once access has been granted, directory services help to simplify the user experience by making information available in a logical way and ensures that resources are easily accessible.
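To make the spreadsheet model and the terms above concrete, here is a small in-memory directory written as an added example for this post (it is not JumpCloud or Active Directory code). It models a domain holding user and system objects with attributes, groups that collect those objects, and an access matrix keyed by group and system; the constructed users, hostnames, passwords and access levels are illustrative. Authentication verifies a salted password hash with a constant-time comparison and runs the same hashing work for unknown usernames, and authorization is then looked up from the matrix, so a correct password on a resource the user was never granted still ends in a denial:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class DirectoryObject:
    """A managed network object: a user identity or an IT resource such as a system."""
    name: str
    kind: str                                    # "user" or "system"
    attributes: dict = field(default_factory=dict)


@dataclass
class Group:
    """A container of object names used to form a logical administrative unit."""
    name: str
    members: set = field(default_factory=set)


@dataclass
class Domain:
    """The primary structure holding every object, group and access rule."""
    name: str
    objects: dict = field(default_factory=dict)   # name -> DirectoryObject
    groups: dict = field(default_factory=dict)    # name -> Group
    access: dict = field(default_factory=dict)    # (group, system) -> level

ACCESS_RANK = {"none": 0, "user": 1, "admin": 2}
_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the directory never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(domain: Domain, username: str, password: str, **attrs) -> DirectoryObject:
    salt = os.urandom(16)
    user = DirectoryObject(username, "user",
                           {"salt": salt, "pw_hash": _hash_password(password, salt), **attrs})
    domain.objects[username] = user
    return user


def add_system(domain: Domain, hostname: str, **attrs) -> DirectoryObject:
    system = DirectoryObject(hostname, "system", dict(attrs))
    domain.objects[hostname] = system
    return system


def add_to_group(domain: Domain, group_name: str, member: str) -> None:
    domain.groups.setdefault(group_name, Group(group_name)).members.add(member)


def grant(domain: Domain, group_name: str, system_name: str, level: str) -> None:
    # One cell of the "spreadsheet": what a group may do on a given system.
    domain.access[(group_name, system_name)] = level


def authenticate(domain: Domain, username: str, password: str) -> bool:
    """Verify credentials against the directory's stored hash; never compare plaintext."""
    user = domain.objects.get(username)
    if user is None or user.kind != "user":
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which usernames exist.
        _hash_password(password, _DUMMY_SALT)
        return False
    candidate = _hash_password(password, user.attributes["salt"])
    return hmac.compare_digest(candidate, user.attributes["pw_hash"])


def access_level(domain: Domain, username: str, system_name: str) -> str:
    """Highest access level any of the user's groups grants on the system."""
    best = "none"
    for group in domain.groups.values():
        if username in group.members:
            level = domain.access.get((group.name, system_name), "none")
            if ACCESS_RANK[level] > ACCESS_RANK[best]:
                best = level
    return best


def connect(domain: Domain, username: str, password: str, system_name: str) -> str:
    """Full flow from the text: authenticate first, then authorize from the access matrix."""
    if not authenticate(domain, username, password):
        return "denied"
    level = access_level(domain, username, system_name)
    return "denied" if level == "none" else level


def build_demo_domain() -> Domain:
    # Constructed sample data: hypothetical users, hosts and passwords.
    d = Domain("corp.example")
    add_user(d, "alice", "correct horse", title="IT admin")
    add_user(d, "bob", "battery staple", title="analyst")
    add_system(d, "fileserver01", os="Windows")
    add_system(d, "buildbox", os="Linux")
    add_to_group(d, "admins", "alice")
    add_to_group(d, "staff", "alice")
    add_to_group(d, "staff", "bob")
    grant(d, "admins", "fileserver01", "admin")
    grant(d, "admins", "buildbox", "admin")
    grant(d, "staff", "fileserver01", "user")
    return d


if __name__ == "__main__":
    demo = build_demo_domain()
    for who, pw, host in [("alice", "correct horse", "buildbox"),
                          ("bob", "battery staple", "fileserver01"),
                          ("bob", "battery staple", "buildbox"),
                          ("bob", "wrong password", "fileserver01")]:
        print(f"{who}@{host}: {connect(demo, who, pw, host)}")
```

The split between `authenticate` and `access_level` is the point: a successful login proves who the user is, and the group-to-system matrix separately decides what that identity may touch, which is why the directory can be the single source of truth for both questions.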

Active Directory

Microsoft Active Directory

Active Directory is a directory service that offers management capabilities primarily for Windows® systems, applications, and networks. Just like prior directory services, AD is typically used to store information about network objects (e.g. users, groups, systems, networks, applications, digital assets, and many others) in a structured hierarchy designed to manage user access. This model allows admins to guarantee the right user is getting access to the right resource at the right time while offering enhanced control over Windows systems and applications.

Where Did Active Directory Come From?

Microsoft’s first attempt at directory services arrived in 1990 with the release of Windows NT 3.0, which combined many features of the LAN Manager protocols and of the OS/2 operating system. The NT network operating system environment slowly evolved over the next eight years by adapting standard directory protocols like LDAP and Kerberos with Microsoft’s own proprietary elements until Active Directory was first released in beta form in 1997 (4).

The first production version of Active Directory was demonstrated in 1999 and released for distribution in 2000. Many additional features have been added to AD since its initial release and it has evolved to support a variety of new innovations throughout the years. However, the core product has always remained a traditional directory service focused on managing Windows systems.

Directory Service for Windows Systems

Active Directory was designed to be the sole directory service necessary for managing Windows systems. It brought an OS-specific focus to the previous X.500 and LDAP directory protocols, which focused on creating a standard for the general structure of directories. When it was first released, enterprise systems and services were almost solely Windows systems, so it made sense at the time to have a directory service focused on Windows. Only recently did macOS and Linux systems begin to break into the market. As a result, AD has remained a very popular solution for managing directory services around the world, until now.

The Future of Identity Management Services


Windows systems have dominated the enterprise sector for the past few decades. However, macOS and Linux systems have entered the battle for the heart of IT within the past few years and are starting to give Microsoft a run for their money. Today, it is not uncommon to find a mixed OS environment (i.e. Windows, Mac, and Linux) running multiple non-Windows and SaaS applications. This is especially true for smaller and more recently established organizations. As a result, Active Directory — which was originally designed for and is still focused on a primarily on-prem Windows environment — has not been as effective at managing the heterogeneous cloud-forward IT ecosystem of the modern office.

For a lot of organizations, Active Directory represents the old way of identity and access management in many ways. For example, implementing AD still requires having a lot of infrastructure on-prem like domain controllers and VPNs that do not play nicely in the modern cloud environment. While there are ways to manage access to web applications with AD, any network admin will tell you that it certainly isn’t easy. However, the main issue with AD that many organizations face is the fact that Microsoft’s directory services are still primarily designed for Windows systems.

This isn’t to say that the AD model is a bad way of doing things. Yet, in an era of Software-as-a-Service (SaaS) based solutions, cloud delivered applications, and highly mobile employees working on disparate platforms — there is certainly a better way of managing user access. It’s no surprise then that many new organizations, and even former Microsoft customers, are starting to recognize the limitations of AD. This has opened the door for new players in the identity and access management (IAM) market.

Directory-as-a-Service® for Everyone

JumpCloud is the first comprehensive cloud identity management solution for the modern enterprise. With Directory-as-a-Service, administrators retain all of the familiar management features of AD that allowed for seamless control over legacy applications and on-prem resources. Administrators can still create a database of network objects and form meaningful relationships throughout in order to deliver the resources employees need to get the job done – this is called Groups in JumpCloud parlance.

However, we’ve taken a huge step forward by providing OS-neutral management for all of your systems and IT resources delivered securely from the cloud. Directory-as-a-Service was designed to be OS agnostic from the ground up, allowing for streamlined management across all of your Windows, macOS, and Linux systems. Furthermore, by delivering our services from the cloud, we have eliminated the need for on-prem infrastructure and dedicated IT staff, allowing for management from anywhere on Earth at the speed of light. In essence, Directory-as-a-Service instantiates the idea of a cloud-forward directory service with the power to provide the source of truth for user identities and manage access to any resource that works best for your organization.

Check out our solutions page to learn more about how Directory-as-a-Service stacks up against Active Directory and why IT organizations are replacing AD with cloud identity management. Sign up today and you and your first ten registered users can demo the full functionality of our product forever. You can also contact our team for any product related questions at any time.

Sources:

  1. Boswell, William. “Brief History of Directory Services.” Understanding Active Directory Services. Informit, 10 Oct. 2003. Web. 20 July 2017. <http://www.informit.com/articles/article.aspx?p=101405&seqNum=4>.
  2. Howes, Timothy A. The Lightweight Directory Access Protocol: X.500 Lite. Ann Arbor: Center for Information Technology Integration, University of Michigan, 27 July 1995. PDF. <http://www.openldap.org/pub/umich/ldap.pdf>.
  3. Nelson, Bill. “The Most Complete History of Directory Services You Will Ever Find.” Easy Identity – Identity Concepts Made Easy. Idmdude.com, 13 Apr. 2012. Web. 20 July 2017. <https://idmdude.com/2012/04/13/the-most-complete-history-of-directory-services-you-will-ever-find/>.
  4. Microsoft TechNet. “Active Directory Architecture.” Microsoft TechNet, n.d. Web. 14 July 2017. <https://technet.microsoft.com/en-us/library/bb727030.aspx>.
  5. Lowe-Norris, Alistair G., Joe Richards, Robbie Allen, and Brian Desmond. “Chapter 1. A Brief Introduction.” Active Directory. 5th ed. O’Reilly Media, 2013. Safari Books Online. O’Reilly Media, Inc., May 2013. Web. 20 July 2017. <https://www.safaribooksonline.com/library/view/active-directory-5th/9781449361211/ch01.html>.