Active Directory and LDAP Fundamentals for IT Admins

February 26, 2026 Editorial Team 7 min read

Active Directory (AD) has been the backbone of enterprise identity management for over two decades. Whether you are a junior sysadmin inheriting an existing domain or a consultant designing a new environment, understanding AD concepts, LDAP fundamentals, and modern hybrid identity with Microsoft Entra ID is essential. This article covers the core building blocks, Group Policy basics, security best practices, and how cloud-only identity compares.

What Is a Directory Service?

A directory service is a centralised database that stores information about users, computers, groups, and other resources on a network. It allows administrators to manage identities and access from a single location rather than configuring each device individually. Think of it as a phone book for your network: when a user logs in, the directory service verifies their credentials and determines what resources they are allowed to access.

Microsoft's implementation of a directory service is Active Directory Domain Services (AD DS), commonly referred to simply as Active Directory. It uses the Lightweight Directory Access Protocol (LDAP) as its primary access protocol and Kerberos for authentication.

LDAP Protocol Basics

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol for accessing and maintaining distributed directory information services. It operates over TCP/IP, on port 389 for unencrypted (or StartTLS-upgraded) connections and port 636 for LDAPS (LDAP over TLS); Active Directory additionally exposes the forest-wide Global Catalog on ports 3268 and 3269. LDAP organises data in a hierarchical tree structure called the Directory Information Tree (DIT). Each entry in the tree has a unique Distinguished Name (DN), for example: CN=John Smith,OU=Staff,DC=example,DC=com,DC=au.

Common LDAP operations include Bind (authenticate), Search (query entries), Add, Delete, Modify, and Compare. While Active Directory is the most widely deployed LDAP-compatible directory, other implementations exist, including OpenLDAP, 389 Directory Server, and Apache Directory Server.

Unencrypted LDAP (port 389) transmits credentials in clear text during simple binds. SASL binds using Kerberos or NTLM do not expose the password itself, but without signing and sealing the session can still be tampered with and the directory data returned is readable on the wire. Always use LDAPS (port 636) or StartTLS in production, and require signing for SASL binds. Microsoft shipped the LDAP channel binding and signing hardening for domain controllers in March 2020 (ADV190023) but did not turn enforcement on by default; before you enforce it, check the Directory Service log on each DC for Event ID 2887, a 24-hour summary of unsigned and clear-text binds, and raise the LDAP Interface Events diagnostic level to log Event ID 2889, which names each client still binding insecurely.
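The Bind and Search operations above are usually driven by user-supplied input (a login form, a lookup field), which is where LDAP injection lives. The following Python is an added example, not code from the article: it runs offline on constructed input and shows the unsafe and escaped forms of a login filter (RFC 4515 escaping), DN value escaping (RFC 4514), and how the article's DN splits into its RDNs. The attribute names and DN values are illustrative.

```python
"""Safe LDAP filter and DN handling. Added example, not code from the
article; all input below is constructed and the code runs offline.

It shows the failure mode behind Bind/Search on user-supplied input
(LDAP injection), value escaping for search filters (RFC 4515) and for
Distinguished Names (RFC 4514), and splitting a DN into its RDNs.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514 section 2.4: characters that need a leading backslash in an RDN value.
_DN_SPECIALS = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text before it is placed in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (e.g. a CN containing a comma)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs = ch in _DN_SPECIALS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0)
        out.append("\\" + ch if needs else ch)
    return "".join(out)


def login_filter_unsafe(username: str) -> str:
    """Concatenation straight into the filter: the LDAP-injection bug."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def login_filter_safe(username: str) -> str:
    """Same filter with the value escaped; '*' becomes a literal asterisk."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring \\x and \\XX escapes.

    Multi-valued RDNs (a=1+b=2) are kept as a single value for simplicity."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1 : i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:    # \2c style hex escape
                buf.append(chr(int(pair, 16)))
                i += 3
            else:                                       # \, style escape
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":                                   # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip(), val))
    return pairs


def parent_dn(dn: str) -> str:
    """The container an entry sits in: the DN minus its first RDN, re-escaped."""
    return ",".join(f"{a}={escape_dn_value(v)}" for a, v in parse_dn(dn)[1:])


if __name__ == "__main__":
    # Constructed input: a wildcard typed as the username on a login form.
    print(login_filter_unsafe("*"))    # matches every user object
    print(login_filter_safe("*"))      # matches only a literal '*'
    print(parse_dn(r"CN=Smith\, John,OU=Staff,DC=example,DC=com,DC=au"))
```

With the unsafe builder, a username of `*` turns a "does exactly one entry match?" login check into a query that returns every user; the escaped form sends `\2a`, which the server treats as a literal asterisk. Real client libraries ship equivalent escaping helpers; the point is that they must be called on every value that lands in a filter or DN.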

Active Directory Components

Active Directory is built from several logical and physical components that work together to provide identity and access management across an organisation.

Domain Controllers (DCs) are the servers that host the AD DS database and handle authentication requests. Every domain has at least one DC, and best practice is to deploy a minimum of two for redundancy. Changes are replicated between DCs using a multi-master replication model.

Domains are the core administrative boundary in AD. A domain is a logical grouping of objects (users, computers, groups) that share the same AD database and security policies. Trees are collections of domains that share a contiguous DNS namespace (e.g. example.com.au and sub.example.com.au). Forests are the top-level container and represent the security boundary; a forest can contain one or more trees. Trust relationships between forests can be established to allow cross-forest authentication.

Organisational Units (OUs) are containers within a domain used to organise objects and delegate administrative control. OUs are also the targets for Group Policy Objects (GPOs), which allow administrators to enforce configurations, security settings, and software deployments across users and computers.

Azure AD and Microsoft Entra ID

As organisations move workloads to the cloud, Microsoft introduced Azure Active Directory, now rebranded as Microsoft Entra ID. Entra ID is a cloud-native identity provider that handles authentication for Microsoft 365, Azure services, and thousands of third-party SaaS applications via protocols such as SAML, OAuth 2.0, and OpenID Connect.

Most organisations today operate in a hybrid identity model, where an on-premises Active Directory is synchronised to Entra ID using Microsoft Entra Connect (formerly Azure AD Connect). This allows users to sign in with the same credentials whether they are accessing an on-premises file server or a cloud-based application like SharePoint Online.

Microsoft Entra ID is not simply Active Directory hosted in the cloud. It uses different protocols (OAuth/SAML instead of Kerberos/LDAP), does not support Group Policy, and has a flat structure rather than OUs and forests. Plan your hybrid architecture with these differences in mind.

User and Group Management

In Active Directory, users and groups are the fundamental objects for controlling access. User accounts represent individual people (or service accounts for applications). Security groups bundle users together so that permissions can be assigned to the group rather than to individual users. AD supports several group scopes: Domain Local groups for assigning permissions to resources, Global groups for organising users within a domain, and Universal groups for cross-domain access within a forest.

A widely recommended best practice is the AGDLP nesting strategy: place user Accounts into Global groups, nest Global groups into Domain Local groups, and assign Permissions to the Domain Local groups. This approach simplifies permission management in multi-domain environments and makes auditing straightforward.
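To make the AGDLP chain concrete, here is an added Python example (not code from the article) that models a small constructed directory: users in Global groups, Global groups nested into Domain Local groups, and share permissions granted to the Domain Local groups. It expands nested membership the way AD resolves it (nesting can be deep and can even loop), reports each user's effective access to a share, lists the chain that grants it, and flags the two classic departures from AGDLP. All user, group and share names are assumptions for the demo.

```python
"""AGDLP resolved in code. Added example, not from the article; the users,
groups, shares and permissions are constructed.

Accounts sit in Global groups, Global groups nest into Domain Local groups,
and permissions are granted to Domain Local groups only. The code expands
nested membership (AD permits arbitrary nesting, including loops), reports
each user's effective access to a share, explains the chain that grants it,
and flags departures from AGDLP.
"""
from collections import defaultdict, deque

RANK = {"Read": 1, "Modify": 2, "FullControl": 3}

# Constructed directory. Members may be user names or other group names.
GROUPS = {
    "G-Finance-Staff": {"scope": "Global", "members": ["jsmith", "akhan"]},
    "G-Finance-Leads": {"scope": "Global", "members": ["mlee", "G-Finance-Staff"]},
    "DL-FinShare-RW":  {"scope": "DomainLocal", "members": ["G-Finance-Leads"]},
    "DL-FinShare-RO":  {"scope": "DomainLocal", "members": ["G-Finance-Staff", "bwong"]},  # user placed directly: AGDLP break
}
# Constructed ACLs: share -> {group: permission}.
ACL = {
    r"\\fs01\Finance": {"DL-FinShare-RW": "Modify", "DL-FinShare-RO": "Read"},
    r"\\fs01\Budget":  {"G-Finance-Leads": "Modify"},   # granted to a Global group: AGDLP break
}


def expand_members(group: str) -> set[str]:
    """Every user reachable through nested membership (loop-safe)."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for m in GROUPS[queue.popleft()]["members"]:
            if m not in GROUPS:
                users.add(m)
            elif m not in seen:
                seen.add(m)
                queue.append(m)
    return users


def effective_access(share: str) -> dict[str, str]:
    """Highest permission each user ends up holding on a share."""
    result: dict[str, str] = {}
    for group, perm in ACL[share].items():
        for user in expand_members(group):
            if RANK[perm] > RANK.get(result.get(user, ""), 0):
                result[user] = perm
    return result


def access_paths(user: str, share: str) -> list[list[str]]:
    """Each nesting chain from a user to a group on the share's ACL (audit trail)."""
    parents = defaultdict(list)
    for name, g in GROUPS.items():
        for m in g["members"]:
            parents[m].append(name)
    paths, stack = [], [[user]]
    while stack:
        chain = stack.pop()
        if chain[-1] in ACL[share]:
            paths.append(chain)
        for p in parents[chain[-1]]:
            if p not in chain:          # loop guard
                stack.append(chain + [p])
    return sorted(paths)


def agdlp_violations() -> list[str]:
    """Users inside Domain Local groups, and permissions not granted via a Domain Local group."""
    out = []
    for name, g in GROUPS.items():
        if g["scope"] == "DomainLocal":
            out += [f"user {m} is a direct member of Domain Local group {name}"
                    for m in g["members"] if m not in GROUPS]
    for share, aces in ACL.items():
        out += [f"{share}: permission granted to {GROUPS[grp]['scope']} group {grp}"
                for grp in aces if GROUPS[grp]["scope"] != "DomainLocal"]
    return out


if __name__ == "__main__":
    print(effective_access(r"\\fs01\Finance"))
    print(access_paths("jsmith", r"\\fs01\Finance"))
    print("\n".join(agdlp_violations()))
```

The audit value is in `access_paths`: when a user turns out to have Modify on a share, the chain shows which Global group membership caused it, which is the question a reviewer (or an attacker mapping the domain) actually asks. The same expansion is what a DC performs when it builds a token, so long or looping nesting chains cost real logon time.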

Group Policy Basics

Group Policy is one of the most powerful features of Active Directory. A Group Policy Object (GPO) is a collection of settings that can be applied to users or computers within an OU, domain, or site. GPOs can control a vast range of behaviours, from password complexity requirements and screen lock timeouts to software installation and firewall rules.

GPOs are processed in a specific order known as LSDOU: the Local policy first, then Site-linked, Domain-linked, and finally OU-linked GPOs, parent OU before child OU. Because the last setting written wins, the GPO linked closest to the user or computer normally takes precedence; within one container, the link with link order 1 is applied last and therefore wins. Two modifiers change this. Block Inheritance on an OU stops non-enforced GPOs from higher containers applying to it, and an Enforced link is applied after everything else, overriding both Block Inheritance and GPOs linked lower down (when several links are enforced, the one linked highest in the hierarchy wins). Administrators can use the Resultant Set of Policy (RSoP) tool or gpresult /r to see which policies actually applied to a given user or computer.
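The interaction of LSDOU, link order, Block Inheritance and Enforced is easier to see by running it. The Python below is an added example, not code from the article: it models a constructed hierarchy (a Sydney site, the domain, OU=Workstations with Block Inheritance, and OU=Finance beneath it, with made-up GPO names and settings) and computes the resultant settings the way Group Policy would, reporting which GPO supplied each value. The treatment of the local GPO (always processed, never blocked) is part of the model's assumptions.

```python
"""Group Policy precedence (LSDOU, Enforced, Block Inheritance) worked in
code. Added example, not from the article; the site, OUs, GPO names and
settings below are constructed.

Rules modelled:
  * containers apply Local -> Site -> Domain -> OUs (parent before child);
  * within one container, link order 1 is applied last, so it wins;
  * Block Inheritance on an OU discards non-enforced links from every
    container above that OU (the local GPO is not a link and still applies);
  * Enforced links are applied after all others, in reverse container
    order, so an enforced domain link beats an enforced OU link.
Last writer wins for each setting.
"""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict


@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False


@dataclass
class Container:
    name: str                                   # "Local", "Site:...", "Domain", "OU=..."
    links: list = field(default_factory=list)   # ordered: link order 1 first
    block_inheritance: bool = False


def apply_order(chain: list[Container]) -> list[Link]:
    """Links in the order Group Policy applies them for an object in chain[-1]."""
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    ordered = []
    for i, c in enumerate(chain):
        if i == 0 or i >= block_at:             # chain[0] is the local GPO, never blocked
            ordered += [ln for ln in reversed(c.links) if not ln.enforced]
    for c in reversed(chain):                   # enforced links last, highest container wins
        ordered += [ln for ln in reversed(c.links) if ln.enforced]
    return ordered


def resolve(chain: list[Container]) -> tuple[dict, dict]:
    """Resultant settings and, per setting, the GPO that supplied the value."""
    settings, winners = {}, {}
    for ln in apply_order(chain):
        for key, value in ln.gpo.settings.items():
            settings[key] = value
            winners[key] = ln.gpo.name
    return settings, winners


def sample_chain(block: bool = True) -> list[Container]:
    """Constructed hierarchy: a workstation in OU=Finance under OU=Workstations."""
    return [
        Container("Local", [Link(Gpo("Local", {"ScreenLockSeconds": 3600}))]),
        Container("Site:Sydney"),
        Container("Domain", [
            Link(Gpo("Default Domain Policy", {"ScreenLockSeconds": 1200, "AuditLogon": "Success"})),
            Link(Gpo("Corp-Security-Baseline", {"ScreenLockSeconds": 300}), enforced=True),
        ]),
        Container("OU=Workstations",
                  [Link(Gpo("WS-Baseline", {"ScreenLockSeconds": 900, "FirewallProfile": "Domain:On"}))],
                  block_inheritance=block),
        Container("OU=Finance",
                  [Link(Gpo("Finance-Apps", {"FirewallProfile": "Domain:On,Public:On"}))]),
    ]


if __name__ == "__main__":
    for block in (True, False):
        settings, winners = resolve(sample_chain(block))
        print(f"Block Inheritance on OU=Workstations: {block}")
        for key in sorted(settings):
            print(f"  {key} = {settings[key]}  (from {winners[key]})")
```

With Block Inheritance on, the non-enforced Default Domain Policy never reaches the Finance workstation (so its AuditLogon setting is missing), yet the enforced Corp-Security-Baseline still wins the screen-lock timeout over the OU's own 900-second value. Switch the block off and the audit setting returns while the enforced baseline still wins, which is exactly the behaviour gpresult /r would show.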

AD Security Best Practices

Active Directory is a prime target for attackers because compromising it can grant access to the entire organisation. The following best practices significantly reduce risk:

Tiered administration model: Microsoft recommends a three-tier model separating administrative access for domain controllers and other identity infrastructure (Tier 0), servers and applications (Tier 1), and workstations (Tier 2). Administrators at each tier use dedicated accounts, and a higher-tier credential is never used to log on to a lower-tier host; enforce this with logon restrictions rather than policy alone, so that a compromised workstation cannot yield a Tier 0 credential for lateral movement.

Local Administrator Password Solution (LAPS): LAPS automatically manages and rotates the local administrator password on each domain-joined machine, storing it in an AD attribute whose ACL limits who can read it. This prevents attackers from reusing a single compromised local admin password across the entire fleet. The newer Windows LAPS, built into Windows 10 and 11 and Windows Server 2019 and later since the April 2023 updates (and into Windows Server 2025), adds Entra ID as a backup target and optional encryption of the stored password.

Auditing and monitoring: Enable advanced audit policies for logon events, privilege use, directory service changes, and account management. Forward these logs to a SIEM or log aggregation platform for alerting. Pay particular attention to Event ID 4728 (a member was added to a security-enabled global group), its siblings 4732 and 4756 for domain local and universal groups, and Event ID 4672 (special privileges assigned to a new logon). On its own 4672 is noisy, since machine accounts and every administrator logon raise it; its value comes from correlating the account with the host it appeared on.
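Here is what the alerting logic for those two events looks like in practice, as an added Python example (not code from the article) run over constructed sample events. The event IDs and field names match the Windows Security log; the privileged-group watch-list, the Tier 0 hosts and accounts, and the hostnames are assumptions for the demo.

```python
"""Detection rules for the two Security-log events the article highlights,
run over constructed sample events. Added example, not from the article.
Event IDs 4728 and 4672 and their field names are real; the watch-lists,
hostnames and accounts are assumptions for the demo.
"""
import json
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}  # assumed
TIER0_HOSTS = {"DC01", "DC02"}          # assumed: the only hosts where Tier 0 admin logons belong
TIER0_ACCOUNTS = {"adm-t0-jsmith"}      # assumed: dedicated Tier 0 admin accounts

# Constructed events, one JSON object per line, as a SIEM might forward them.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "adm-t0-jsmith",
     "MemberName": "CN=Jane Doe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk1",
     "MemberName": "CN=Print Svc,OU=Service,DC=corp,DC=example", "TargetUserName": "G-Finance-Staff"},
    {"EventID": 4672, "Computer": "WS-0421.corp.example", "SubjectUserName": "adm-t0-jsmith",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4672, "Computer": "DC02.corp.example", "SubjectUserName": "adm-t0-jsmith",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4672, "Computer": "DC01.corp.example", "SubjectUserName": "DC01$",
     "PrivilegeList": "SeTcbPrivilege"},
])


def parse_events(log_text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def hostname(fqdn: str) -> str:
    return fqdn.split(".")[0].upper()


def check_event(ev: dict) -> Optional[dict]:
    """Return an alert for one event, or None if it is expected activity."""
    eid = ev.get("EventID")
    if eid == 4728:
        # A member was added to a security-enabled global group.
        if ev["TargetUserName"] in PRIVILEGED_GROUPS:
            return {"rule": "privileged-group-add", "severity": "high",
                    "detail": f'{ev["SubjectUserName"]} added {ev["MemberName"]} to {ev["TargetUserName"]}'}
        return None
    if eid == 4672:
        # Special privileges assigned to new logon. Machine accounts fire this constantly.
        who = ev["SubjectUserName"]
        if who.endswith("$"):
            return None
        # Tier 0 credential used on a host outside Tier 0: the lateral-movement precursor.
        if who in TIER0_ACCOUNTS and hostname(ev["Computer"]) not in TIER0_HOSTS:
            return {"rule": "tier0-credential-off-tier", "severity": "high",
                    "detail": f'{who} received {ev["PrivilegeList"]} on {ev["Computer"]}'}
    return None


def analyse(log_text: str) -> list[dict]:
    """All alerts raised over a log, in event order."""
    return [a for a in (check_event(e) for e in parse_events(log_text)) if a]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f'[{alert["severity"]}] {alert["rule"]}: {alert["detail"]}')
```

Of the five constructed events, only two should page anyone: the addition to Domain Admins, and the Tier 0 account receiving SeDebugPrivilege on a workstation. The same account on DC02 is its normal job, and the DC01$ event is the machine account noise that makes raw 4672 alerting unusable.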

Never grant Domain Admin privileges to service accounts or day-to-day user accounts. A compromised Domain Admin account gives an attacker full control over every object in the domain. Use dedicated, tightly scoped accounts with the minimum privileges required.

Frequently Asked Questions

Can I run Active Directory in the cloud?

Yes. You can host domain controllers on infrastructure-as-a-service VMs in Azure or AWS. Alternatively, Microsoft Entra Domain Services (formerly Azure AD DS) provides a managed domain in the cloud without the need to manage domain controller VMs yourself. For a pure cloud-only identity model without traditional AD, you would use Entra ID with Intune for device management instead of Group Policy.

What is the difference between a domain and a forest?

A domain is a logical grouping of objects that share the same database and security policies. A forest is the top-level security boundary that can contain one or more domains (organised into trees). Domains within the same forest are linked by automatic two-way transitive trusts, so users in one domain can authenticate to resources in another; domains in different forests require explicitly created trust relationships.

Should we go cloud-only with Entra ID?

If your organisation has no legacy on-premises applications, no file servers requiring Kerberos authentication, and all workloads run in the cloud, a cloud-only Entra ID approach is simpler and eliminates the need to maintain domain controllers. However, most established organisations have at least some on-premises dependencies, making a hybrid model the practical choice. Evaluate your application portfolio before deciding.

How do we migrate from on-premises AD to Entra ID?

Migration is typically a phased approach. Start by deploying Microsoft Entra Connect to synchronise identities. Move authentication to the cloud using password hash synchronisation or pass-through authentication. Gradually migrate applications to cloud-native protocols (SAML/OAuth). Replace Group Policy with Intune for device management. Once all dependencies on Kerberos, LDAP and Group Policy are removed, you can decommission the on-premises domain controllers.
