Key points
- AD DS is the on-prem product; Entra ID (formerly Azure AD) is the cloud product — they are different services that interoperate via Entra Connect.
- Stores users, computers, groups, OUs in a forest of domains, applies policy via Group Policy Objects (GPOs).
- Authentication: Kerberos primarily, NTLM as legacy fallback. Queries: LDAP/LDAPS.
- Compromise of AD = total enterprise compromise. Almost every major breach in the last decade pivoted through AD.
- Modern strategy: harden + tier AD on-prem, integrate with Entra ID for cloud SSO, eventually retire on-prem AD where feasible.
What is Active Directory?
Active Directory (AD) is Microsoft's on-premises directory and authentication system. It's been the default identity backbone of Windows networks since 2000 and still authenticates users, computers, and services for the vast majority of enterprises worldwide.
AD is really a bundle:
- AD DS (Domain Services) — the directory itself: users, computers, groups, OUs, GPOs.
- Kerberos KDC — the authentication engine.
- LDAP server — the query interface.
- DNS — service location for domain controllers.
- Group Policy — policy distribution to domain-joined machines.
AD vs Entra ID
| | AD DS (on-prem) | Entra ID (cloud) |
| --- | --- | --- |
| Protocols | Kerberos, NTLM, LDAP | SAML, OIDC, OAuth, SCIM |
| Scope | Windows endpoints, on-prem apps, file shares | SaaS, Microsoft 365, modern apps |
| Management | Domain controllers, GPO | Entra portal, Intune, Conditional Access |
| Sync | Entra Connect synchronizes selected attributes | — |
They are different products. Entra ID is not "AD in the cloud." Many enterprises run both: AD for the on-prem footprint, Entra ID for everything cloud.
Why AD is the #1 attacker target
AD compromise = enterprise compromise. The attacker playbook is mature:
- Initial access — phishing, password spray, exposed RDP.
- Recon — BloodHound enumerates the AD graph.
- Privilege escalation — Kerberoasting, unconstrained delegation abuse, ACL abuse, GPO abuse.
- Persistence — Golden Tickets, DCShadow, AdminSDHolder backdoors, skeleton key.
- Lateral movement — Pass-the-Hash, Pass-the-Ticket, WMI / WinRM with admin creds.
Almost every ransomware case in the last five years (Conti, LockBit, BlackCat, Cl0p) involved AD compromise at some stage.
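The recon and privilege-escalation steps above leave traces in the Security log of every domain controller. As an added detection example (not from the original page, and not any vendor's rule), the script below scores Security event 4769 (Kerberos service ticket requested) for one classic Kerberoasting indicator: a single client and user requesting RC4 (TicketEncryptionType 0x17) service tickets for many distinct SPNs in a short window. The event field names are the real 4769 EventData names; the sample events, the thresholds and the client address are constructed for the demonstration.

```powershell
# Added example, not from the original page. Heuristic Kerberoasting detection
# over Security event 4769. Sample events below are constructed.

function ConvertFrom-Event4769 {
    # Flatten a real Get-WinEvent record into the shape Find-KerberoastCandidates expects.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            User    = $data['TargetUserName']       # requesting account
            Service = $data['ServiceName']          # account that owns the SPN
            Etype   = $data['TicketEncryptionType'] # 0x17 = RC4-HMAC, 0x12 = AES256
            Client  = $data['IpAddress']
        }
    }
}

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctSpns = 5,   # assumed threshold, tune per environment
        [int] $WindowMinutes   = 10   # assumed window, tune per environment
    )
    # RC4 tickets for user service accounts only; computer accounts ($) and the
    # krbtgt service are excluded as noise in this heuristic.
    $suspect = $Events | Where-Object {
        $_.Etype -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
    }
    foreach ($g in ($suspect | Group-Object Client, User)) {
        $sorted = @($g.Group | Sort-Object Time)
        $spns   = @($sorted | Select-Object -ExpandProperty Service | Sort-Object -Unique)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($spns.Count -ge $MinDistinctSpns -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Client        = $sorted[0].Client
                User          = $sorted[0].User
                DistinctSpns  = $spns.Count
                WindowMinutes = [math]::Round($span, 1)
                Services      = ($spns -join ', ')
            }
        }
    }
}

# Constructed sample: one burst of RC4 requests from 10.0.0.50, plus normal AES
# traffic and a single legitimate RC4 request that should not be flagged.
$t0 = [datetime]'2024-05-01T09:00:00'
$SampleEvents = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ Time = $t0.AddSeconds(10 * $i); User = 'alice'; Service = "svc-app$i"; Etype = '0x17'; Client = '::ffff:10.0.0.50' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); User = 'bob';   Service = 'svc-sql';  Etype = '0x12'; Client = '::ffff:10.0.0.51' }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); User = 'carol'; Service = 'svc-legacy'; Etype = '0x17'; Client = '::ffff:10.0.0.52' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); User = 'alice'; Service = 'WS01$';   Etype = '0x17'; Client = '::ffff:10.0.0.50' }
)

Find-KerberoastCandidates -Events $SampleEvents | Format-List
# Live use on a DC (elevated):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769 |
#     ForEach-Object { $_ } | Find-KerberoastCandidates -Events $input
```

On the constructed input only the alice/10.0.0.50 burst is reported (6 distinct SPNs within about a minute). The single RC4 request from carol illustrates the main false-positive source: legacy applications and service accounts without AES enabled in msDS-SupportedEncryptionTypes will still request RC4 tickets, so the count-and-window threshold, not the etype alone, carries the signal.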
Hardening priorities
- Tier model — Tier 0 (DCs, ADFS, PKI) isolated from Tier 1 (servers) and Tier 2 (workstations). Admin accounts pinned to their tier.
- Rotate the KRBTGT password twice on a schedule (kills latent Golden Tickets). Two resets are needed because the KDC still honours tickets signed with the previous KRBTGT password; space the resets far enough apart for replication to complete.
- Disable RC4, NTLMv1; minimize NTLM usage; require LDAP signing and channel binding.
- MFA on admins via Entra ID — federate AD admin sign-in through Entra Conditional Access where possible.
- Tier-0 admin workstations (PAWs) — separate hardware for DC admins.
- ITDR (Identity Threat Detection and Response) for AD — Microsoft Defender for Identity, Silverfort, Semperis, Quest.
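Several of the items above reduce to a handful of Group Policy settings on the domain controllers, which can be audited directly. The script below is an added example (not from the original page or any vendor tool) that reads the registry values those policies write and reports PASS or REVIEW for each: LDAP server signing and channel binding (NTDS parameters), the LM/NTLM compatibility level, the Kerberos encryption-type bitmask (RC4 is bit 0x4, AES128 0x8, AES256 0x10), and the age of the KRBTGT password. The 180-day KRBTGT threshold is an assumed policy value, not a Microsoft default; run it elevated on a DC with the ActiveDirectory RSAT module available for the KRBTGT check.

```powershell
# Added example, not from the original page. Audits a DC against the hardening
# items listed in this section. $KrbtgtMaxAgeDays is an assumed local policy.
$KrbtgtMaxAgeDays = 180

function Get-RegValue {
    # Returns $null when the value is absent, i.e. the policy was never set.
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AdHardening {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $krb  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

    $checks = @(
        @{ Name = 'LDAP server signing required'
           Value = (Get-RegValue $ntds 'LDAPServerIntegrity')
           Expected = '2 (require signing)'
           Pass = { param($v) $v -eq 2 } }
        @{ Name = 'LDAP channel binding enforced'
           Value = (Get-RegValue $ntds 'LdapEnforceChannelBinding')
           Expected = '2 (always)'
           Pass = { param($v) $v -eq 2 } }
        @{ Name = 'LM/NTLMv1 refused (LmCompatibilityLevel)'
           Value = (Get-RegValue $lsa 'LmCompatibilityLevel')
           Expected = '5 (send NTLMv2 only, refuse LM and NTLM)'
           Pass = { param($v) $v -eq 5 } }
        @{ Name = 'RC4 removed from Kerberos encryption types'
           Value = (Get-RegValue $krb 'SupportedEncryptionTypes')
           Expected = 'AES bits (0x8, 0x10) set, RC4 bit (0x4) clear'
           Pass = { param($v) ($null -ne $v) -and (($v -band 0x4) -eq 0) -and (($v -band 0x18) -ne 0) } }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Value    = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
            Expected = $c.Expected
            Status   = if (& $c.Pass $c.Value) { 'PASS' } else { 'REVIEW' }
        }
    }

    # KRBTGT password age; requires the ActiveDirectory module (RSAT).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
        $ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Check    = 'KRBTGT password age (days)'
            Value    = $ageDays
            Expected = "<= $KrbtgtMaxAgeDays (rotate twice, replication-spaced)"
            Status   = if ($ageDays -le $KrbtgtMaxAgeDays) { 'PASS' } else { 'REVIEW' }
        }
    }
}

Test-AdHardening | Format-Table -AutoSize
```

A value reported as `<not set>` means the corresponding policy has never been applied and the OS default is in effect; treat that as REVIEW rather than assuming the default is safe, since the defaults differ across Windows Server versions. The encryption-type check only covers the DC's own policy; service and user accounts still need AES enabled in msDS-SupportedEncryptionTypes before RC4 can be disabled domain-wide.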
Editorial note
There's a tempting narrative that "AD is going away." For most enterprises, it isn't — not this decade. The realistic strategy is harden + tier + ITDR for on-prem AD, while moving net-new workloads to Entra ID / cloud IdPs.
