
What Is Active Directory? A guide to AD, its components, and security

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft that stores and manages information about users, computers, and resources on a Windows network, and controls who can access what. It runs on Windows Server, was first released with Windows 2000, and is used by an estimated 90% of Fortune 1000 companies as the foundation of their identity and access management.

In practice, Active Directory answers two questions every time someone tries to use a corporate system: Who are you? (authentication) and What are you allowed to do? (authorization).

Administrators use Active Directory to manage thousands of users and devices from one place, enforce security policies across the organization, and give employees single sign-on access to the applications they need without configuring each machine individually.

What is Active Directory used for?

Active Directory is used for six core functions in an enterprise IT environment:

  1. Authentication — verifies the identity of users, computers, and services using passwords, Kerberos tickets, or certificates.
  2. Authorization — determines which resources an authenticated identity is allowed to access.
  3. Centralized identity management — stores every user, group, and device in a single directory database.
  4. Policy enforcement — applies security and configuration settings through Group Policy Objects (GPOs).
  5. Single sign-on (SSO) — lets users log in once and access multiple applications without re-authenticating.
  6. Resource discovery — helps users and applications locate servers, printers, and shared folders on the network.

Because AD underpins so many enterprise systems including Exchange, SharePoint, file shares, VPNs, and thousands of third-party applications, it is often described as the identity backbone of the modern enterprise.

How does Active Directory work?

Active Directory works by storing identity and resource information as objects in a hierarchical database that lives on specialized servers called domain controllers. When a user logs in, a domain controller verifies the credentials and issues a Kerberos ticket the user presents to access other systems on the network.

Here is the step-by-step flow of a typical AD login:

  1. A user enters their username and password on a domain-joined computer.
  2. The computer sends the credentials to the nearest domain controller.
  3. The domain controller checks the credentials against the AD database.
  4. If valid, AD issues a Kerberos Ticket-Granting Ticket (TGT).
  5. When the user accesses a resource (file share, application, server), their device presents the TGT to request a service ticket.
  6. The resource trusts the service ticket and grants access — no second login required.

Active Directory relies on four core protocols:

  • LDAP (Lightweight Directory Access Protocol) — used to query and update the directory
  • Kerberos — used for secure authentication
  • DNS (Domain Name System) — used to locate domain controllers
  • SMB and RPC — used for communication between clients and servers

Changes made on one domain controller are automatically replicated to all other domain controllers in the same domain, so the directory stays consistent across the network.

Key components of Active Directory

Active Directory is built from eight core components that work together:

  1. Objects are the items stored in the directory — users, computers, groups, printers, and shared folders. Each object has attributes (for example, a user has a name, email, department, and password hash).
  2. Schema defines the types of objects AD can store and the attributes each object can have. It is the blueprint for the directory.
  3. Domain is a logical group of objects that share one directory database and security policy. A domain is identified by a DNS name such as corp.cohesity.com.
  4. Domain Controller (DC) is a Windows Server running the Active Directory Domain Services (AD DS) role. It authenticates users, enforces policies, and replicates data to other DCs. Most enterprises run multiple DCs for redundancy.
  5. Organizational Unit (OU) is a container inside a domain used to group related objects (for example, all Finance users). OUs enable delegated administration and targeted Group Policy.
  6. Group Policy Object (GPO) is a collection of configuration settings applied to users and computers — password rules, software deployment, security baselines, and more.
  7. Global Catalog is a distributed index that holds partial copies of every object in the forest, allowing fast searches across domains.
  8. Sites are physical groupings of domain controllers based on network topology (usually IP subnets). Sites optimize authentication and replication traffic.

What are the main Active Directory services?

"Active Directory" is an umbrella term for five related services, each with a distinct purpose:

  • Active Directory Domain Services (AD DS) — core authentication, authorization, and directory service
  • Active Directory Lightweight Directory Services (AD LDS) — lightweight LDAP directory for applications that don't need a full domain
  • Active Directory Certificate Services (AD CS) — issues and manages digital certificates for encryption and identity
  • Active Directory Federation Services (AD FS) — enables single sign-on across organizations using identity federation
  • Active Directory Rights Management Services (AD RMS) — protects sensitive documents with encryption and usage policies

When people say "Active Directory," they almost always mean AD DS, the foundation all the others build on.

Active Directory structure: domains, trees, and forests

Active Directory organizes resources in a three-level hierarchy:

  • A domain is the basic administrative unit — one directory database and one security boundary (example: cohesity.com).
  • A tree is one or more domains sharing a contiguous DNS namespace (example: sales.cohesity.com and hr.cohesity.com).
  • A forest is the top-level container — one or more trees sharing a common schema, configuration, and Global Catalog. The forest is the ultimate security boundary of an AD environment.

Trust relationships between domains let users in one domain access resources in another, which is how large enterprises operate a unified identity system across business units, subsidiaries, and regions.

Active Directory vs. Microsoft Entra ID (formerly Azure AD): what's the difference?

Active Directory and Microsoft Entra ID are different products with different architectures. Active Directory is an on-premises directory service; Microsoft Entra ID (renamed from Azure AD in 2023) is a cloud identity service.

  • Deployment — AD DS: on-premises (Windows Server); Entra ID: cloud (SaaS)
  • Primary protocols — AD DS: LDAP, Kerberos, NTLM; Entra ID: OAuth 2.0, OpenID Connect, SAML, SCIM
  • Manages — AD DS: domain-joined PCs, servers, file shares, on-prem apps; Entra ID: SaaS apps, Microsoft 365, cloud workloads
  • Structure — AD DS: forests, domains, OUs; Entra ID: flat tenant (no OUs)
  • Policy tool — AD DS: Group Policy (GPOs); Entra ID: Conditional Access + Microsoft Intune
  • Best for — AD DS: traditional enterprise infrastructure; Entra ID: cloud-first and hybrid environments

Most enterprises today run a hybrid identity model: on-premises Active Directory federated to Microsoft Entra ID using Entra Connect, so users get one login for both legacy on-prem systems and modern cloud apps.

Why is Active Directory a top target for cyberattacks?

Active Directory is targeted in an estimated 9 out of 10 cyberattacks on enterprise networks, according to Microsoft, because compromising AD effectively hands attackers the keys to the entire organization. Cohesity's Cyber Events Response Team (CERT) sees that 95% of security incidents involve AD.

The most common attacks against Active Directory include:

  • Kerberoasting — extracting service account password hashes from Kerberos tickets for offline cracking
  • Pass-the-Hash / Pass-the-Ticket — reusing stolen credential material to move laterally across systems
  • DCSync — impersonating a domain controller to pull password hashes from AD
  • DCShadow — registering a rogue domain controller to inject malicious changes
  • Golden Ticket / Silver Ticket attacks — forging Kerberos tickets for persistent, privileged access
  • Ransomware — disabling or destroying AD during ransomware campaigns to maximize damage and block recovery

When AD is compromised or destroyed, users cannot log in, applications cannot authenticate, and the business stops running — often for days or weeks.

Why Active Directory backup and recovery is business-critical

A full Active Directory recovery is one of the most complex operations in enterprise IT. Rebuilding a compromised AD forest from scratch can take weeks, often with direct assistance from Microsoft. Because nearly every other system depends on AD, an AD outage is effectively a total business outage.

Modern Active Directory protection requires more than traditional backup. An enterprise-grade AD recovery strategy includes:

  • Regular backups of the AD database (NTDS.dit), SYSVOL, and Group Policy Objects
  • Immutable backup storage that attackers cannot delete or alter, even with admin credentials
  • Clean-room recovery that restores AD into an isolated environment for integrity checks before reconnecting to production
  • Granular object-level restore so a single deleted user, group, or GPO can be recovered without a full forest restore
  • Automated forest recovery that orchestrates the 20+ sequenced steps Microsoft prescribes for recovering a full AD forest
  • Malware-free recovery that decouples the operating system from the restored directory, so that backdoors are not brought back with it
  • Proven recoverability during cyber incidents, meaning the ability to recover without internet access
  • Frequent recovery testing that validates you can meet identity RTOs
  • Support for hybrid restore workflows that recover cloud identity services such as Entra ID, Okta, Ping, and Duo, restoring cloud services and access

Cohesity helps organizations protect and rapidly recover Active Directory by hardening their identity infrastructure, continuously monitoring for identity threats, automating AD recoveries, and conducting post-breach forensics to close backdoors. Cohesity Identity Resilience can help organizations reduce the chances of a successful attack by 25% while also reducing time spent manually monitoring by 40%. It automates AD recoveries to a few clicks, decreasing recovery times from identity-based attacks by up to 90%.

Best practices for Active Directory security

Follow these nine best practices to harden Active Directory against attack:

  1. Apply least privilege — minimize Domain Admins and Enterprise Admins.
  2. Use a tiered administration model (Tier 0/1/2) to isolate privileged accounts from user workstations.
  3. Enforce multi-factor authentication (MFA) on all administrative access.
  4. Audit and monitor AD continuously for suspicious changes, logins, and privilege escalations.
  5. Patch and harden domain controllers, with minimal software installed and no general user access.
  6. Use privileged access workstations (PAWs) for all AD administration.
  7. Maintain immutable, offline backups of the full AD forest, including system state.
  8. Test forest recovery annually in an isolated environment.
  9. Implement AD-specific threat detection tools that surface attacks like Kerberoasting and DCSync.
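Two of the detections that practice 9 calls for, written here as an added example (not Cohesity's or Semperis's code): it runs over constructed Windows Security event records shaped like events 4769 (Kerberos service ticket request) and 4662 (directory object access) and flags the Kerberoasting and DCSync patterns listed earlier on this page. Field names follow the Windows event schema; the thresholds, account names and the set of known domain-controller accounts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: detection logic over constructed Windows Security event records.
RC4_HMAC = "0x17"                  # TicketEncryptionType for RC4 in event 4769
DS_REPL_GUIDS = {                  # control-access rights a replication read exercises
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
}

def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts requesting RC4 service tickets for >= threshold distinct SPNs in `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            per_user[e["TargetUserName"]].append((e["Time"], e["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()                                  # sliding window over time
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                hits[user] = len(spns)
                break
    return hits

def detect_dcsync(events, dc_accounts):
    """4662 events exercising replication rights by a principal that is not a known DC."""
    return [(e["SubjectUserName"], e["Time"]) for e in events
            if e["EventID"] == 4662
            and any(g in e["Properties"].lower() for g in DS_REPL_GUIDS)
            and e["SubjectUserName"] not in dc_accounts]

def sample_events():
    """Constructed sample log: one bursty RC4 requester, one normal AES request,
    one legitimate DC replication read and one replication read by a user account."""
    t = datetime(2024, 1, 1, 9, 0, 0)
    ev = [{"EventID": 4769, "TargetUserName": "jdoe@CORP", "ServiceName": f"svc{i}",
           "TicketEncryptionType": RC4_HMAC, "Time": t + timedelta(seconds=i)}
          for i in range(6)]
    ev.append({"EventID": 4769, "TargetUserName": "asmith@CORP", "ServiceName": "cifs",
               "TicketEncryptionType": "0x12", "Time": t})     # AES256, normal traffic
    for who in ("DC02$", "jdoe"):
        ev.append({"EventID": 4662, "SubjectUserName": who, "Time": t,
                   "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"})
    return ev

if __name__ == "__main__":
    evs = sample_events()
    print("kerberoasting:", detect_kerberoasting(evs))                  # {'jdoe@CORP': 6}
    print("dcsync:", detect_dcsync(evs, {"DC01$", "DC02$"}))            # [('jdoe', ...)]
```

In production the same logic runs on events forwarded from every domain controller, with the DC account set taken from the directory rather than hard-coded.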

Cohesity and Active Directory

Cohesity Identity Resilience helps organizations detect, withstand, and recover from identity-based attacks. Cohesity and Semperis have long partnered to bring leading proven technologies with seamless integrations that continuously monitor, remediate threats, automate malware-free recoveries, and enable advanced post-breach forensics for Active Directory. It is a purpose-built solution designed to protect AD before, during, and after an attack and aligns to the real sequence of identity compromise.

Frequently asked questions about Active Directory

What is Active Directory in simple terms?

Active Directory is Microsoft's service for managing who can sign in to a company's network and what they can access. It stores user accounts, computers, and resources in a central database and acts as both the phonebook and the security guard for a Windows environment.

What is Active Directory used for?

Active Directory is used for authentication, authorization, centralized user and device management, Group Policy enforcement, single sign-on, and resource discovery across a Windows network.

Is Active Directory the same as Azure AD or Microsoft Entra ID?

No. Active Directory (AD DS) is an on-premises directory service running on Windows Server and using LDAP and Kerberos. Microsoft Entra ID (formerly Azure AD) is a cloud identity service using OAuth, OpenID Connect, and SAML. They are complementary, not identical, and most enterprises run both in a hybrid model.

What is a domain controller?

A domain controller is a Windows Server running the Active Directory Domain Services role. It stores a copy of the AD database, authenticates users, enforces security policies, and replicates changes to other domain controllers.

What is the difference between a domain, a tree, and a forest?

A domain is one directory database with one security boundary. A tree is one or more domains sharing a contiguous DNS namespace. A forest is one or more trees sharing a schema, configuration, and Global Catalog — and is considered the ultimate security boundary in AD.

What protocols does Active Directory use?

Active Directory uses LDAP for directory queries, Kerberos for authentication, DNS for locating services, and SMB and RPC for communication between systems.

Why do attackers target Active Directory?

Attackers target Active Directory because it controls authentication and access across the entire network. Compromising AD allows ransomware and advanced threat groups to move laterally, escalate privileges, disable defenses, and block recovery.

How do you back up Active Directory?

To back up Active Directory, you protect the system state of every domain controller, which includes the AD database (NTDS.dit), SYSVOL, registry, and Group Policy. Enterprise environments should use a dedicated backup solution with immutable storage, object-level recovery, and automated forest recovery — Windows Server Backup alone is not sufficient for enterprise resilience.

How long does Active Directory recovery take after a ransomware attack?

Without a purpose-built recovery solution, recovering a compromised AD forest can take one to four weeks. With automated, isolated recovery tools like those offered by Cohesity, organizations can restore AD in a matter of hours.

Can Active Directory be replaced by a cloud directory?

For newer or fully cloud-native organizations, Microsoft Entra ID can replace many AD functions. However, because AD is still such a prevalent technology that has been used for decades, most enterprises still depend on on-premises AD for legacy applications, domain-joined devices, and file shares, and will continue to operate a hybrid identity model for the foreseeable future.

What happens if Active Directory goes down?

If Active Directory goes down, users cannot log in to domain-joined systems, applications that rely on AD authentication stop working, file shares become inaccessible, and most enterprise IT operations halt until AD is restored.
