What is Active Directory (AD) and how does it work?


Active Directory (AD) is Microsoft’s directory service for Windows domain networks—a centralized database that stores information about users, computers, groups, policies and other objects in your network. It uses a hierarchical, object-oriented structure to organize resources, allowing administrators to manage permissions, deploy software, enforce security settings, and authenticate users across multiple machines from a single point of control. Fundamentally, AD underpins almost every aspect of identity and access management in Windows environments, making it the backbone of corporate network security and operations.

Why’s it important to understand Active Directory?

Grasping Active Directory is essential for any cybersecurity professional because it’s both the gatekeeper and the prime target in most enterprise breaches. Attackers will often seek to compromise an AD environment to gain persistent, privileged access—pivoting through trust relationships, stealing credentials, or abusing misconfigured group policies. By understanding how AD is structured, how authentication flows work (Kerberos, LDAP, NTLM), and where common misconfigurations or vulnerabilities lie, you’ll be better equipped to harden environments, detect suspicious activity, and respond effectively when things go wrong. Mastery of AD is therefore a foundational skill on which broader network defense and incident response capabilities are built.

History of Microsoft Active Directory

Here’s a concise timeline of the key milestones in the evolution of Active Directory:

  • March 2000
    Microsoft ships Active Directory for the first time as part of Windows 2000 Server. AD replaces Windows NT’s flat “SAM” model with a true LDAP-based, hierarchical directory service for domains, forests, OU delegation, Group Policy and integrated DNS.
  • April 2003
    Windows Server 2003 introduces refinements including improved AD replication (FRS → DFS-R for SYSVOL), domain controller promotion/demotion tools, and native support for 64-bit architectures.
  • February 2008
    Windows Server 2008 brings in Read-Only Domain Controllers (RODCs) for secure branch-office deployments, a feature that limits credential exposure outside the datacenter.
  • October 2009
    Windows Server 2008 R2 adds the Active Directory Recycle Bin, allowing full-fidelity recovery of deleted AD objects without requiring a system state restore.
  • September 2012
    Windows Server 2012 debuts Dynamic Access Control, which integrates centralized file classification and access policies with AD, plus more granular Kerberos enhancements.
  • October 2013
    Microsoft launches Azure Active Directory, a cloud-native directory and identity-management service, enabling hybrid identity scenarios alongside on-prem AD.
  • October 2016
    Windows Server 2016 introduces Privileged Access Management (PAM) via a time-bound, “just-in-time” tiered administrative model and improved Kerberos armoring (FAST).
  • October 2018
    Windows Server 2019 refines hybrid connectivity (Azure AD Connect), enhances Kerberos security, and expands cloud management hooks.
  • October 2021
    Windows Server 2022 builds on a stronger security core (Secured-core server) and tighter Azure AD integration, plus faster DC cloning and better performance for large-scale forests.

Each of these releases has hardened AD’s security posture, improved manageability at scale, and paved the way for hybrid/cloud identity scenarios—making AD mastery essential for any cybersecurity professional.

How does Active Directory work?

Active Directory (AD) is fundamentally an LDAP-compliant, multimaster replicated database that lives on Windows domain controllers (DCs). The directory is organized into partitions—Schema (object definitions), Configuration (forest topology), and Domain (users, computers, groups, GPOs)—each stored in an Extensible Storage Engine (ESE) database file (NTDS.dit). DCs replicate changes using the Knowledge Consistency Checker (KCC) over RPC or SMTP (for cross-site links), ensuring eventual consistency across sites. Objects in AD carry attributes (e.g., sAMAccountName, objectGUID) defined by the schema; group policies are stored in SYSVOL (replicated via DFS-R) and linked to OUs, domains or sites to push configuration settings via LDAP and SMB.

Authentication in AD leverages Kerberos v5 as its primary protocol: a client requests a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC) on a DC by presenting its credentials; the KDC issues a TGT encrypted with the user’s password hash and, in turn, issues service tickets for specific resources. LDAP (over TCP/389 or LDAPS/636) is used for directory lookups and reads, while NTLM can fall back where Kerberos isn’t supported. Trust relationships between domains (transitive two-way by default) allow cross-domain authentication. Fine-grained password policies, RODCs for branch security, and features like “Just-Enough Administration” build on this core, but every interaction—lookup, bind, ticket request, policy application—is mediated through the unified AD data store.

How a logon process works

In a simple scenario, a user attempts to access a domain resource, e.g. logging in to a laptop or accessing email, a file server or a printer. Active Directory first authenticates the request by verifying the supplied credentials against the matching account in its directory, then authorizes it by checking that the account holds the correct rights and privileges before access to the resource is granted. Alongside this, the configured policy settings, applications, and network resources are also deployed to the user or computer.

During the logon process, several different Active Directory services may be used depending on what has been configured; these include domain, certificate, single sign-on (SSO), and rights management services. The most used service, which also forms the basis of every Windows domain network, is Active Directory Domain Services (AD DS); it holds information about every member and device belonging to a domain.

How is Active Directory structured?

Active Directory is organized into both logical and physical structures that together define how objects are stored, grouped, and replicated:

Logical Structure

  • Forest: The security boundary for an AD deployment; contains one or more Trees and a single Schema and Configuration partition.
  • Tree: A collection of one or more Domains that share a contiguous namespace (e.g. sales.example.com under example.com).
  • Domain: The core unit of administration and replication; holds a writable copy of the Domain partition (users, groups, computers, GPO links) in its NTDS.dit database. Each Domain has its own security policies and trusts.
  • Organizational Units (OUs): Containers within a Domain used to group objects for administrative delegation and Group Policy application without creating new domains.
  • Global Catalog: A partial, read-only replica of all objects in the Forest (only a subset of attributes), enabling forest-wide searches and universal group membership lookups.

Physical Structure

  • Domain Controllers (DCs): Servers hosting writable (or read-only, in the case of RODCs) copies of directory partitions; they run the KDC for Kerberos, the LDAP service, and SYSVOL for Group Policy.
  • Sites and Subnets: Define the physical topology—Sites map to one or more IP subnets and are used by the Knowledge Consistency Checker to optimize replication schedules and client authentication affinities.
  • Directory Partitions:
    • Schema partition (forest-wide): Defines object classes/attributes.
    • Configuration partition (forest-wide): Holds topology data (sites, services, partitions).
    • Domain partition (per domain): Stores domain-specific objects (users, groups, computers, GPOs).

Replication occurs intra-domain for the Domain partition and inter-domain for Schema/Configuration via the RPC/SMTP-based Knowledge Consistency Checker, ensuring that every DC eventually converges on the same set of directory data. This dual logical/physical separation lets administrators scale, delegate, and secure their directory in complex enterprise environments.
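As an added example (not code from the original post), the following PowerShell walk of the structure described above uses the RSAT ActiveDirectory module, which is assumed to be installed on a domain-joined machine running as a domain user. It prints the three partitions from RootDSE, the domains in the forest, the sites with their subnets, the DCs with their Global Catalog and RODC roles, and the trust relationships that widen the authentication boundary.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the session runs as a domain user on a domain-joined host.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE      # RootDSE exposes the distinguished names of the partitions

"Forest: $($forest.Name) (forest mode: $($forest.ForestMode))"
"Schema partition:        $($rootDse.schemaNamingContext)"
"Configuration partition: $($rootDse.configurationNamingContext)"
"Domain partition:        $($rootDse.defaultNamingContext)"

# Logical structure: every domain in the forest, its parent (tree membership) and PDC emulator
foreach ($domainName in $forest.Domains) {
    $d = Get-ADDomain -Identity $domainName
    "Domain $($d.DNSRoot) (parent: $($d.ParentDomain)) - PDC emulator: $($d.PDCEmulator)"
}

# Physical structure: sites and the subnets mapped to them (the KCC uses these to plan replication)
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteSubnets = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName } |
        Select-Object -ExpandProperty Name
    "Site $($site.Name): $($siteSubnets -join ', ')"
}

# Domain controllers, flagging Global Catalogs and read-only DCs (RODCs)
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Trust relationships: transitive trusts extend the authentication boundary beyond this domain
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest |
    Format-Table -AutoSize
```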

Who uses Active Directory?

Active Directory could be considered a universal authentication solution: it has been estimated that it is used by 90% of the Global Fortune 1000 companies, and it likely covers every company that runs a Windows-based network. Within these companies, every employee who has user credentials to connect to the network or who accesses email via an Exchange server is using Active Directory services, although more than likely they are using them unknowingly.

As Active Directory is a server-side service, it is the IT manager's role to ensure that the services have been configured correctly so that the correct permissions, privileges, services, and network resources are assigned to each individual member of the domain.

What’s Microsoft Entra ID (formerly Azure Active Directory)?

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity platform developed by Microsoft that provides SSO and MFA (multi-factor authentication) for cloud resources and Entra ID (formerly Azure AD) joined devices and enables access to thousands of external SaaS applications.

To get the terminology right: Entra ID (formerly Azure AD) and AD are two separate services. When you hear Active Directory mentioned, it is the on-prem version of AD that is being referred to, not the cloud-based Entra ID (formerly Azure AD).

Active Directory and cyber-attacks

Given the widespread adoption of AD throughout global enterprises, and considering the information it both houses and authorizes access to, it is no surprise that it is under constant threat of cyber-attack. Compromising AD is one of the most prevalent ways cyber-attackers gain unauthorized entry into a company’s network; they then move laterally throughout the network, elevating their access and privileges to steal, ransom, or take control of the company network.

As over 85% of hacking-related breaches are due to compromised credentials, auditing Active Directory user accounts is a critical step in reducing the risk of a successful attack gaining unauthorized access. Companies often invest heavily in cybersecurity solutions yet overlook the importance of ensuring that the first line of defense is secure through good password hygiene and policy. We’d highly recommend following these Active Directory security best practices.

Audit your Active Directory for free

Multiple admins, inactive admins, and user accounts with duplicate or compromised passwords are all potential areas vulnerable to attack, and they can easily go unnoticed if Active Directory isn’t regularly audited. Audits like this can be a time-consuming and cumbersome process: they involve writing PowerShell scripts, exporting data for analysis, and extracting data to act on, as if IT managers didn’t have enough on their plates already!
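As an added example (not Specops’ tool and not code from the post), here is the kind of read-only PowerShell audit the paragraph refers to: it enumerates the members of the main privileged groups (nested groups included) and flags disabled, stale, and never-expiring accounts. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory; duplicate or breached-password checks require comparing hashes against a breach corpus and are not covered here.

```powershell
# Added example, not Specops' tool or code from the original post. Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

$staleDays = 90                      # assumption: no logon for 90 days counts as inactive
$cutoff    = (Get-Date).AddDays(-$staleDays)
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are included
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled

        $issues = @()
        if (-not $u.Enabled)         { $issues += 'disabled but still privileged' }
        if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
            $issues += "no logon in $staleDays days"
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $issues += 'password older than one year'
        }

        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Issues          = $issues -join '; '
        }
    }
}

# How many distinct privileged users exist ("multiple admins"), and which ones need attention
$distinct = $findings | Sort-Object Account -Unique
"Distinct privileged user accounts: $($distinct.Count)"
$findings | Where-Object { $_.Issues } | Format-Table -AutoSize

# Export the full result set for follow-up and ticketing
$findings | Export-Csv -Path .\ad-privileged-audit.csv -NoTypeInformation
```

Accounts that sit in more than one privileged group appear once per group in the findings; the distinct count de-duplicates them by account name.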

Specops have developed a free, read-only tool that scans your Active Directory for various security-related weaknesses, from compromised passwords to stale admin accounts. You’ll get an exportable report full of insights, which will help align your organization with current industry and compliance best practices. Download Specops Password Auditor for free.

(Last updated on May 21, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years’ experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
