Active Directory Domain Services - Describe security, compliance, privacy, and trust in Microsoft 365
Active Directory Domain Services (AD DS) is an object-oriented, hierarchical directory service that functions as an internal authentication and authorization provider for Windows networks. Because it is not located in the cloud like Entra ID, the primary source of protection for AD DS is the firewall and other perimeter protection surrounding the on-premises network. AD DS domain controllers are Windows servers located inside the network perimeter; they must not be deployed in a DMZ or any other way that leaves them open to access from the Internet.
Also, unlike Entra ID, network administrators must design, deploy, and maintain an AD DS directory. The service takes the form of a role in the Windows Server operating system, which administrators must add after installing the operating system itself. An AD DS directory does not include the built-in maintenance and fault tolerance that Microsoft's cloud services provide.
Typically, servers that function as AD DS domain controllers perform no other role except that of DNS server. For example, using domain controllers as application or file servers is not considered secure. Administrators must install multiple domain controllers to ensure fault tolerance and high availability, preferably at different sites. The domain controllers replicate the contents of the directory among each other regularly.
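The following PowerShell script is an added example, not part of the book, that audits the domain-controller practices just described: it lists the domain controllers, flags any that carry roles other than AD DS and DNS, checks that there is more than one domain controller in more than one site, and reports replication failures. It assumes the ActiveDirectory RSAT module, rights to query each domain controller remotely, and that the list of flagged Windows features ($riskyFeatures) is your own choice; the one here is only an illustrative selection.

```powershell
# Added example (not from the book): audit domain-controller hygiene.
# Assumes the ActiveDirectory module and remoting rights to each DC.
Import-Module ActiveDirectory

# Illustrative list of server features that should not sit on a DC (file, web,
# print, DHCP, Remote Desktop Session Host). Extend it to match local policy.
$riskyFeatures = @('FS-FileServer', 'Web-Server', 'Print-Services', 'DHCP', 'RDS-RD-Server')

function Get-DcHygieneReport {
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        # Ask the DC itself which of the flagged features are installed.
        $extraRoles = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-WindowsFeature |
                Where-Object { $_.Installed -and ($_.Name -in $using:riskyFeatures) } |
                Select-Object -ExpandProperty Name
        }
        # Any inbound replication failure recorded by this DC.
        $replFailures = @(Get-ADReplicationFailure -Target $dc.HostName)

        [pscustomobject]@{
            DomainController    = $dc.HostName
            Site                = $dc.Site
            IsGlobalCatalog     = $dc.IsGlobalCatalog
            UnexpectedRoles     = (@($extraRoles) -join ', ')
            ReplicationFailures = $replFailures.Count
        }
    }
}

$report = @(Get-DcHygieneReport)
$report | Format-Table -AutoSize

# Fault-tolerance checks from the text: more than one DC, in more than one site.
$siteCount = @($report.Site | Sort-Object -Unique).Count
if ($report.Count -lt 2) { Write-Warning "Only $($report.Count) domain controller found; no fault tolerance." }
if ($siteCount  -lt 2) { Write-Warning "All domain controllers are in a single site ($siteCount)." }

# Role-separation and replication checks.
foreach ($entry in $report) {
    if ($entry.UnexpectedRoles)     { Write-Warning "$($entry.DomainController) also runs: $($entry.UnexpectedRoles)" }
    if ($entry.ReplicationFailures) { Write-Warning "$($entry.DomainController) reports $($entry.ReplicationFailures) replication failure(s)" }
}
```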
Unlike Entra ID, AD DS is a hierarchical directory service that enables administrators to create a directory that emulates their organization’s departmental or geographical infrastructure, as shown in Figure 3-2.
FIGURE 3-2 An Active Directory Domain Services container hierarchy
Forests, trees, domains, and organizational units are AD DS objects that contain other objects, such as users, groups, and computers, as shown in Figure 3-3. As with a file system, permissions flow downward through the hierarchy. Permissions granted to a container object are inherited by all the objects in that container and all subordinate containers beneath it. Administrators can design the AD DS hierarchy however they want.
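To see the downward flow of permissions described above on a real OU tree, the following added example (not from the book) walks an OU and every OU beneath it, counting the access control entries that were inherited versus set explicitly, reporting where inheritance has been blocked, and naming any principal granted explicit Full Control. It assumes the ActiveDirectory module; the OU distinguished name $startOu is a hypothetical placeholder to replace with one from your own domain.

```powershell
# Added example (not from the book): inspect ACL inheritance down an OU subtree.
# Assumes the ActiveDirectory module, which provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Hypothetical starting OU; replace with a distinguished name from your domain.
$startOu = 'OU=Sales,OU=Departments,DC=contoso,DC=com'

function Get-OuInheritanceReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })

    # Explicit Allow entries carrying GenericAll (Full Control) deserve a second look,
    # because anything set here flows to every object and OU beneath this one.
    $fullControl = $explicit |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        OU                  = $DistinguishedName
        InheritanceBlocked  = $acl.AreAccessRulesProtected   # $true means "block inheritance" is set
        InheritedACEs       = $inherited.Count
        ExplicitACEs        = $explicit.Count
        ExplicitFullControl = ($fullControl -join ', ')
    }
}

# The starting OU plus every OU in its subtree, top to bottom.
Get-ADOrganizationalUnit -SearchBase $startOu -SearchScope Subtree -Filter * |
    Sort-Object { $_.DistinguishedName.Length } |
    ForEach-Object { Get-OuInheritanceReport -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize
```

Child OUs normally show a growing InheritedACEs count and few explicit entries; an OU with InheritanceBlocked set to True, or an unexpected name under ExplicitFullControl, is where the hierarchy no longer behaves as the design assumes.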
FIGURE 3-3 AD DS objects in an organizational unit
In AD DS administration, much more work is left to the network administrator than in Entra ID. In Entra ID, you can begin creating users and groups immediately after establishing a tenancy without installing and maintaining domain controllers or designing an infrastructure. There are also no concerns about physical security with Entra ID because Microsoft is responsible for its datacenters and for maintaining the computers that provide the services. The initial cost outlay for an Entra ID directory is also minimal. AD DS requires the purchase of server computers and the Windows Server operating system, but there are no ongoing subscription fees.
Although AD DS uses a substantially different infrastructure than Entra ID, it performs the same basic services by authenticating users and authorizing access to network resources. However, AD DS does not support many of Entra ID’s advanced security features. For example, AD DS has no internal support for multifactor authentication, although it is possible to use an external authentication service for some additional authentication factors. AD DS also does not include Azure AD Identity Protection, Conditional Access, and Azure Information Protection.
Because domain controllers are often connected to the same network as workstations and other less sensitive systems, they can be vulnerable to lateral movement by an intruder who has gained access to another computer on the network. As a result, even though the domain controllers themselves might be protected, any typical attack vector to which on-premises computers are susceptible can threaten the AD DS implementation. For example, any computer on the network that is not current in its operating system and application updates, or that lacks virus or malware protection, can be a target for attack and a launch point for a further intrusion into the AD DS directory.
AD DS is also more vulnerable to credential theft than Entra ID because of the unsafe use of privileged credentials. Administrators of an on-premises network can sometimes be careless about using their privileged identities to perform everyday tasks, such as browsing the Internet or signing on to computers that are not fully secured. In Azure Active Directory Premium P1, these practices can be addressed with the Privileged Identity Management feature, but Microsoft has not integrated the Entra ID security tools into AD DS.
Exam Tip
For MS-900 examination candidates new to these technologies, it can be easy to confuse the capabilities of the cloud-based Entra ID and the on-premises Active Directory Domain Services (AD DS). It is important to know that AD DS is a hierarchical directory service provided with the Windows Server operating system that requires a fairly extensive design and implementation process. Entra ID, by contrast, is subscription-based, is not hierarchical, and requires virtually no setup. Candidates should also know which features are provided in the Azure Active Directory Premium P1 and Azure Active Directory Premium P2 plans.