Directory Services and Active Directory
Directory Services are specialized database systems designed to store, organize, and manage information about network resources such as users, computers, printers, and services. They provide a hierarchical structure that enables efficient lookup, authentication, and authorization across an organization's IT infrastructure.
Active Directory (AD) is Microsoft's implementation of directory services, introduced with Windows 2000 Server. It serves as the backbone of identity management in enterprise environments. Active Directory stores information about objects on a network and makes this information accessible to users and administrators through a structured framework.
Key components of Active Directory include:
1. **Active Directory Domain Services (AD DS):** The core component that provides authentication and authorization mechanisms. It stores directory data and manages communication between users and domains, including user sign-in processes, authentication, and directory searches.
2. **Domain Controllers:** Servers that host AD DS and handle authentication requests, enforce security policies, and replicate directory data across the network.
3. **Organizational Units (OUs):** Containers within a domain that allow administrators to group users, computers, and other objects for easier management and policy application.
4. **Group Policy Objects (GPOs):** Enable centralized configuration management across the domain, controlling security settings, software deployment, and user environments.
5. **Forests, Domains, and Trees:** The logical structure of AD, where a forest is the top-level container, domains represent administrative boundaries, and trees are collections of domains sharing a contiguous namespace.
Active Directory supports protocols like LDAP (Lightweight Directory Access Protocol) and Kerberos for directory queries and authentication respectively.
In the modern cloud era, Microsoft has extended these concepts through **Azure Active Directory (now Microsoft Entra ID)**, which provides cloud-based identity and access management services. While traditional AD focuses on on-premises infrastructure, Azure AD enables single sign-on, multi-factor authentication, and identity protection for cloud applications, bridging on-premises and cloud environments in hybrid identity scenarios.
Directory Services and Active Directory: A Complete Guide for SC-900
Why Directory Services and Active Directory Matter
Directory services form the backbone of identity and access management in modern organizations. They are the centralized systems that store, organize, and provide access to information about network resources — including users, devices, applications, and groups. Understanding directory services and Active Directory (AD) is essential for the SC-900 exam because identity is considered the primary security perimeter in today's cloud-first world. Microsoft frames identity as the first line of defense, and directory services are at the core of how identities are managed, authenticated, and authorized.
What Are Directory Services?
A directory service is a hierarchical database that stores information about objects within a network. Think of it like a phone book for your entire IT infrastructure. It allows administrators to manage and locate resources (users, computers, printers, applications) from a single, centralized location.
Key characteristics of directory services include:
- Centralized Management: All identity and resource data is stored in one logical location, making administration efficient.
- Hierarchical Structure: Objects are organized in a tree-like structure (domains, organizational units, etc.).
- Authentication and Authorization: Directory services verify who a user is (authentication) and determine what they can access (authorization).
- Scalability: They can handle millions of objects across global organizations.
What Is Active Directory (AD)?
Active Directory is Microsoft's on-premises directory service, introduced with Windows 2000 Server. It is the most widely used directory service in enterprise environments. AD uses the Lightweight Directory Access Protocol (LDAP) to query and modify the directory and Kerberos for authentication.
Core Components of Active Directory:
1. Active Directory Domain Services (AD DS): The core component that stores directory data and manages communication between users and domains. It handles authentication and authorization for on-premises environments. AD DS uses domain controllers to store copies of the directory and process authentication requests.
2. Domain Controllers (DCs): Servers that run AD DS. They store the directory database and handle authentication requests. Multiple DCs can exist for redundancy and load balancing.
3. Domains: A logical grouping of objects (users, computers, groups) that share the same AD database. A domain acts as a security boundary.
4. Organizational Units (OUs): Containers within a domain used to organize objects and apply Group Policies.
5. Forests and Trees: A tree is a collection of domains that share a contiguous namespace. A forest is a collection of one or more trees that share a common schema, configuration, and global catalog. The forest is the ultimate security boundary in Active Directory.
6. Group Policy Objects (GPOs): Used to enforce security settings, software deployment, and configurations across users and computers within the domain.
7. Global Catalog: A distributed data repository that contains a searchable, partial representation of every object in every domain within a forest. It enables users to find resources across the entire forest.
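The hierarchy in the list above (domain, nested OUs, GPOs linked to containers) is easiest to see by resolving it for a concrete object. The following Python model is an added example, not code from the original guide or from Microsoft: it parses LDAP distinguished names, walks an object's containers from the domain down to its nearest OU, and applies the Group Policy precedence rules (domain links first, the nearest OU's link last and therefore winning; Enforced links override; Block Inheritance discards non-enforced links from parents). The DNs, GPO names and links are constructed sample data.

```python
"""Model of the AD namespace: objects are addressed by LDAP distinguished
names, grouped into OUs under a domain, and Group Policy linked to the
domain or an OU is inherited down that tree. All names and GPO links here
are constructed sample data for the example."""

def parse_dn(dn):
    """Split 'CN=alice,OU=Sales,DC=corp,DC=local' into [(type, value), ...],
    leaf RDN first; a backslash-escaped comma stays inside its value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # LDAP escape: take next char literally
            cur.append(dn[i + 1]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return [(t.strip().upper(), v.strip()) for t, _, v in (p.partition("=") for p in parts)]

def containers(dn):
    """Containers an object sits in, domain first and nearest OU last: the
    order in which Group Policy is applied (domain, then OUs top-down)."""
    rdns = parse_dn(dn)[1:]                       # drop the object's own RDN
    dc = [i for i, (t, _) in enumerate(rdns) if t == "DC"]
    if not dc:
        raise ValueError("DN has no DC components, so no domain: " + dn)
    chain = [",".join(f"{t}={v}" for t, v in rdns[k:]) for k in range(dc[0] + 1)]
    return chain[::-1]

def effective_gpos(dn, links, blocked):
    """Resolve which linked GPOs apply to an object and in what order
    (the last one listed wins on conflicting settings).
    links:   container DN -> list of (gpo_name, enforced)
    blocked: set of container DNs with 'Block Inheritance' set"""
    normal, enforced = [], []
    for cont in containers(dn):
        if cont in blocked:
            normal = []        # Block Inheritance drops non-enforced links from parents
        for name, enf in links.get(cont, []):
            (enforced if enf else normal).append(name)
    # Enforced links are applied after all others, and an enforced link higher
    # in the tree is applied after (so wins over) one linked lower down.
    return normal + enforced[::-1]

# Constructed sample: a domain-linked enforced baseline, OU-linked policies,
# and a Contractors OU that blocks inheritance.
GPO_LINKS = {
    "DC=corp,DC=local": [("Default Domain Policy", False), ("Security Baseline", True)],
    "OU=EMEA,DC=corp,DC=local": [("EMEA Baseline", False)],
    "OU=Sales,OU=EMEA,DC=corp,DC=local": [("Sales Desktop", False)],
    "OU=Contractors,DC=corp,DC=local": [("Contractor Lockdown", False)],
}
BLOCKED = {"OU=Contractors,DC=corp,DC=local"}

if __name__ == "__main__":
    for dn in ("CN=alice,OU=Sales,OU=EMEA,DC=corp,DC=local",
               "CN=bob,OU=Contractors,DC=corp,DC=local"):
        print(dn, "->", effective_gpos(dn, GPO_LINKS, BLOCKED))
```

Running it shows why administrators mark a domain-level security baseline as Enforced: the Contractors OU blocks inheritance and still receives "Security Baseline", while the non-enforced "Default Domain Policy" is dropped there.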
What Is Microsoft Entra ID (formerly Azure Active Directory)?
While Active Directory is the on-premises directory service, Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud-based identity and access management service. For the SC-900 exam, it is critical to understand the differences between these two services.
Key Differences Between AD DS and Microsoft Entra ID:
- Structure: AD DS uses a hierarchical structure (domains, OUs, forests). Microsoft Entra ID uses a flat structure with tenants and no OUs or GPOs.
- Protocols: AD DS uses LDAP and Kerberos. Microsoft Entra ID uses REST APIs over HTTP/HTTPS, OAuth 2.0, OpenID Connect, and SAML.
- Authentication: AD DS uses Kerberos for on-premises authentication. Microsoft Entra ID uses cloud-based authentication protocols including SAML, WS-Federation, and OpenID Connect.
- Management: AD DS is managed by the organization's IT team. Microsoft Entra ID is a managed service (PaaS) from Microsoft.
- Device Management: AD DS uses Group Policy and domain join. Microsoft Entra ID uses MDM solutions like Microsoft Intune and Entra ID join/registration.
- Federation: Microsoft Entra ID natively supports federation with third-party identity providers and SaaS applications.
How Directory Services and Active Directory Work Together in Hybrid Environments
Most organizations operate in a hybrid environment, using both on-premises AD DS and Microsoft Entra ID. These environments use Microsoft Entra Connect (formerly Azure AD Connect) to synchronize identities between on-premises AD and the cloud.
Microsoft Entra Connect enables:
- Password Hash Synchronization (PHS): A hash of the on-premises password hash is synced to Entra ID, enabling users to sign in to cloud services with the same password.
- Pass-Through Authentication (PTA): Authentication requests to Entra ID are validated directly against on-premises AD, so passwords are never stored in the cloud.
- Federation with AD FS: Uses Active Directory Federation Services to redirect authentication to on-premises infrastructure for complete on-premises authentication control.
- Seamless Single Sign-On (SSO): Allows users who are on corporate devices to automatically sign in to cloud resources without re-entering credentials.
How Active Directory Authentication Works (Simplified):
1. A user enters their username and password on a domain-joined computer.
2. The computer contacts a domain controller.
3. The domain controller verifies the credentials using the Kerberos protocol.
4. If valid, a Kerberos Ticket-Granting Ticket (TGT) is issued.
5. The TGT is then used to request service tickets for accessing specific resources (file shares, applications, etc.).
6. The user can access resources without re-entering credentials (single sign-on within the domain).
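The six steps above are a protocol exchange, so here they are as a runnable Python model. This is an added example and not code from the original guide or from Microsoft: the realm, principal names, password and service are constructed, the key derivation is a plain hash rather than the PBKDF2-based derivation of real Kerberos encryption types, and the ticket "encryption" is a toy encrypt-then-MAC built from SHA-256 and HMAC-SHA256 so the script needs only the standard library. What it does show faithfully is the structure of the flow: the domain controller is the only party holding every key, the TGT is sealed under the krbtgt key so the client cannot read or forge it, a service ticket is sealed under the service's own key and carries a fresh session key, the service never sees the user's password, and a cached ticket is reused for later requests (the single sign-on effect in step 6).

```python
"""Toy model of the Kerberos flow on a domain-joined client: AS exchange
(TGT), TGS exchange (service ticket), AP exchange (service validates).
Constructed example; the cipher is a toy encrypt-then-MAC from SHA-256 and
HMAC-SHA256, not the AES-based encryption types real Kerberos uses."""
import hashlib, hmac, json, os, time

REALM = "CORP.LOCAL"
SKEW = 300   # seconds of clock skew a KDC tolerates on timestamps

def string_to_key(password, salt):
    # Simplified; real AES encryption types derive the key with PBKDF2 over password + salt.
    return hashlib.sha256((salt + password).encode()).digest()

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption of a dict: keystream XOR, then HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(ts):
    return abs(time.time() - ts) <= SKEW

class KDC:
    """Domain controller role: the only party holding every principal's long-term key."""
    def __init__(self, keys):
        self.keys = keys                      # principal name -> key
    def as_exchange(self, cname, preauth):
        """AS-REQ with encrypted-timestamp pre-authentication -> TGT (steps 3-4)."""
        if not fresh(unseal(self.keys[cname], preauth)["ts"]):   # unseal fails on a wrong password
            raise ValueError("pre-authentication timestamp is stale")
        skey, exp = os.urandom(32).hex(), time.time() + 10 * 3600
        tgt = seal(self.keys["krbtgt/" + REALM], {"cname": cname, "skey": skey, "exp": exp})
        return tgt, seal(self.keys[cname], {"skey": skey, "exp": exp})
    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ: present the TGT plus an authenticator -> service ticket (step 5)."""
        t = unseal(self.keys["krbtgt/" + REALM], tgt)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if t["exp"] < time.time() or a["cname"] != t["cname"] or not fresh(a["ts"]):
            raise ValueError("TGT expired or authenticator invalid")
        skey = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "skey": skey, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": skey})

class Client:
    """Domain-joined workstation acting for one user (steps 1-2, 5-6)."""
    def __init__(self, kdc, user, password):
        self.kdc, self.user, self.cache = kdc, user, {}
        key = string_to_key(password, REALM + user)
        tgt, enc = kdc.as_exchange(user, seal(key, {"ts": time.time()}))
        self.tgt, self.tgt_key = tgt, bytes.fromhex(unseal(key, enc)["skey"])
    def ap_req(self, sname):
        """Build an AP-REQ; a cached service ticket is reused, which is the SSO effect."""
        if sname not in self.cache:
            authn = seal(self.tgt_key, {"cname": self.user, "ts": time.time()})
            ticket, enc = self.kdc.tgs_exchange(self.tgt, authn, sname)
            self.cache[sname] = (ticket, bytes.fromhex(unseal(self.tgt_key, enc)["skey"]))
        ticket, skey = self.cache[sname]
        return ticket, seal(skey, {"cname": self.user, "ts": time.time()})

class Service:
    """A resource such as a file share; it never sees the user's password."""
    def __init__(self, key):
        self.key = key
    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)               # only the service's own key opens it
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if t["exp"] < time.time() or a["cname"] != t["cname"] or not fresh(a["ts"]):
            raise ValueError("ticket expired or authenticator invalid")
        return t["cname"]

def demo():
    """Run the flow once and report what was accepted and what was rejected."""
    keys = {"krbtgt/" + REALM: os.urandom(32), "cifs/fs01.corp.local": os.urandom(32),
            "alice": string_to_key("correct horse", REALM + "alice")}
    kdc, fs01 = KDC(keys), Service(keys["cifs/fs01.corp.local"])
    alice = Client(kdc, "alice", "correct horse")
    user = fs01.accept(*alice.ap_req("cifs/fs01.corp.local"))
    try:
        Client(kdc, "alice", "wrong password"); bad_pw = False
    except ValueError:
        bad_pw = True                             # DC could not open the pre-auth timestamp
    ticket, authn = alice.ap_req("cifs/fs01.corp.local")
    try:
        fs01.accept(ticket[:-1] + bytes([ticket[-1] ^ 1]), authn); tampered = False
    except ValueError:
        tampered = True                           # HMAC tag no longer matches
    return {"user": user, "bad_password_rejected": bad_pw,
            "tampered_ticket_rejected": tampered, "service_tickets_cached": len(alice.cache)}
```

The `demo()` function exercises the happy path and two failure modes a defender cares about: a wrong password fails at pre-authentication on the domain controller (the event a DC logs as a failed logon), and a ticket altered in transit is rejected by the service because its integrity tag no longer verifies. The second `ap_req` call for the same service does not go back to the KDC, which is what "without re-entering credentials" means in step 6.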
Key Concepts for the SC-900 Exam:
- Identity as the Security Perimeter: In modern security, identity has replaced the traditional network perimeter. Directory services are central to this concept.
- Authentication vs. Authorization: Authentication proves identity (who you are). Authorization determines access (what you can do). Directory services handle both.
- Zero Trust Model: Directory services support Zero Trust by enabling verification of every identity before granting access. Key principles: verify explicitly, use least privilege access, assume breach.
- Conditional Access: Microsoft Entra ID uses conditional access policies to enforce access controls based on signals like user identity, device state, location, and risk level.
- Multi-Factor Authentication (MFA): An additional layer of security that requires two or more verification methods. Microsoft Entra ID supports MFA natively.
- Role-Based Access Control (RBAC): Both AD DS and Entra ID support assigning permissions based on roles rather than individual users.
Active Directory Domain Services (AD DS) vs. Microsoft Entra Domain Services
Microsoft Entra Domain Services (formerly Azure AD Domain Services) is a managed domain service in the cloud that provides domain join, group policy, LDAP, and Kerberos/NTLM authentication — without needing to deploy or manage domain controllers. This is useful for legacy applications that require traditional AD protocols but need to run in the cloud.
Key points:
- It is a managed service; Microsoft manages the domain controllers.
- It synchronizes identities from Microsoft Entra ID (one-way sync from Entra ID to Entra Domain Services).
- It does not support AD trusts, GPO creation from scratch (only built-in GPOs), or schema extensions in the same way as on-premises AD DS.
Exam Tips: Answering Questions on Directory Services and Active Directory
1. Know the Differences Between AD DS and Microsoft Entra ID: This is one of the most commonly tested areas. Remember that AD DS is on-premises, uses LDAP and Kerberos, and has a hierarchical structure. Microsoft Entra ID is cloud-based, uses REST APIs and modern authentication protocols (OAuth, SAML, OpenID Connect), and has a flat structure.
2. Understand Hybrid Identity: Many questions will focus on how on-premises AD connects to the cloud. Know the three synchronization methods: Password Hash Sync (PHS), Pass-Through Authentication (PTA), and Federation (AD FS). PHS is the simplest and most commonly recommended option.
3. Forest Is the Security Boundary: If asked about the ultimate security boundary in Active Directory, the answer is the forest, not the domain.
4. Microsoft Entra Connect Is the Bridge: Whenever a question mentions synchronizing on-premises identities to the cloud, the answer involves Microsoft Entra Connect.
5. Focus on Concepts, Not Deep Technical Details: SC-900 is a fundamentals exam. You won't be asked to configure AD or write LDAP queries. Focus on what each service does, why it matters, and when to use it.
6. Distinguish Between Entra ID Editions: Know that Microsoft Entra ID comes in Free, P1, and P2 tiers. P1 adds conditional access and self-service password reset. P2 adds Identity Protection and Privileged Identity Management (PIM).
7. Remember Key Terminology: Tenant (an instance of Entra ID representing an organization), Directory (the Entra ID tenant itself), Domain Controller (a server running AD DS), Schema (defines object types and attributes in the directory).
8. Watch for Trick Questions About GPOs: Group Policy Objects exist in AD DS but not in Microsoft Entra ID. Cloud policy management uses Conditional Access policies and Intune instead.
9. Understand Microsoft Entra Domain Services Use Cases: If a question describes a scenario where legacy applications need LDAP or Kerberos in the cloud without managing domain controllers, the answer is Microsoft Entra Domain Services.
10. Identity as the Control Plane: Microsoft emphasizes that identity is the new control plane for security. Any question that asks about the foundational element of Zero Trust security or modern security strategy will likely have identity (and by extension, directory services) as the correct answer.
11. Elimination Strategy: When unsure, eliminate answers that confuse on-premises and cloud concepts. For example, if a question asks about cloud-native authentication and an answer mentions Kerberos, that is likely incorrect (Kerberos is primarily on-premises AD DS).
12. Scenario-Based Questions: Many SC-900 questions present scenarios. Read carefully to determine whether the scenario is on-premises, cloud, or hybrid, then select the appropriate technology. On-premises = AD DS. Cloud = Microsoft Entra ID. Hybrid = Microsoft Entra Connect. Legacy apps in cloud = Microsoft Entra Domain Services.
Summary
Directory services are the foundation of identity management. Active Directory Domain Services (AD DS) handles on-premises identity, while Microsoft Entra ID manages cloud identity. In hybrid scenarios, Microsoft Entra Connect bridges the two. For the SC-900 exam, focus on understanding the purpose of each service, the protocols they use, how they differ, and when each is appropriate. Remember that identity is the primary security perimeter in Microsoft's security framework, making directory services one of the most critical topics on the exam.