Skip to main content

Skillber v1.0 is here!

Learn more

Directory Services

Checking access...

Directory services are the backbone of identity infrastructure. They store identity attributes, authenticate users, and provide authorisation information to applications and services. Understanding directory architecture is essential for designing resilient, performant IAM systems.

Directory Types

Directory TypeProtocolPrimary Use CaseStrengthsLimitations
Active DirectoryLDAP, Kerberos, NTLMEnterprise user/computer management, Windows integrationGroup Policy, Kerberos trust, application compatibilityComplex replication topology, Windows-centric
Entra ID (Azure AD)REST, OAuth, OIDCCloud identity, SaaS SSO, device managementCloud-native, conditional access, rich APIsNo LDAP, no Kerberos, different object model
OpenLDAP / 389 DirectoryLDAPLinux/Unix environments, custom schemaOpen source, flexible schema, lightweightNo Kerberos, limited management tools
PingDirectoryLDAP, SCIM, RESTLarge-scale directory, cloud-deliveredHigh performance, multi-tenancy, SCIM supportCommercial licensing
Okta Universal DirectoryREST, SCIM, OIDCCloud application identity, lifecycleCloud-native, SCIM outbound, app integrationNo LDAP, dependent on Okta platform
JumpCloud DirectoryLDAP, RADIUS, SSHCloud-delivered directoryMulti-OS, simple management, MDMLimited on-prem integration

Active Directory Architecture

Domain Topology

ComponentPurposeScalability Consideration
ForestSecurity boundary, contains one+ domainsRoot domain in multi-forest: trust management
DomainReplication boundary, contains OUsDomain count kept minimal (1-3 typical for most orgs)
Organisational Unit (OU)Administrative boundary, GPO applicationRationalised OU structure reduces GPO management overhead
SitePhysical network topology for replicationSite design affects replication traffic and logon performance

Domain Controller Roles

RoleFunctionRecommendations
Global CatalogUniversal group membership, forest-wide searchAll DCs should be GC in single-domain forest
PDC EmulatorTime sync, password changes, group policyMost performant DC, backed up first, monitored most closely
RID MasterSecurity identifier allocationEnsure sufficient RID pool; single-failure point but low-criticality
Infrastructure MasterCross-domain object referencesPlace on non-GC DC in multi-domain forest
Schema MasterSchema modification controlKeep offline except during schema changes
Domain Naming MasterDomain add/removePlace on same DC as Schema in small environments

Replication Topology

┌──────────────────────────────────────────────────────┐
│ AD REPLICATION │
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ DC SiteA │<──────>│ DC SiteB │<──────>│ DC SiteC │ │
│ │ (PDC) │ int │ │ int │ │ │
│ └────┬─────┘ └─────────┘ └─────────┘ │
│ │ │ │ │
│ v v v │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ DC SiteA│ │ DC SiteB│ │ DC SiteC │ │
│ │ (RODC) │ │ (RODC) │ │ (RODC) │ │
│ └─────────┘ └─────────┘ └─────────┘ │
│ │
│ int = Intersite replication (compressed, scheduled) │
│ v = Intrasite replication (uncompressed, immediate) │
└──────────────────────────────────────────────────────┘

Replication Best Practices

PracticeRationaleConfiguration
2+ DCs per siteFault tolerance for authentication and directory lookupsDeploy 2+ DCs in each physical site
RODCs in branch officesRead-only DCs prevent credential theft at remote locationsRODC with password replication policy
Custom replication scheduleControl bandwidth usage during business hoursSchedule intersite replication intervals (e.g., every 15 min)
Separate site linksRoute replication over least-cost pathsCreate site links matching WAN topology
Monitor replication healthDetect replication failures earlyrepadmin /replsummary, AD health checks

LDAP Directory Architecture

LDAP Tree Structure

┌─────────────────────────────────────────────┐
│ dc=example,dc=com │
│ │
│ ┌───────────┴───────────┐ │
│ │ │ │
│ ou=People ou=Groups │
│ │ │ │
│ ├── uid=jdoe ├── cn=Developers │
│ ├── uid=asmith ├── cn=Admins │
│ └── uid=bjohnson └── cn=Analysts │
│ │
│ ┌─────────────────────────────────┐ │
│ │ ou=Applications │ │
│ │ ├── cn=ERP │ │
│ │ ├── cn=CRM │ │
│ │ └── cn=HRIS │ │
│ └─────────────────────────────────┘ │
└─────────────────────────────────────────────┘

LDAP Performance Tuning

ParameterImpactRecommended Setting
IndexingSearch performanceIndex attributes used in search filters (uid, mail, memberOf, objectClass)
Connection poolingDirectory connection efficiencyPool of 10-50 connections per application server
Page sizeSearch result paging1000 results per page (vs. default 100)
Idle timeoutConnection resource management5-10 minutes (balance between reconnect overhead and resource savings)
Cache sizeEntry cache hit ratioEntry cache: 50%+ of total directory data; DB cache: 20-30% of DB size
Thread poolConcurrent operation handling10-50 worker threads per CPU core
Referral chasingCross-server operationOff for client applications, on for admin tools

Directory Security Hardening

Hardening MeasureADOpenLDAPCloud Directory
Disable weak protocolsNTLMv1, LM hash, SMBv1Simple binds over TLS onlyOAuth token enforcement
Secure channelLDAPS (port 636) or StartTLSLDAPS requiredTLS required (HTTPS only)
Password policyFine-grained password policyppolicy overlayBuilt-in conditional access
Account lockoutLockout threshold + durationppolicy lockoutSmart lockout / risk-based
Audit loggingAdvanced Audit PolicyAccess log, error log, audit logSign-in logs, audit logs
Admin securityTier 0 admin model, PAWssudo/role-based adminPIM / privileged roles
Backup protectionAD backup with DSRM passwordLDIF export, directory backupCloud back-up and restore

Active Directory Security Recommendations

RecommendationCategoryImplementation
Deploy Tier 0 admin modelAdmin securitySeparate admin accounts, PAW workstations, restricted admin groups
Enable Advanced Audit PolicyAuditingAudit account logon, account management, directory service changes, privilege use
Implement Group Managed Service Accounts (gMSA)Service accountsAutomatic password rotation, SPN management
Restrict NTLMProtocol securityNTLM audit mode → block via Group Policy
Enable LAPSLocal admin passwordsManaged local admin password on all workstations and servers
Deploy RODCs in branchesCredential securityPassword replication policy for branch-specific accounts
Monitor for Golden Ticket attacksDetectionKRBTGT password change monitoring, event ID 4670, 4769

Directory Migration

Migration Approaches

ApproachComplexityRiskDurationUse Case
Domain migration (ADMT)HighMediumMonthsAD-to-AD migration (merger/acquisition)
Forest migrationVery HighHighMonths to YearMulti-forest consolidation
Cloud migration (Entra ID)MediumMediumMonthsOn-prem AD → Entra ID
IdP migrationMedium-HighHighMonthsOne IdP to another (Okta → Azure, Ping → Okta)

AD-to-Entra ID Migration

PhaseActivitiesDurationRisk
1. AssessmentApplication inventory, authentication method audit, SSO readiness2-4 weeksLow
2. PilotMigrate pilot user group, test authentication, validate app compatibility4-8 weeksMedium
3. Identity syncDeploy Entra ID Connect, sync identities, password hash sync / PHS4 weeksMedium
4. Phased migrationMigrate apps from AD auth to Entra ID, one application at a time8-16 weeksMedium-High
5. CutoverDisable AD authentication for migrated apps, redirect to Entra ID2-4 weeksHigh
6. DecommissionRemove remaining AD dependencies, decommission DCs4-8 weeksLow

Key Takeaways

  • Directory services form the backbone of identity infrastructure — the choice between AD, Entra ID, OpenLDAP, and cloud directories depends on existing investments, application requirements, and cloud adoption strategy
  • Active Directory replication topology requires careful design — 2+ DCs per site, RODCs in branch offices, custom replication schedules based on WAN topology, and regular replication health monitoring are essential
  • LDAP performance tuning centres on proper indexing, connection pooling, page sizing, cache sizing, and thread pool configuration — an untuned directory can add 100-500ms latency per lookup
  • Directory security hardening spans disabling weak protocols (NTLMv1, SMBv1), enforcing LDAPS, implementing strong password policies, deploying Tier 0 administrative models, enabling advanced audit policies, and deploying gMSAs and LAPS
  • AD-to-Entra ID migration is a phased process (assessment → pilot → sync → phased migration → cutover → decommission) — application readiness assessment is the most critical success factor
  • Cloud directories (Okta Universal Directory, JumpCloud) offer simplified management and cloud-native capabilities but may lack LDAP support and deep on-premises integration