Directory services are the backbone of identity infrastructure. They store identity attributes, authenticate users, and provide authorisation information to applications and services. Understanding directory architecture is essential for designing resilient, performant IAM systems.
Directory Types
Directory Type
Protocol
Primary Use Case
Strengths
Limitations
Active Directory
LDAP, Kerberos, NTLM
Enterprise user/computer management, Windows integration
Group Policy, Kerberos trust, application compatibility
Complex replication topology, Windows-centric
Entra ID (Azure AD)
REST, OAuth, OIDC
Cloud identity, SaaS SSO, device management
Cloud-native, conditional access, rich APIs
No LDAP, no Kerberos, different object model
OpenLDAP / 389 Directory
LDAP
Linux/Unix environments, custom schema
Open source, flexible schema, lightweight
No Kerberos, limited management tools
PingDirectory
LDAP, SCIM, REST
Large-scale directory, cloud-delivered
High performance, multi-tenancy, SCIM support
Commercial licensing
Okta Universal Directory
REST, SCIM, OIDC
Cloud application identity, lifecycle
Cloud-native, SCIM outbound, app integration
No LDAP, dependent on Okta platform
JumpCloud Directory
LDAP, RADIUS, SSH
Cloud-delivered directory
Multi-OS, simple management, MDM
Limited on-prem integration
Active Directory Architecture
Domain Topology
Component
Purpose
Scalability Consideration
Forest
Security boundary, contains one+ domains
Root domain in multi-forest: trust management
Domain
Replication boundary, contains OUs
Domain count kept minimal (1-3 typical for most orgs)
Organisational Unit (OU)
Administrative boundary, GPO application
Rationalised OU structure reduces GPO management overhead
Site
Physical network topology for replication
Site design affects replication traffic and logon performance
Domain Controller Roles
Role
Function
Recommendations
Global Catalog
Universal group membership, forest-wide search
All DCs should be GC in single-domain forest
PDC Emulator
Time sync, password changes, group policy
Most performant DC, backed up first, monitored most closely
RID Master
Security identifier allocation
Ensure sufficient RID pool; single-failure point but low-criticality
Migrate apps from AD auth to Entra ID, one application at a time
8-16 weeks
Medium-High
5. Cutover
Disable AD authentication for migrated apps, redirect to Entra ID
2-4 weeks
High
6. Decommission
Remove remaining AD dependencies, decommission DCs
4-8 weeks
Low
Key Takeaways
Directory services form the backbone of identity infrastructure — the choice between AD, Entra ID, OpenLDAP, and cloud directories depends on existing investments, application requirements, and cloud adoption strategy
Active Directory replication topology requires careful design — 2+ DCs per site, RODCs in branch offices, custom replication schedules based on WAN topology, and regular replication health monitoring are essential
LDAP performance tuning centres on proper indexing, connection pooling, page sizing, cache sizing, and thread pool configuration — an untuned directory can add 100-500ms latency per lookup
Directory security hardening spans disabling weak protocols (NTLMv1, SMBv1), enforcing LDAPS, implementing strong password policies, deploying Tier 0 administrative models, enabling advanced audit policies, and deploying gMSAs and LAPS
AD-to-Entra ID migration is a phased process (assessment → pilot → sync → phased migration → cutover → decommission) — application readiness assessment is the most critical success factor
Cloud directories (Okta Universal Directory, JumpCloud) offer simplified management and cloud-native capabilities but may lack LDAP support and deep on-premises integration