Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

AD DS: Explained

The purpose of online directories is to store resources on the network in a way that it’s simple to access. Microsoft’s Active Directory (AD) has risen through the ranks to become the top online directory in the software industry.

What is AD DS?

Quote Banner Cloud Environment

In layman’s terms, Active Directory Domain Services (AD DS) is the legacy on-premise version of domain services within AD, the product line. From a fundamental standpoint, AD DS provides all the services of Active Directory, from storing user information to defining user access policies.

AD vs AD DS

AD is used to store information about network objects (users, computers, printers) and makes it easy for admins to find that information. AD DS covers the set of methods AD uses for storing and managing object information. AD DS is hosted on servers called Domain Controllers (DC), which respond to client authentication requests and store AD object data.

What makes AD DS so useful for organizations is the benefits it provides for network resource management, such as the ability to customize how your data is organized, built-in redundancy, and centralized network access rights.

AD DS became one of the top domain controllers in the industry, but the adoption of cloud-based services has led some struggles for AD DS.

AD DS Terms

Object

Objects are the virtual representations in AD of physical entities in a network, like computers, users, printers, etc.

Schema

Policies that dictate access levels and attributes for objects in AD.

Global Catalog

Storage for all the objects on the network. Allows the domain controller to provide information on any object.

QIM

The Query and Index Mechanism allows users to find any other user in AD. Similar to the Google auto-complete features, the QIM shows all possible matches when start searching in AD.

LDAP

Lightweight Directory Access Protocol is what AD uses to communicate with other servers. We have a whole page dedicated to LDAP.

AD DS in the Cloud

managed vs private pki

AD DS is designed for on-prem legacy systems, and any system built around AD will run into issues if admins want to adopt cloud solutions.

Microsoft rolled out Azure, which is a cloud-based software solution that works within Windows environments. On paper, it’s a great way for Windows admins to migrate their on-prem AD environments to the cloud, but in practice that’s not the case. Azure offers Azure AD (Microsoft Entra ID) which at first just seems like the cloud version of AD, but that’s not actually the case.

Azure AD is a cloud-based identity and access management service, providing user authentication for cloud applications. Azure AD doesn’t support LDAP, Kerberos, or Group Policy, making a cloud-based solution less versatile than an on-prem AD DS, if you can believe that.

Azure AD vs Azure AD DS

Azure AD DS is basically AD DS in the cloud and supports everything that Azure AD can’t, like Kerberos and NTLM authentication, group policies, and LDAP. This is for admins looking to move their environments cloudward while keeping their traditional AD DS.

Does Azure AD (Microsoft Entra ID) DS Support RADIUS?

On-prem Windows environments use NPS for RADIUS because it can communicate with LDAP. But Azure is cloud-based, so it uses OAuth or SAML instead of LDAP and doesn’t natively support RADIUS/NPS. Admins can connect NPS and Azure AD DS through an NPS MFA extension, but the configuration is left to the network admins, piling up their workload.

Ultimately, admins with on-prem legacy systems will have to add extension after extension for cloud capabilities, further entrench themselves with on-prem hardware. Plus, authenticating users with credentials brings more issues.

Vulnerabilities of AD Credential-based Authentication

Thousands of Windows environments authenticate users with AD credentials. While it eliminates the need for shared passwords, credentials can still be stolen, creating a major vulnerability in security for that network and depreciating user experience. The rise of social engineering attacks, especially during the Covid-19 pandemic, means credential-based authentication methods can’t protect networks.

Authentication methods like EAP-TTLS/PAP or PEAP-MSCHAPv2 serve no match for cyber attacks like the man-in-the-middle attack, leaving the entire network compromised and IT heads potentially on the chopping block.

AD and Azure AD environments can ditch credential-based authentication for the more secure and versatile digital certificate option. Instead of relying on shared passwords and dreadful password-reset policies, a user’s identifying information can be input and encrypted into a certificate. After equipping network servers with certificates as well, a server can validate a user or device with the matching certificate.

Configuring Azure with Certificates and a PKI

In order to administer certificates to every network device and service, you will need to build a Public Key Infrastructure (PKI). If that sounds difficult, it’s because it is. PKIs come with a multitude of components that all need to be configured correctly which requires a team of experts to deploy and manage.

Microsoft offers certificate services with AD CS, but, again, it’s an on-premise service not designed for the cloud. Any Windows admins looking to deploy certificates and migrate their network to the cloud will run into many problems with AD CS. Plus, setup takes time, time that many organizations simply don’t have.

Luckily, SecureW2 offers a turnkey PKI solution that can be setup in less than an hour and strengthens network security with certificate-based EAP-TLS authentication. EAP-TLS is the most secure authentication protocol because both the client and server are equipped with certificates for easy verification. No entity without an approved network certificate will be able to gain access.

Our PKI solution makes it easy for organizations to implement WPA2-Enterprise for their network and ensure only approved users can access the network. Our services can integrate with Azure AD so admins can input a user’s AD credentials and group policies onto a certificate and lock it into that user’s device.

Admins can use our onboarding software to configure all non-Windows devices for 802.1x settings. If an organization uses MDM software, like Intune, admins can build powerful SCEP Gateway APIs to administer certificates and network policies. In fact, here’s how you can do it with Intune.

Invest in Cloud RADIUS and a Managed PKI

While AD DS is great for on-prem infrastructures based around AD, it’s not as effective in the cloud, which is where the industry is moving as a whole. Admins with on-prem AD DS are getting left behind and need an easy solution to migrate to the cloud.

Luckily, that solution is Cloud RADIUS and a Managed PKI from SecureW2. Backed by certificate-based EAP-TLS authentication, over-the-air credential theft will be eliminated and your network will perform better all around. All this comes at an affordable price so organizations of any size can secure their networks with WPA2-Enterprise.

Learn about this author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.

AD DS: Explained