LDAP and Other AD Services

When and why is each needed?

LDAP - ESSENTIAL

Certificate Services (AD CS)

Only if you need:

  • Smart card logins
  • Internal SSL certificates
  • Email encryption
  • WiFi authentication

Federation Services (AD FS)

Only if you need:

  • Office 365 single sign-on (though Azure AD Connect is preferred now)
  • Partner company integrations
  • Complex web app SSO

Global Catalog

Automatic with AD, but additional GCs needed only if:

  • Multiple sites/locations
  • Slow WAN links
  • Many domains in forest

Lightweight Directory Access Protocol (LDAP)

  • Active Directory: The database and service provider
    • Stores actual directory data
    • Manages security policies
    • Handles replication between domain controllers
  • LDAP: The communication protocol
    • Provides the language for queries
    • Standardizes access methods
    • Enables cross-platform compatibility

  • Protocol for communicating with Active Directory over the network
  • Can query information from a directory such as:
    • ex: user information, email addresses, or permissions
  • Active Directory provides the actual directory and services, while LDAP is a way to request/modify that information

Why is it needed for AD:

  • Gives other devices standard ways to communicate with AD (compatibility with Linux/macOS/etc.)
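Added example (not from the original notes): LDAP is the query language applications use to ask AD about users, so any value an application copies from user input into a search filter has to be escaped first. The block below escapes values per RFC 4515 and builds the usual "find this user" filter; the unsafe builder is shown only for contrast. Attribute names are standard AD attributes; the sample usernames are constructed.

```python
# Added example, not code from the original notes.
# Escaping values placed in LDAP search filters (RFC 4515) before an
# AD-integrated application sends them to a domain controller.

# Characters that have meaning inside an LDAP filter, mapped to their
# hex escapes. A per-character table avoids ordering mistakes such as
# escaping "\" after the other escapes have already introduced one.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters hex-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter matching exactly one user account by sAMAccountName.

    objectCategory=person excludes computer accounts, which are also
    objectClass=user in AD.
    """
    return (
        "(&(objectClass=user)(objectCategory=person)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


def mail_lookup_filter(mail: str) -> str:
    """Filter matching a user by e-mail address."""
    return f"(&(objectClass=user)(mail={escape_filter_value(mail)}))"


def unsafe_user_lookup_filter(sam_account_name: str) -> str:
    """The builder to avoid: raw input reaches the filter, so a "*" becomes a
    wildcard and parentheses can change the filter's structure."""
    return f"(&(objectClass=user)(sAMAccountName={sam_account_name}))"


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("alice", "*", "bob)(mail=*"):
        print("safe:  ", user_lookup_filter(name))
        print("unsafe:", unsafe_user_lookup_filter(name))
```

Escaping applies to filter values only; a distinguished name used as a search base follows the separate RFC 4514 rules and needs its own escaping.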

Certificate Services (AD CS)

Purpose: Public Key Infrastructure (PKI) for the domain

  • Root CA: Top of certificate hierarchy
  • Subordinate CAs: Issue end-user certificates
  • Certificate Templates: Define certificate properties
  • Web Enrollment: Browser-based certificate requests

Uses:

  • Smart card authentication
  • Email encryption (S/MIME)
  • SSL certificates for internal websites
  • 802.1x authentication
  • Code signing

Federation Services (AD FS)

Purpose: Single Sign-On across organizational boundaries

  • Claims-based Authentication: Attribute assertions
  • SAML/OAuth Support: Industry standard protocols
  • Web Application Proxy: Secure external access
  • Multi-Factor Authentication: Enhanced security

Use Cases:

  • Office 365 hybrid deployments
  • Partner organization collaboration
  • SaaS application integration
  • B2B/B2C scenarios
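Added example (not from the original notes): what "claims-based authentication" looks like on the receiving side. AD FS hands the application a SAML 2.0 assertion carrying attribute claims; before using any of them the application must check the assertion's own Conditions (validity window and intended Audience). The assertion text, issuer URL, audience URL and claim names below are constructed for illustration. Signature verification is assumed to have been done already on the enclosing response; this block only covers the claims logic.

```python
# Added example, not code from the original notes.
# Extracting claims from a SAML 2.0 assertion of the kind AD FS issues, and
# enforcing the assertion's Conditions before trusting the claims.
# Assumption: the XML signature has already been verified by the caller; for
# untrusted XML, use a hardened parser (e.g. defusedxml) instead of
# xml.etree directly.

from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience and claim values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.local</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.partner.example/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.local</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_timestamp(ts: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_extract_claims(assertion_xml: str, expected_audience: str,
                                now: datetime) -> dict:
    """Return the claims only if the assertion is valid for us right now."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("document is not a SAML assertion")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before = parse_saml_timestamp(cond.get("NotBefore"))
    not_on_or_after = parse_saml_timestamp(cond.get("NotOnOrAfter"))
    # NotOnOrAfter is exclusive, per the SAML core spec.
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different audience")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no subject NameID")

    claims = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text,
    }
    # Each Attribute becomes one claim; multi-valued attributes keep a list.
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims


def has_group_claim(claims: dict, group: str) -> bool:
    """Authorization decisions are then made on the extracted claims."""
    return group in claims.get("http://schemas.xmlsoap.org/claims/Group", [])


if __name__ == "__main__":
    now = parse_saml_timestamp("2024-05-01T12:30:00Z")
    c = validate_and_extract_claims(SAMPLE_ASSERTION, "https://app.partner.example/saml", now)
    print(c["name_id"], "in Finance:", has_group_claim(c, "Finance"))
```

The audience check is what stops an assertion issued for one relying party from being replayed at another; the time window limits how long a captured assertion stays usable.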

Global Catalog (GC)

Purpose: Partial replica of all objects in the AD forest

  • Port 3268 (3269 for SSL)
  • Contains subset of attributes for all forest objects
  • Enables forest-wide searches
  • Critical for Universal Group membership
  • Required for user logon (UPN resolution)

Use Cases:

  • Cross-domain queries
  • Exchange Address Book
  • Universal Group enumeration
  • User Principal Name authentication
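Added example (not from the original notes): the decision the Global Catalog section implies, written out as code. A forest-wide search (a UPN lookup or any cross-domain query) goes to GC port 3268, or 3269 over TLS, with an empty search base; but the GC only holds the partial attribute set, so any attribute outside that set has to be fetched afterwards from a DC of the object's own domain on 389/636. The host name, domain DN and the small partial attribute set below are constructed for illustration; the real set is defined in the forest schema.

```python
# Added example, not code from the original notes.
# Choosing between a Global Catalog search and a domain-controller search,
# and splitting off attributes the GC cannot serve.

from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed, illustrative subset of the GC partial attribute set (PAS).
# The real PAS is defined by the forest schema (isMemberOfPartialAttributeSet).
GC_PARTIAL_ATTRIBUTE_SET = {
    "objectClass", "distinguishedName", "sAMAccountName", "userPrincipalName",
    "displayName", "mail", "memberOf", "objectSid", "objectGUID",
}

GC_PORT, GC_TLS_PORT = 3268, 3269
LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass(frozen=True)
class SearchPlan:
    host: str
    port: int
    base_dn: str                      # "" on a GC means "the whole forest"
    attributes: Tuple[str, ...]       # attributes this search can return
    followup_attributes: Tuple[str, ...]  # must be read from the object's own domain DC


def plan_search(forest_wide: bool, attributes: Iterable[str], domain_base_dn: str,
                use_tls: bool, host: str = "dc01.example.local") -> SearchPlan:
    """Pick port, base DN and attribute split for one LDAP search."""
    wanted = tuple(attributes)
    if forest_wide:
        served = tuple(a for a in wanted if a in GC_PARTIAL_ATTRIBUTE_SET)
        missing = tuple(a for a in wanted if a not in GC_PARTIAL_ATTRIBUTE_SET)
        return SearchPlan(host, GC_TLS_PORT if use_tls else GC_PORT, "", served, missing)
    # A domain DC holds every attribute of its own domain's objects.
    return SearchPlan(host, LDAPS_PORT if use_tls else LDAP_PORT, domain_base_dn, wanted, ())


def plan_upn_logon_lookup(upn: str, use_tls: bool = True) -> SearchPlan:
    """UPN suffixes are forest-wide, so resolving a UPN to an account always
    needs the GC. The caller escapes the UPN (RFC 4515) before building the
    filter (userPrincipalName=...)."""
    if "@" not in upn:
        raise ValueError("a UPN has the form user@suffix")
    return plan_search(True, ("distinguishedName", "objectSid", "userPrincipalName"),
                       domain_base_dn="", use_tls=use_tls)


if __name__ == "__main__":
    # Constructed sample: a cross-domain lookup that also wants 'department'.
    p = plan_search(True, ["mail", "department"], "DC=example,DC=local", True)
    print(p)
    print(plan_upn_logon_lookup("alice@example.local"))
```

The follow-up list is the practical reason the notes call additional GCs "needed" across slow WAN links: without a local GC, every forest-wide lookup and every Universal Group evaluation at logon crosses the link.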