Microsoft’s Active Directory (AD) turned 25 this month. In technology years, which are rather like dog years, that makes it pretty geriatric.
To the uninitiated, AD acts like the spine of IT infrastructure. Through it, you can control access to resources belonging to a given organisation, manage users and computers (enforcing policies on both), and so on.
Crudely, if a machine doesn't exist in AD, it is not trusted by your domain. If a user doesn’t exist in AD, then they typically can’t log in to a machine.
"Active Directory stores data as objects that represent different resources, such as users, computers, groups and org. units. The most common objects in an AD domain are user and computer objects. User objects represent real users, service accounts and built-in users such as the Kerberos Ticket Granting Ticket (KRBTGT) user object. Computer objects represent systems, such as servers and workstations in a domain. Every server and workstation that is joined to a domain has a corresponding computer object in AD. These objects are used… for authentication, authorisation and policy enforcement." – NSA.
Over the years, AD managed to push the likes of Banyan, IBM SNA servers and Novell Netware aside as competitors and become the dominant force when it comes to authentication and authorisation. It is entrenched.
As AJ Lindner, Active Directory specialist, Powershell enthusiast and Solutions Architect at One Identity, put it to The Stack: “It’s incredible to see any software solution survive as long as AD has, let alone do so while retaining such a massive foothold within organizations everywhere.”
Entra ID is not going to replace AD
Lindner added: “There’s been an ongoing sentiment for well over a decade that ‘AD is going away’, to be replaced by cloud directories such as Microsoft’s own Entra ID, or various competing alternatives. Yet its continuing prevalence in the market stands testament to AD’s massive staying power, and Microsoft’s release of Forest Functional Level 2025, the first new AD update in 9 years, further reinforces the fact that, whether we like it or not, AD still isn’t going anywhere anytime soon.”
Sean Deuby, Principal Technologist at identity security firm Semperis, noted: “Interestingly, AD is arguably more important today than it was 10 years ago. Why? Because as organisations increasingly shift to the cloud, hybrid identity architectures have evolved to extend AD identities into cloud service providers like Microsoft Entra ID (formerly Azure AD).
“This hybrid approach allows enterprises to maintain their existing AD-based authentication while enabling cloud adoption, providing a bridge between on-prem infrastructure and modern SaaS applications…
“Many businesses are still tied to AD, simply because of the enormous investment in AD-integrated applications, policies, and workflows that have built up over two decades… replacing AD isn’t just a technical challenge – it’s a business risk. When I conduct polls I typically ask attendees when they plan to shut down AD. The overwhelming response? Almost three-quarters say ‘never.’ Will we be celebrating AD’s 30th birthday, or 40th? I wouldn’t bet against it,” Deuby added by email.
AD: "Susceptible to compromise"
AD, however, has long been a difficult thing to secure and riddled with issues. Both its ubiquity and its design make it a large attack surface.
As a large collection of Five Eyes cybersecurity agencies (CISA, NSA, NCSC etc.) put it in a September 2024 advisory [pdf]: “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues.”
Dmitry Sotnikov, Chief Product Officer at Cayosoft, told The Stack: “Even a brand-new AD forest is insecure out of the box, with misconfigurations and toxic permission combinations that attackers exploit.
“One of the most critical issues? The built-in Administrator account lacks protections against delegation attacks, making it a prime target for privilege escalation. Attackers can abuse weak delegation settings, excessive default permissions, and legacy authentication protocols to move laterally and compromise an entire domain…”
He added: “Many organisations adopt Entra ID (formerly Azure AD) to modernise identity, but it is not a replacement for AD because it lacks key enterprise capabilities such as Group Policy, Kerberos authentication, structured OU-based administration, and deep control over identity delegation and permissions. Entra ID works for newer cloud-native companies… but for enterprises with legacy applications, on-prem workloads, and hybrid environments, AD remains essential.”
See also: NSA warns AD is an "exceptionally difficult to defend" attack surface
Ian Wood, Senior Director Systems Engineering at Commvault, added: “Often considered the ‘keys to the kingdom’, Active Directory is invaluable for around 610 million users worldwide. But we’re not the only people who recognise its value… Active Directory was the most targeted attack surface for ransomware in 2024, according to recent research.
“If you’re locked out of AD, it becomes near impossible for your employees to get into the network to attempt to resolve the situation. Even once they do regain access, rebuilding… is extremely complex.”
See also: Recovering from ransomware: Are your backups enough?
He added: “Imagine a forest full of trees. If a problem arises within the roots of one tree, this will affect the trunk, the branches, and the leaves.
“When you try to ‘fix’ the tree, you wouldn’t put a loose leaf back onto a dying branch – you'd need to start at the root of the problem (literally, in this case). [AD recovery is tricky] You must recover the system in a very precise order, following a complex set of steps that typically number 50-100 or more. Make one wrong move, and you need to start again from scratch. Automation is making this challenge much less daunting…”
Deuby meanwhile added: “Hardening AD and Entra ID environments therefore requires constant monitoring of the identity attack surface to identify vulnerabilities – such as weak security configurations or admin accounts with excessive privileges – before attackers do. Use free community tools like Purple Knight to find vulnerabilities in your organisation and ongoing Identity Threat Detection and Response (ITDR) solutions to detect, prevent, and respond to identity-based threats.”
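Sotnikov's point about the built-in Administrator account lacking delegation protections, and Deuby's call to keep watching for admin accounts with excessive privileges, both come down to a check an AD team can run itself. The script below is an added example, not code from The Stack or from any of the vendors quoted: it lists enabled members of the most privileged groups that still lack the "Account is sensitive and cannot be delegated" flag and are not in Protected Users. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is an assumption and can be extended.

```powershell
# Added audit script (not from the article or any vendor quoted in it).
# Flags enabled users in highly privileged groups that can still be delegated:
# NOT_DELEGATED (userAccountControl 0x100000) is not set and the account is not
# a member of Protected Users. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: these are the groups worth auditing; extend for your forest.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Protected Users members get NOT_DELEGATED-like treatment from the DC itself.
$protectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are included.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties AccountNotDelegated, PasswordLastSet
            if ($u.Enabled -and -not $u.AccountNotDelegated) {
                [PSCustomObject]@{
                    Group            = $group
                    Account          = $u.SamAccountName
                    # RID 500 is the built-in Administrator the article singles out.
                    IsBuiltInAdmin   = $u.SID.Value.EndsWith('-500')
                    InProtectedUsers = ($protectedUsers -contains $u.DistinguishedName)
                    PasswordLastSet  = $u.PasswordLastSet
                }
            }
        }
}

# One row per account, regardless of how many privileged groups it sits in.
$findings | Sort-Object Account -Unique | Format-Table -AutoSize

# Remediation, applied deliberately per account once you have confirmed nothing
# legitimately relies on delegating that identity:
# Set-ADAccountControl -Identity <samAccountName> -AccountNotDelegated $true
```

Accounts that appear with IsBuiltInAdmin set to True and InProtectedUsers set to False are the first ones to fix.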
Some AD security enhancements in 2025?
New enhancements to Active Directory Domain Services (AD DS) and Active Directory Lightweight Domain Services (AD LDS) in 2025 aim to improve the domain service management experience and security.
A few snapshots:
- "Improved algorithms for Name/SID Lookups: Local security authority (LSA) Name and SID Lookup forwarding between machine accounts no longer uses the legacy Netlogon secure channel. Kerberos authentication and the DC Locator algorithm are used instead. To maintain compatibility with legacy operating systems, it's still possible to use the Netlogon secure channel as a fallback option."
- "Improved security for confidential attributes: DCs and AD LDS instances only allow LDAP to add, search, and modify operations that involve confidential attributes when the connection is encrypted."
- "Improved security for default machine account passwords: Active Directory now uses default computer account passwords that are randomly generated. Windows 2025 DCs block setting computer account passwords to the default password of the computer account name."
Source: Microsoft