Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Active Directory Domain Services (AD DS): Overview and Functions

Active Directory Domain Services (AD DS) are the core functions that make AD work. Learn more about AD DS and how to defend AD against cyber attacks.
Michael Buckbee
3 min read
Published March 29, 2020
Last updated March 3, 2022

Active Directory Domain Services (AD DS) are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies.

AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management.

Get the Free PowerShell and Active Directory Essentials Video Course

Understanding AD DS is a top priority for Incident Response (IR) and cybersecurity practitioners because all cyberattacks will affect AD, and you need to know what to look for and how to respond to attacks when they happen.

Benefits of Active Directory Domain Services

There are several benefits to using AD DS for your basic network user and computer management.

  • You can customize how your data is organized to meet your companies needs
  • You can manage AD DS from any computer on the network, if necessary
  • AD DS provides built in replication and redundancy: if one Domain Controller (DC) fails, another DC picks up the load
  • All access to network resources goes through AD DS, which keeps network access rights management centralized

active directory domain services benefits

Active Directory Domain Services Terms to Know

In order to understand AD DS, there are some key terms to define.

  • Schema: The set of user configured rules that govern objects and attributes in AD DS.
  • Global Catalog: The container of all objects in AD DS. If you need to find the name of a user, that name is stored in the Global Catalog.
  • Query and Index Mechanism: This system allows users to find each other in AD. A good example would be when you start typing a name in your mail client, and the mail client shows you possible matches.
  • Replication Service: The replication service makes sure that every DC on the network has the same Global Catalog and Schema
  • Sites: Sites are representations of the network topology, so AD DS knows what objects go together to optimize replication and indexing.
  • Lightweight Directory Access Protocol: LDAP is a protocol that allows AD to communicate with other LDAP enabled directory services across platforms.

What Services are Provided in Active Directory Domain Services?

Here are the services that AD DS provides as the core functionality required by a centralized user management system.

  • Domain Services: Stores data and manages communications between the users and the DC. This is the primary functionality of AD DS.
  • Certificate Services: Allows your DC to serve digital certificates, signatures, and public key cryptography.
  • Lightweight Directory Services: Supports LDAP for cross platform domain services, like any Linux computers in your network.
  • Directory Federation Services: Provides SSO authentication for multiple applications in the same session, so users don’t have to keep providing the same credentials.
  • Rights Management: Controls information rights and data access policies. For example, Rights Management determines if you can access a folder or send an email.

Role of Domain Controllers with Active Directory Domain Services

Domain Controllers (DC) are the servers in your network that host AD DS. DCs respond to authentication requests and store AD DS data. DCs host other services that are complementary to AD DS as well. Those are:

  • Kerberos Key Distribution Center (KDC): The kdc verifies and encrypts kerberos tickets that AD DS uses for authentication
  • NetLogon: Netlogon is the authentication communication service.
  • Windows Time (W32time): Kerberos requires all computer times to be in sync.
  • Intersite Messaging (IsmServ): Intersite messaging allows DCs to communicate with each other for replication and site-routing.

complimentary active directory domain services hosted by domain controllers

AD must have at least one Domain Controller. DCs are the containers for the domains. Each domain is part of an AD Forest, which can include one or more domains organized in Organizational Units. AD DS manages trusts between multiple domains, so you can provide access rights to users in one domain to others in your forest.

The most important concept to understand is that AD DS is a framework for domain management, and the computer that users use to access AD is the DC

Modern cybersecurity depends on a deep understanding of Active Directory. Active Directory is central to attackers’ capabilities for infiltration, lateral movement, and data exfiltration.  No matter how stealthy or clever they are, attackers leave breadcrumbs in AD logs as they move through your network.

Varonis monitors AD for those breadcrumbs, as well as file activity, DNS calls, VPN activity, and more. Varonis correlates that data into a full picture for each user and computer in AD, compares the current activity to a normalized baseline and a catalog of data security threat models, and proactively identifies potential threats to your data.

Want to learn more about AD security? Check out our on-demand webinar “4 Tips to Secure Active Directory.”

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-12-pci-dss-requirements:-4.0-compliance-checklist
The 12 PCI DSS Requirements: 4.0 Compliance Checklist
Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) is right around the corner. Prepare with our PCI DSS compliance checklist.
how-varonis-helps-with-pci-dss-3.1
How Varonis Helps with PCI DSS 3.1
The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how organizations manage credit card and other cardholder data. Many security professionals advocate that...
pci-dss-explained:-our-new-white-paper-decodes-the-complexity
PCI DSS Explained: Our New White Paper Decodes the Complexity
The Payment Card Industry Data Security Standard (PCI DSS) is not just another list of requirements for protecting data. In 2013, the number of credit and debit card transactions worldwide...
data-security:-definition,-explanation-and-guide
Data Security: Definition, Explanation and Guide
Data Security is a process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different...