
Frequently asked questions

What is Active Directory in simple terms?
Active Directory (AD) is the directory service developed by Microsoft in which Windows environments centrally manage users, computers, groups and permissions. Each employee generally has exactly one account in it, which they use to log on to their PC and to connected applications. Technically, AD stores these objects in a hierarchical database organised into domains, trees and forests. The service thus constitutes the authoritative identity source for who in an organisation may access which IT resources.
How long has Active Directory existed and which protocols does it use?
Active Directory was first introduced in February 2000 with Windows 2000 Server and has since been the backbone of identity management in countless corporate networks. For directory access, AD relies on the Lightweight Directory Access Protocol (LDAP); for authentication, it traditionally uses Kerberos as well as the older NTLM mechanism. Encrypted LDAP connections typically run over LDAPS (port 636) or StartTLS to protect credentials in transit. AD is not a single protocol but a complete directory service that bundles these standards.
What is the difference between Active Directory and Microsoft Entra ID?
Active Directory traditionally runs on-premise on Windows servers and uses protocols such as Kerberos, NTLM and LDAP, which are primarily designed for internal networks and older applications. Microsoft Entra ID is the cloud-based identity service that was known as Azure Active Directory until it was renamed in July 2023; the renaming changed only the name, not the functionality. Entra ID relies on modern web standards such as OAuth 2.0, OpenID Connect and SAML and is primarily designed for signing in to SaaS services and Microsoft 365. The two worlds can be coupled via synchronisation mechanisms so that employees use the same identities on-premise and in the cloud.
How is an ERP system connected to Active Directory?
The connection is usually made via an LDAP interface or direct AD synchronisation, often combined with single sign-on: the user logs on to Windows and is thereby also logged in to the ERP without entering credentials again. AD groups are mapped to ERP roles, so that a group membership in the directory automatically grants specific functional rights in the ERP. This allows users and permissions to be maintained centrally in the directory instead of managing them twice in the ERP, which avoids orphaned accounts and makes provisioning and deprovisioning easier when employees join or leave. Correct resolution of nested groups is important, as users may otherwise be able to log in but receive no permissions.
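To make the nested-group failure mode concrete, here is an added example (not code from this FAQ or from any ERP vendor): a constructed group hierarchy in which a user belongs to the role-mapped group only indirectly, resolved once naively and once transitively. All DNs, group names and ERP role names are hypothetical.

```python
from collections import deque

# Constructed directory snapshot: group DN -> DNs of its direct members
# (users or other groups), i.e. what AD exposes in the "member" attribute.
GROUP_MEMBERS = {
    "CN=ERP-Finance,OU=Groups,DC=example,DC=com": [
        "CN=Accounting,OU=Groups,DC=example,DC=com",
    ],
    "CN=Accounting,OU=Groups,DC=example,DC=com": [
        "CN=Anna Example,OU=Users,DC=example,DC=com",
    ],
    "CN=ERP-Users,OU=Groups,DC=example,DC=com": [
        "CN=ERP-Finance,OU=Groups,DC=example,DC=com",
        "CN=Bob Example,OU=Users,DC=example,DC=com",
    ],
}

# Hypothetical ERP role mapping: AD group DN -> ERP role.
ROLE_MAP = {
    "CN=ERP-Users,OU=Groups,DC=example,DC=com": "erp.login",
    "CN=ERP-Finance,OU=Groups,DC=example,DC=com": "erp.finance",
}

def direct_groups(user_dn):
    """Groups listing the user directly (a naive one-level 'memberOf' lookup)."""
    return {g for g, members in GROUP_MEMBERS.items() if user_dn in members}

def effective_groups(user_dn):
    """Transitive closure over group nesting, with cycle protection.
    This is what an LDAP filter using LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) on memberOf returns server-side."""
    seen = set()
    queue = deque(direct_groups(user_dn))
    while queue:
        g = queue.popleft()
        if g in seen:          # guards against A->B->A nesting loops
            continue
        seen.add(g)
        for parent, members in GROUP_MEMBERS.items():
            if g in members and parent not in seen:
                queue.append(parent)
    return seen

def erp_roles(user_dn, resolver):
    """ERP roles granted to the user under the given group resolver."""
    return sorted(ROLE_MAP[g] for g in resolver(user_dn) if g in ROLE_MAP)
```

With the naive resolver Anna authenticates fine but receives no ERP role at all; only the transitive resolver grants her the roles the nesting intended.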
Do I need Active Directory for a cloud ERP?
A locally operated Active Directory is not strictly required for a cloud ERP, as many cloud-based systems can use a cloud identity service such as Microsoft Entra ID. Microsoft Dynamics 365, for instance, relies on Entra ID as its identity provider, while other cloud ERPs support SAML or OpenID Connect for sign-in. Organisations with an existing on-premise AD can connect it to the cloud via synchronisation, so that employees work with the same credentials everywhere. When selecting an ERP, it is therefore advisable to examine both the local and the cloud-side identity integration rather than committing to one variant.
What are the biggest security risks with Active Directory?
The best-known attack patterns include pass-the-hash, Kerberoasting, the takeover of privileged domain admin accounts and unpatched vulnerabilities such as Zerologon. Because AD is the central identity source in many companies, a compromised domain controller can open up far-reaching access to connected systems, including the ERP. Recognised countermeasures include multi-factor authentication, separate administrative accounts and tier-0 workstations for administrators, encrypted LDAPS connections and service accounts with minimal privileges. In addition, prompt patching and continuous monitoring of logon activity ensure that anomalies are detected early.