Active Directory Architecture

Beginner | 30 min | Writeup

Understanding domains, forests, trusts, and AD structure

Learning Objectives

  • Understand AD components
  • Learn about domains and forests
  • Understand trust relationships
  • Know key AD objects

Imagine a massive phone book that not only lists everyone in a company but also knows their permissions, what computers they can access, and what software they can run. That's Active Directory (AD) - Microsoft's directory service that's the backbone of nearly every enterprise Windows network.

Understanding AD architecture is essential before attacking it. You need to know what forests, domains, and trusts are before you can exploit them. Think of this as learning the layout of the building before planning the heist.

AD is Everywhere

About 95% of Fortune 1000 companies use Active Directory. If you're doing enterprise penetration testing, you WILL encounter AD.

Core AD Components

Domain

A domain is a logical grouping of objects (users, computers, groups) that share the same AD database and security policies. Think of it as a company's main office - everyone inside shares resources and follows the same rules.

  • Has a unique name (e.g., corp.local, contoso.com)
  • Contains a shared database of objects
  • Has at least one Domain Controller (DC)
  • Enforces security policies across all members

Domain Controller (DC)

The Domain Controller is the server that runs AD and manages authentication and authorization. It's the crown jewel - compromise the DC, compromise the domain.

DC Responsibilities:
├── Stores the AD database (NTDS.dit)
├── Handles authentication requests
├── Replicates data to other DCs
├── Enforces Group Policy
└── Issues Kerberos tickets

Forest

A forest is a collection of one or more domains that share a common schema and global catalog. It's the highest level of organization - like a parent company with subsidiaries.

Forest: corp.local
├── Domain: corp.local (root domain)
│   ├── Domain: us.corp.local
│   ├── Domain: eu.corp.local
│   └── Domain: asia.corp.local
└── Shared: Schema, Global Catalog, Trust relationships

Organizational Units (OUs)

OUs are containers within a domain that organize objects. They're used to apply Group Policies and delegate administration. Think of them as departments within the company.

OUs vs Groups

OUs are containers for organizing objects. Groups are for assigning permissions. You put users in OUs to apply policies, and in groups to grant access.

AD Objects

Users

User accounts for authentication and authorization.

User Attributes:
├── sAMAccountName: jsmith (pre-Win2000 login)
├── userPrincipalName: jsmith@corp.local
├── distinguishedName: CN=John Smith,OU=Users,DC=corp,DC=local
├── memberOf: [groups the user belongs to]
└── servicePrincipalName: [for service accounts]

Computers

Machine accounts for domain-joined computers.

Computer Attributes:
├── sAMAccountName: WORKSTATION01$ (note the $)
├── operatingSystem: Windows 10 Enterprise
├── operatingSystemVersion: 10.0 (19043)
└── dNSHostName: workstation01.corp.local
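The user and computer attributes above follow fixed formats that tooling can pick apart. The following is an added example, not code from the original lesson: it parses a distinguishedName into its RDN components (handling escaped commas), derives the domain DNS name and OU chain from it, and classifies an object as user, service account, or computer using the sAMAccountName and servicePrincipalName conventions described above. The sample objects are constructed for illustration.

```python
import re

# Constructed sample objects using the attribute names from the lesson (not real accounts).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "jsmith",
     "distinguishedName": "CN=John Smith,OU=Users,OU=London,DC=corp,DC=local",
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql",
     "distinguishedName": "CN=svc_sql,OU=Service Accounts,DC=corp,DC=local",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "WORKSTATION01$",
     "distinguishedName": "CN=WORKSTATION01,OU=Workstations,DC=corp,DC=local",
     "servicePrincipalName": ["HOST/workstation01.corp.local"]},
]

def parse_dn(dn):
    """Split a distinguishedName into (attribute, value) RDN pairs, leftmost first.
    Splits only on commas that are not backslash-escaped (RFC 4514 syntax)."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns

def domain_from_dn(dn):
    """DNS name of the domain holding the object: the DC= components joined with dots."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")

def ou_path(dn):
    """OU chain from the domain root down to the object. Group Policy linked to the
    domain or to any OU on this path applies to the object."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]

def classify(obj):
    """Computer accounts end in '$'; a user object carrying an SPN is a service account."""
    sam = obj["sAMAccountName"]
    if sam.endswith("$"):
        return "computer"
    return "service account" if obj.get("servicePrincipalName") else "user"
```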

Groups

Collections of users, computers, or other groups.

  • Security Groups: Used for permission assignment
  • Distribution Groups: Used for email distribution
  • Domain Local: Used in a single domain
  • Global: Used across domains in the forest
  • Universal: Used across forests

Important Built-in Groups

High-Value Groups:
├── Domain Admins - Full control over the domain
├── Enterprise Admins - Full control over the forest
├── Administrators - Local admin on DCs
├── Schema Admins - Can modify AD schema
├── Account Operators - Can manage user accounts
├── Backup Operators - Can backup/restore files
└── Server Operators - Can manage DCs
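Because groups can contain other groups, a user's direct memberOf list rarely tells the whole story: membership in a high-value group is often inherited through nesting. This added example (not from the original lesson) resolves the transitive closure of memberOf over a constructed directory snapshot and reports which principals effectively sit in the high-value groups listed above; the group and account names are illustrative.

```python
# Constructed snapshot: sAMAccountName -> direct memberOf values, as LDAP returns them.
# Names are illustrative only. Domain Admins is nested in the domain's Administrators
# group by default, which is why it appears as a member here.
MEMBER_OF = {
    "jsmith":            ["Helpdesk"],
    "svc_backup":        ["Backup Operators"],
    "bjones":            ["Tier0-Admins"],
    "WORKSTATION01$":    ["Domain Computers"],
    "Helpdesk":          ["Account Operators"],
    "Tier0-Admins":      ["Domain Admins"],
    "Domain Admins":     ["Administrators"],
    "Account Operators": [],
    "Backup Operators":  [],
    "Administrators":    [],
    "Domain Computers":  [],
}

HIGH_VALUE = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins",
              "Account Operators", "Backup Operators", "Server Operators"}

def effective_groups(principal, member_of=MEMBER_OF):
    """Every group the principal belongs to, directly or via nested groups.
    Iterative walk with a visited set, so membership cycles cannot loop forever."""
    result, stack = set(), list(member_of.get(principal, []))
    while stack:
        group = stack.pop()
        if group not in result:
            result.add(group)
            stack.extend(member_of.get(group, []))
    return result

def high_value_principals(member_of=MEMBER_OF):
    """Map each non-group principal (a key never referenced as someone's group)
    to the sorted high-value groups it effectively holds."""
    groups = {g for members in member_of.values() for g in members}
    report = {}
    for principal in member_of:
        if principal in groups:
            continue
        hits = effective_groups(principal, member_of) & HIGH_VALUE
        if hits:
            report[principal] = sorted(hits)
    return report
```

An audit that only reads direct memberOf would miss jsmith's Account Operators rights, which arrive through the Helpdesk group.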

Trust Relationships

Trusts allow users in one domain to access resources in another. They're like partnerships between companies - "I trust your IDs, so your employees can enter my building."

Trust Types

  • Parent-Child: Automatic, two-way between parent and child domains
  • Tree-Root: Between root domains of different trees
  • Shortcut: Optimizes authentication paths between distant domains in large forests
  • External: Between domains in different forests
  • Forest: Between entire forests

Trust Direction

One-way trust: A trusts B
    Domain A (trusting) <---- Domain B (trusted)
    Users in B can access A, but NOT vice versa

Two-way trust: A trusts B AND B trusts A
    Domain A <----> Domain B
    Users in both can access each other

Trust Attack Surface

Trusts are often misconfigured. Two-way trusts especially are dangerous - compromise one domain, pivot to the other. We'll cover trust attacks in later lessons.
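To reason about which accounts can reach which domain, it helps to model trusts as directed edges and walk them in the trusted-to-trusting direction described above. This added example (not code from the original lesson) does that over a constructed trust table for the corp.local forest plus a one-way external trust to a hypothetical partner.com; it also lists the two-way pairs the passage above flags. The transitivity model is simplified: intra-forest and forest trusts chain, external trusts admit only the directly trusted domain's own accounts.

```python
from collections import deque

# Constructed trust table for illustration only (not a real environment).
# Each entry is (trusting_domain, trusted_domain, trust_type), using the lesson's
# convention: "A trusts B" means accounts from B can reach resources in A.
TRUSTS = [
    ("corp.local", "us.corp.local", "parent-child"),
    ("us.corp.local", "corp.local", "parent-child"),
    ("corp.local", "eu.corp.local", "parent-child"),
    ("eu.corp.local", "corp.local", "parent-child"),
    ("corp.local", "partner.com", "external"),  # one-way: corp trusts partner
]

# Simplified transitivity model (assumption): these trust types chain, external ones do not.
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}

def can_access(user_domain, resource_domain, trusts=TRUSTS):
    """Return the chain of domains along which accounts from user_domain can reach
    resource_domain, or None. Breadth-first walk, trusted -> trusting on each edge."""
    if user_domain == resource_domain:
        return [user_domain]
    hops = {}
    for trusting, trusted, ttype in trusts:
        hops.setdefault(trusted, []).append((trusting, ttype in TRANSITIVE))
    queue, seen = deque([[user_domain]]), {user_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in hops.get(path[-1], []):
            # A non-transitive trust cannot be crossed by accounts routed via another domain.
            if not transitive and len(path) > 1:
                continue
            if nxt == resource_domain:
                return path + [nxt]
            if transitive and nxt not in seen:  # keep walking only through transitive hops
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def two_way_trusts(trusts=TRUSTS):
    """Domain pairs that trust each other in both directions: the case the lesson
    flags, since either side becomes a path into the other."""
    directed = {(a, b) for a, b, _ in trusts}
    return sorted({tuple(sorted(p)) for p in directed if (p[1], p[0]) in directed})
```

Note that partner.com accounts reach corp.local directly but not us.corp.local, because the external trust does not chain into the child domains.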

Key AD Services

  • LDAP (389/636): Query and modify directory data
  • Kerberos (88): Authentication protocol
  • DNS (53): Name resolution (AD-integrated)
  • SMB (445): File sharing, Group Policy
  • RPC (135, dynamic): Remote procedure calls
  • Global Catalog (3268/3269): Forest-wide search

```bash
# Key ports to scan
nmap -p 53,88,135,139,389,445,464,636,3268,3269 target

# These ports indicate a Domain Controller:
# 88 (Kerberos), 389 (LDAP), 636 (LDAPS), 3268/3269 (GC)
```

AD Replication

Multiple DCs replicate data between each other for redundancy. This replication is exploitable via DCSync attacks - we pretend to be a DC and request the password database.

Replication Flow:
DC1 (Primary) <---> DC2 (Secondary)
     ^                    ^
     |                    |
     +-----> DC3 <--------+

All DCs have identical copies of:
├── User credentials (NTLM hashes)
├── Computer accounts
├── Group memberships
├── Group policies
└── KRBTGT password (golden ticket key)

Knowledge Check

Quick Quiz

What is the difference between a domain and a forest?

Challenges

Map the Domain

Challenge (beginner)

Given access to a domain-joined machine, identify: domain name, domain controller(s), forest structure, and trust relationships.


Key Takeaways

  • Active Directory is the backbone of most enterprise networks
  • A forest contains domains that share schema and global catalog
  • Domain Controllers store the AD database (NTDS.dit) with all credentials
  • Trusts allow cross-domain access and are often misconfigured
  • Domain Admins control one domain; Enterprise Admins control the forest
  • Key ports: 88 (Kerberos), 389 (LDAP), 445 (SMB), 636 (LDAPS)