THM – Active Directory Basics – Part 18

This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to and take the courses there.


Active Directory is the directory service for Windows Domain Networks.

What is Active Directory?

It’s a collection of machine and servers connected inside of domains, that are part of a bigger forest of domains, that make up the Active Directory network. AD contains many functions:

  • Domain Controllers
  • Forest, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

Why use Active Directory

It allows for the control and monitoring of their users computers through a single domain controller. Allows a single user to sign in to any computer on the active directory network and have access to stored files and folders in the server, as well as the local storage on that machine. Allows for any user in the company to use any machine that the company owns, without having to set up multiple users on a machine.

Physical Active Directory

Domain Controllers

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory – Control the rest of the domain. Tasks for the domain controller:

  • Holds the AD DS data store
  • Handles authentication and authorization services
  • Replicate updates from other domain controllers in the forest
  • Allows admin access to manage domain resources

AD DS Data Store

Active Directory Data Store holds the databases and process needed to store and manage directory information such as users, groups and services. Content and characteristics of AD DS Data Store:

  • Contain the NTDS.dit – a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users.
  • Stores by default in %SystemRoot%\NTDS
  • Accessible only by the domain controller

The Forest

Forest is what defines everything; container that holds all the other bits and pieces of the network together. Without the forest all the trees and domains would not be able to interact.

Forest Overview

A forest is a collection of one or more domain trees inside of an Active Directory network. It categorizes the parts of the network as a whole.

Forest consists of these parts:

  • Trees – a hierarchy of domains in Active Directory Domain Services
  • Domains – Used to group and manage objects
  • Organization Units (OUs) – Containers for groups, computers, users, printers and other OUs
  • Trusts – Allow users to access resources in other domains
  • Objects – Users, groups, printers, computers, shares
  • Domain services – DNS server, LLMNR IPv6
  • Domain Schema – Rules for object creation

Users + Groups

Users Overview

Users are the core to AD. No users – no need for AD. Four main types of users in AD network. Can be more depending on how a company manages the permissions of its users. Four type of users:

  • Domain Admins – they control the domains and are the only ones with access to the domain controller.
  • Service Accounts (Can be Domain Admins) – These are for the most part never used except for service maintenance, they are required by Windows for services such as SQL to pair a service with a service account
  • Local Administrators – These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller
  • Domain Users – These are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.

Groups overview

Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. Two types of AD groups:

  • Security Groups – These groups are used to specify permissions for a large number of users
  • Distribution Groups – These groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us but can still be beneficial in enumeration

Trusts + Policies

Help the domain and trees communicate with each other and maintain security inside of the network.

Domain Trust Overview

Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. Trust outlines the way that the domains inside of a forest communicate to each other. Trusts can in some environments extend out to external domains and even forests in some cases.

Two types of trusts that determine how the domains communicate:

  • Directional – The direction of the trust flows from a trusting domain to a trusted domain
  • Transitive – The trust relationship expands beyond just two domains to include other trusted domains

Domain Policies Overview

Dictate how the server operates and what rules it will and will not follow. Acts as a rulebook for AD that a domain admin can modify and alter as necessary.

Active Directory Domain Services + Authentication

AD DS are the core functions of Active Directory network; allow for management of the domain, security certificates, LDAPs and much more.

Domain services are services that the domain controller provides to the rest of the domain or tree. Default domain services:

  • LDAP – Lightweight Directory Access Protocol; provides communication between applications and directory services
  • Certificate Services – allows the domain controller to create, validate, and revoke public key certificates
  • DNS, LLMNR, NBT-NS – Domain Name Services for identifying IP hostnames

Domain Authentication Overview

Most important part of AD – and most vulnerable part – is the authentication protocols. Two main types of authentications in place for AD: NTLM and Kerberos.

  • Kerberos – The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
  • NTLM – default Windows authentication protocol uses an encrypted challenge/response protocol

AD in the cloud

Windows Server ADAzure AD
OU TreeFlat Structure
Domains and ForestsTenants

Similar Posts