DWSec Wiki
Introduction

Last updated 4 months ago

Active Directory is a directory service for Windows. It can be seen as a distributed system with a hierarchical structure that allows the administration of organizational resources. From a technical viewpoint it is a huge database that every user of a domain can read.

An important security-relevant property is that it is designed to be backward compatible, since large enterprise networks typically contain several major versions of Windows.

Another aspect with a significant impact on security is that any authenticated user can enumerate the directory without special permissions. This allows them to quickly discover misconfigurations and inadequately secured passwords. As a result, network administrators must expend a great deal of effort to adequately manage a corporate network.

Structure

Active Directory is organized in a distributed and hierarchical structure that can be visualized as a tree.

Conceptually, it is important to note that only the forest is the security perimeter: once a domain is compromised, the entire forest is compromised. A forest can contain multiple domains, which in turn contain the objects used for access and interaction (users, groups, computers). A third layer within domains are containers called organizational units (OUs); these are the smallest container structures in Active Directory.

Example tree of a forest:

DWSEC.LOCAL/
├── ADMIN.DWSEC.LOCAL
│   ├── GPOs
│   └── OU
│       └── EMPLOYEES
│           ├── COMPUTERS
│           │   └── KALI01
│           ├── GROUPS
│           │   └── Pentesters
│           └── USERS
│               └── max.mustermann
├── US.DWSEC.LOCAL
└── EU.DWSEC.LOCAL
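The tree above is what you get when the distinguished names (DNs) of the directory objects are nested by their components. The following script is an added example (not code from the DWSec page) that builds and renders such a tree from a constructed list of DNs matching the example forest; the forest root name is passed in explicitly, because a DN by itself does not say where the forest root ends. It also handles the escaped comma that real DNs such as `CN=Doe\, John` contain, which a naive split would break.

```python
"""Build the forest/domain/OU tree of the text from LDAP distinguished names.

Added example, not code from the DWSec page. The DNs below are constructed
to match the page's example forest; the forest root name is passed in
explicitly because a DN alone does not say where the forest root ends.
"""
from __future__ import annotations

# Constructed sample input: one DN per leaf object in the example tree.
SAMPLE_DNS = [
    "CN=KALI01,OU=COMPUTERS,OU=EMPLOYEES,DC=ADMIN,DC=DWSEC,DC=LOCAL",
    "CN=Pentesters,OU=GROUPS,OU=EMPLOYEES,DC=ADMIN,DC=DWSEC,DC=LOCAL",
    "CN=max.mustermann,OU=USERS,OU=EMPLOYEES,DC=ADMIN,DC=DWSEC,DC=LOCAL",
    "DC=US,DC=DWSEC,DC=LOCAL",
    "DC=EU,DC=DWSEC,DC=LOCAL",
]


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, most specific first.

    A backslash escapes the next character, so "CN=Doe\\, John" stays one
    RDN; a naive dn.split(",") would cut it in half.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def build_tree(dns: list[str], forest_root: str) -> dict:
    """Nest the DNs into {name: {child: ...}} from the forest root down.

    DC components are accumulated into dotted domain names: the suffix
    DC=DWSEC,DC=LOCAL becomes the node "DWSEC.LOCAL", and DC=ADMIN in front
    of it becomes the child domain "ADMIN.DWSEC.LOCAL". Suffixes shorter
    than the forest root (here "LOCAL") are not turned into nodes.
    """
    root: dict = {}
    for dn in dns:
        node = root
        dc_parts: list[str] = []
        for attr, value in reversed(parse_dn(dn)):  # walk root -> leaf
            if attr == "DC":
                dc_parts.insert(0, value)
                name = ".".join(dc_parts)
                if forest_root.upper().endswith("." + name.upper()):
                    continue  # still inside the forest root's own suffix
            else:
                name = value
            node = node.setdefault(name, {})
    return root


def render(tree: dict, prefix: str = "") -> list[str]:
    """Render the children of a node in the box-drawing style used in the text."""
    lines: list[str] = []
    names = list(tree)
    for i, name in enumerate(names):
        last = i == len(names) - 1
        lines.append(f"{prefix}{'└── ' if last else '├── '}{name}")
        lines.extend(render(tree[name], prefix + ("    " if last else "│   ")))
    return lines


def render_forest(tree: dict) -> list[str]:
    """Print each top-level domain as 'NAME/' followed by its subtree."""
    lines: list[str] = []
    for name, children in tree.items():
        lines.append(f"{name}/")
        lines.extend(render(children))
    return lines


if __name__ == "__main__":
    print("\n".join(render_forest(build_tree(SAMPLE_DNS, "DWSEC.LOCAL"))))
```

Running the script prints the example forest with the three child domains under DWSEC.LOCAL; only objects that appear in the DN list are rendered, so the GPOs and OU container nodes of the hand-drawn tree are absent here.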

It is common, especially in large enterprise infrastructures, for multiple forests to be connected via trust relationships. For administrators it is usually much easier to grant access through such a trust than to create each user or object several times. This feature should be used with caution, as a misconfigured trust can lead to a massive security risk, resulting in the loss of multiple domains and forests.

See the Objects page for more detailed information about the objects in the Active Directory structure.

Conceptual Functionalities

What are the benefits of such a distributed directory service?

In general, Active Directory provides multiple benefits to an organization:

  • Centralized configuration and access management

  • Mechanisms for authorization

  • Automated application of various guidelines to new and existing devices

  • Integration of files and applications

  • Long history of usage in enterprise networks

Resulting in:

  • Centralized administration

  • Lower costs for organization

Because of these benefits, Active Directory is an essential and probably the most critical asset in an organization's infrastructure. Considering that most Active Directory environments have been in place for decades in large enterprise infrastructures with thousands of users and even more assets, it is easy to imagine how complex the administration can be and how quickly attackers can find holes to compromise a forest.

Roles

To implement these benefits, Active Directory uses five different roles that each provide specific functionality for a domain. These roles are called Flexible Single Master Operation (FSMO) roles and keep Active Directory working:

Schema Master

Manages the read/write copy of the AD schema. The schema defines the possible attributes of all objects.

Domain Naming Master

Manages the naming of domains and also ensures naming consistency (no duplicate names).

Relative ID (RID) Master

Assigns different ranges of RIDs to each domain controller. It also ensures consistency with respect to RIDs.

PDC Emulator

Main DC within a domain: it responds to all authentication and password change requests and manages Group Policy Objects (GPOs).

Infrastructure Master

Translates GUIDs, SIDs and DNs between domains and organizes the communication between the domains of a forest. If this role fails, ACLs show raw SIDs instead of the fully resolved names of the objects.

Domain Functional Levels

Another key concept is the use of domain functional levels to ensure backward compatibility. These are applied at the domain and forest level. They specify which Windows Server version can be installed on a DC and determine compatibility with all objects in the domain.

List of functional levels:

Windows 2000 native, Windows Server 2003, Windows Server 2012, Windows Server 2012 R2

Please note that not all versions are compatible with each other. Further references can be found in the Microsoft Learn articles linked at the end of this page.

Trusts

As mentioned earlier, a trust is the mechanism that lets a user of one domain authenticate to another domain or forest.

For this, AD implements several trust models:

Parent-child
  • Trust between two domains in the same forest.

  • The child domain has a bi-directional and transitive relationship with the parent domain.

Cross-link
  • Trust between child domains.

  • The child domain has a bi-directional and transitive relationship with the parent domain.

External
  • Non-transitive trust between domains that belong to different forests.

  • Note: a trust between the two domains does not imply a trust between their forests.

  • SID filtering is applied to this type of trust.

Tree-root
  • Bi-directional transitive trust between a forest root domain and a new tree root domain. This relationship is created when the tree root domain is added.

Forest
  • Transitive relationship between two forest root domains.

  • Transitive, in the context of AD trusts, means that the trust is extended to the objects that exist in the child domains of the already trusted domain.

    • Non-transitive: only the child domain itself is trusted.

  • Trusts are often misconfigured. This leads to well-known and easily exploitable attack vectors ⚠️
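The difference between transitive and non-transitive trusts, and why a cross-forest trust without SID filtering matters, is easier to see on a small model. The script below is an added example (not code from the DWSec page): it encodes the example forest's parent-child and cross-link trusts plus a constructed, one-way, non-transitive external trust to a made-up domain CORP.PARTNER.COM, computes which domains a user of a given domain can authenticate to, and flags cross-forest trusts with SID filtering disabled. It uses one simplification, stated in the code: a path over several trusts is usable only when every hop on it is transitive.

```python
"""Model which domains a user can authenticate to through AD trusts.

Added example, not code from the DWSec page. The trust list below is
constructed around the page's example forest (DWSEC.LOCAL with three child
domains) plus one constructed external domain, CORP.PARTNER.COM.
Simplification used here: a path over several trusts is usable only when
every hop on it is transitive; a non-transitive trust is never chained.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str           # domain that accepts the other side's users
    trusted: str            # domain whose users are accepted
    kind: str               # parent-child, tree-root, cross-link, external, forest
    transitive: bool
    bidirectional: bool = True
    sid_filtering: bool = True


# Constructed sample: the in-forest trusts of the example tree plus a one-way,
# non-transitive external trust whose SID filtering was switched off.
SAMPLE_TRUSTS = [
    Trust("ADMIN.DWSEC.LOCAL", "DWSEC.LOCAL", "parent-child", transitive=True),
    Trust("US.DWSEC.LOCAL", "DWSEC.LOCAL", "parent-child", transitive=True),
    Trust("EU.DWSEC.LOCAL", "DWSEC.LOCAL", "parent-child", transitive=True),
    Trust("US.DWSEC.LOCAL", "EU.DWSEC.LOCAL", "cross-link", transitive=True),
    Trust("US.DWSEC.LOCAL", "CORP.PARTNER.COM", "external",
          transitive=False, bidirectional=False, sid_filtering=False),
]


def _edges(trusts: list[Trust]):
    """Expand each trust into directed (trusting, trusted, transitive) edges."""
    for t in trusts:
        yield t.trusting, t.trusted, t.transitive
        if t.bidirectional:
            yield t.trusted, t.trusting, t.transitive


def reachable_from(user_domain: str, trusts: list[Trust]) -> set[str]:
    """Domains whose resources a user of user_domain can authenticate to.

    Walks the trust graph backwards from the user's domain: a domain D is
    reached if D trusts the current domain directly (first hop), or if both
    the path so far and the hop into D are transitive.
    """
    edges = list(_edges(trusts))
    # domain -> whether the best path found to it is fully transitive
    reached: dict[str, bool] = {user_domain: True}
    frontier = [user_domain]
    while frontier:
        current = frontier.pop()
        path_transitive = reached[current]
        for trusting, trusted, transitive in edges:
            if trusted != current:
                continue
            if current != user_domain and not (path_transitive and transitive):
                continue  # a non-transitive hop cannot be extended further
            new_flag = path_transitive and transitive
            if trusting in reached and reached[trusting] >= new_flag:
                continue  # already reached on an equally good path
            reached[trusting] = new_flag
            frontier.append(trusting)
    return set(reached)


def audit_trusts(trusts: list[Trust]) -> list[str]:
    """Flag cross-forest trusts that have SID filtering disabled.

    Without SID filtering, the trusting side accepts SIDs in a token that
    the trusted domain does not own, which is the misconfiguration the
    text warns about.
    """
    findings = []
    for t in trusts:
        if t.kind in ("external", "forest") and not t.sid_filtering:
            findings.append(f"{t.trusting} trusts {t.trusted} ({t.kind}) without SID filtering")
    return findings


if __name__ == "__main__":
    for domain in ("DWSEC.LOCAL", "EU.DWSEC.LOCAL", "CORP.PARTNER.COM"):
        print(domain, "->", sorted(reachable_from(domain, SAMPLE_TRUSTS)))
    for finding in audit_trusts(SAMPLE_TRUSTS):
        print("FINDING:", finding)
```

With the constructed data, a user of EU.DWSEC.LOCAL reaches every domain of the forest through the transitive parent-child and cross-link trusts, while a user of CORP.PARTNER.COM reaches only US.DWSEC.LOCAL, because the external trust is non-transitive and is not chained into the rest of the forest; the audit reports that same external trust for its disabled SID filtering.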

A comprehensive glossary of terms commonly used in the Active Directory environment can be found on the following page:

Linked pages: Objects; Glossary of terms.

References: Understanding Active Directory Functional Levels (Microsoft Learn); Active Directory Domain Services Functional Levels in Windows Server (Microsoft Learn).

Figure caption: Structure of multiple domains with different trust relations in a forest. The first domain is the root domain.