# Active Directory (AD)

## What is Active Directory? <a href="#what-is-active-directory" id="what-is-active-directory"></a>

**Active Directory (AD)** is a system that allows an organization to manage a set of computers and users connected to the same network from a central server.

```
       ____                         __ 
  o   |    |                       |==|
 /|\  |____| <--------.    .-----> |  |
 / \  /::::/          |    |       |__|
                      v    v
                       .---.
                      /   /|
                     .---. |
                     |   | '
                     |   |/ 
                     '---'  
       ____          ^    ^        ____ 
  o   |    |         |    |       |    |  \o/
 /|\  |____| <-------'    '-----> |____|   | 
 / \  /::::/                      /::::/  / \
```

The above diagram shows a domain. A **domain** is a set of connected computers that share an Active Directory database, which is managed by the domain's central servers, called **domain controllers**.

## Physical AD Components

### Domain Controller

A **domain controller** is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:

* host a copy of the AD DS
* provide authentication and authorization services (Kerberos)
* replicate updates to other domain controllers in the domain and forest
* allow administrative access to manage user accounts and network resources

### AD DS

The **AD DS** contains the database files and processes that store and manage directory information for users, services, and applications. It:

* consists of the `Ntds.dit` file
* is stored by default in the `%SystemRoot%\NTDS` folder on all domain controllers
* is accessible only through the domain controller processes and protocols

## Logical AD Components

### AD Schema

The **AD DS schema**:

* defines every type of object that can be stored in the directory
* enforces rules regarding object creation and configuration

For example:

| Object Types     | Function                                      | Examples       |
| ---------------- | --------------------------------------------- | -------------- |
| Class Object     | What objects can be created in the directory  | User, Computer |
| Attribute Object | Information that can be attached to an object | Display name   |

### Domains

**Domains** are used to group and manage objects in an organization. A domain is:

* an administrative boundary for applying policies to groups of objects
* a replication boundary for replicating data between domain controllers
* an authentication and authorization boundary that provides a way to limit the scope of access to resources

### Trees

A **tree** is a hierarchy of domains in AD DS. All domains in the tree:

* share a contiguous namespace with the parent domain
* can have additional child domains
* by default create a two-way transitive trust with other domains

### Forests

A **forest** is a collection of one or more domain trees. Forests:

* share a common schema
* share a common configuration partition
* share a common global catalog to enable searching
* enable trusts between all domains in the forest
* share the Enterprise Admins and Schema Admins groups

### Organizational Units (OUs)

**OUs** are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:

* represent your organization hierarchically and logically
* manage a collection of objects in a consistent way
* delegate permissions to administer groups of objects
* apply policies

### Trusts

**Trusts** provide a mechanism for users to gain access to resources in another domain. Types of trusts:

![Types of Trusts](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVjG_njKgBtvmnKaJh%2Fuploads%2Fco6hZ14pFUmqowKP0QrK%2Fimage.png?alt=media\&token=3e9d4327-ca70-454d-ac8f-e67b3d73d2c4)

* All domains in a forest trust all other domains in the forest
* Trusts can extend outside the forest

### Objects

![Objects](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWVjG_njKgBtvmnKaJh%2Fuploads%2F8g73kI0TBK0ijzHgqnLr%2Fimage.png?alt=media\&token=774f2192-46fa-47bf-8364-7fd505d1edf2)

## NTLM Authentication

**NTLM (NT LAN Manager)** authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.

NTLM authentication consists of three messages/phases: `NEGOTIATE`, `CHALLENGE` and `AUTHENTICATE`:

```
                         Client               Server
                           |                    |
 AcquireCredentialsHandle  |                    |
           |               |                    |
           v               |                    |
 InitializeSecurityContext |                    |
           |               |     NEGOTIATE      |
           '-------------> | -----------------> | ----------.
                           |     - flags        |           |
                           |                    |           v
                           |                    | AcceptSecurityContext
                           |                    |           |
                           |                    |       challenge
                           |     CHALLENGE      |           |
           .-------------- | <----------------- | <---------'
           |               |   - flags          |
       challenge           |   - challenge      |
           |               |   - server info    |
           v               |                    |
 InitializeSecurityContext |                    |
       |       |           |                    |
    session  response      |                    |
      key      |           |    AUTHENTICATE    |
       '-------'---------> | -----------------> | ------.--------.
                           |   - response       |       |        |
                           |   - session key    |       |        |
                           |     (encrypted)    |   response  session
                           |   - attributes     |       |       key
                           |     + client info  |       |        |
                           |     + flags        |       v        v
                           |   - MIC            | AcceptSecurityContext
                           |                    |           |
                           |                    |           v
                           |                    |           OK
                           |                    |
```

## Kerberos Authentication

While NTLM authentication works on a challenge-response principle, Windows-based Kerberos authentication uses a **ticket** system. Kerberos relies on tokens called "tickets" that allow a user to be authenticated to a principal. At a high level, Kerberos client authentication to a service in AD involves the use of a domain controller in the role of a **key distribution center (KDC)**.

## Reference

{% embed url="https://zer1t0.gitlab.io/posts/attacking_ad/" %}
Attacking Active Directory: 0 to 0.9 - zer1t0
{% endembed %}
