# Active Directory (AD)

## What is Active Directory?

**Active Directory (AD)** is a system that allows an administrator to manage a set of computers and users connected to the same network from a central server.

```
       ____                         __ 
  o   |    |                       |==|
 /|\  |____| <--------.    .-----> |  |
 / \  /::::/          |    |       |__|
                      v    v
                       .---.
                      /   /|
                     .---. |
                     |   | '
                     |   |/ 
                     '---'  
       ____          ^    ^        ____ 
  o   |    |         |    |       |    |  \o/
 /|\  |____| <-------'    '-----> |____|   | 
 / \  /::::/                      /::::/  / \
```

The above diagram is known as a domain. A **domain** is a set of connected computers that share an Active Directory database, which is managed by the central servers of the domain, called **domain controllers**.

## Physical AD Components

### Domain Controller

A **domain controller** is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:

* host a copy of the AD DS
* provide authentication and authorization services (Kerberos)
* replicate updates to other domain controllers in the domain and forest
* allow administrative access to manage user accounts and network resources

### AD DS

The **AD DS** contains the database files and processes that store and manage directory information for users, services, and applications. It:

* consists of the `Ntds.dit` file
* is stored by default in the `%SystemRoot%\NTDS` folder on all domain controllers
* is accessible only through the domain controller processes and protocols

## Logical AD Components

### AD Schema

The **AD DS schema**:

* defines every type of object that can be stored in the directory
* enforces rules regarding object creation and configuration

For example:

| Objects Types    | Function                                      | Examples       |
| ---------------- | --------------------------------------------- | -------------- |
| Class Object     | What objects can be created in the directory  | User, Computer |
| Attribute Object | Information that can be attached to an object | Display name   |

### Domains

**Domains** are used to group and manage objects in an organization. A domain is:

* an administrative boundary for applying policies to groups of objects
* a replication boundary for replicating data between domain controllers
* an authentication and authorization boundary that provides a way to limit the scope of access to resources

### Trees

A **tree** is a hierarchy of domains in AD DS. All domains in the tree:

* share a contiguous namespace with the parent domain
* can have additional child domains
* by default create a two-way transitive trust with other domains

### Forests

A **forest** is a collection of one or more domain trees. Forests:

* share a common schema
* share a common configuration partition
* share a common global catalog to enable searching
* enable trusts between all domains in the forest
* share the Enterprise Admins and Schema Admins groups

### Organizational Units (OUs)

**OUs** are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:

* represent your organization hierarchically and logically
* manage a collection of objects in a consistent way
* delegate permissions to administer groups of objects
* apply policies

### Trusts

**Trusts** provide a mechanism for users to gain access to resources in another domain. Types of trusts:

![Types of Trusts](/files/8T4TcTUht3b9QINDiAWt)

* All domains in a forest trust all other domains in the forest
* Trusts can extend outside the forest

### Objects

![Objects](/files/Z6tqTFboE4ZS8CAfJilM)

## NTLM Authentication

**NTLM (NT LAN Manager)** authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.

NTLM authentication is composed of 3 messages/phases: `NEGOTIATE`, `CHALLENGE` and `AUTHENTICATE`:

```
                         Client               Server
                           |                    |
 AcquireCredentialsHandle  |                    |
           |               |                    |
           v               |                    |
 InitializeSecurityContext |                    |
           |               |     NEGOTIATE      |
           '-------------> | -----------------> | ----------.
                           |     - flags        |           |
                           |                    |           v
                           |                    | AcceptSecurityContext
                           |                    |           |
                           |                    |       challenge
                           |     CHALLENGE      |           |
           .-------------- | <----------------- | <---------'
           |               |   - flags          |
       challenge           |   - challenge      |
           |               |   - server info    |
           v               |                    |
 InitializeSecurityContext |                    |
       |       |           |                    |
    session  response      |                    |
      key      |           |    AUTHENTICATE    |
       '-------'---------> | -----------------> | ------.--------.
                           |   - response       |       |        |
                           |   - session key    |       |        |
                           |     (encrypted)    |   response  session
                           |   - attributes     |       |       key
                           |     + client info  |       |        |
                           |     + flags        |       v        v
                           |   - MIC            | AcceptSecurityContext
                           |                    |           |
                           |                    |           v
                           |                    |           OK
                           |                    |
```
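As an added illustration (not code from the original page), the following Python simulates the CHALLENGE and AUTHENTICATE steps of the diagram for NTLMv2 as specified in MS-NLMP: the client proves possession of the NT hash without ever sending it, and the server recomputes the same proof from its stored copy to derive the session base key. The NT hash, user name, domain and challenges are constructed placeholder values, and the NEGOTIATE flags and key-exchange encryption of the session key are not modelled.

```python
import hmac, hashlib, os, struct, time

# Constructed placeholder values for the simulation (not real credentials).
# A real NT hash is MD4(UTF-16LE(password)); MD4 is missing from many Python builds, so a fixed value is used.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "alice", "CORP"

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def av_pairs(nb_domain: str) -> bytes:
    """Minimal TargetInfo from the CHALLENGE message: MsvAvNbDomainName (0x0002) followed by MsvAvEOL."""
    value = nb_domain.encode("utf-16-le")
    return struct.pack("<HH", 2, len(value)) + value + struct.pack("<HH", 0, 0)

def client_authenticate(nt_hash, user, domain, srv_chal, client_chal, target_info, filetime):
    """Client side: build NtChallengeResponse = NTProofStr || temp and derive the session base key."""
    key = ntowf_v2(nt_hash, user, domain)
    # temp blob layout: version 0x0101, 6 zero bytes, FILETIME, client challenge, 4 zero bytes, AV pairs, 4 zero bytes
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_chal
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac_md5(key, srv_chal + temp)
    return nt_proof + temp, hmac_md5(key, nt_proof)  # (response, SessionBaseKey)

def server_verify(stored_hash, user, domain, srv_chal, response):
    """Server side (AcceptSecurityContext): recompute NTProofStr from the stored hash; None means reject."""
    key = ntowf_v2(stored_hash, user, domain)
    nt_proof, temp = response[:16], response[16:]
    if not hmac.compare_digest(hmac_md5(key, srv_chal + temp), nt_proof):
        return None
    return hmac_md5(key, nt_proof)

def run_exchange(server_stored_hash=NT_HASH, tamper=False):
    """Drive CHALLENGE -> AUTHENTICATE; return (accepted, both sides derived the same session key)."""
    srv_chal = os.urandom(8)                                   # CHALLENGE: 8 random bytes from the server
    filetime = int((time.time() + 11644473600) * 10_000_000)   # Windows FILETIME (100 ns units since 1601)
    response, client_key = client_authenticate(NT_HASH, USER, DOMAIN, srv_chal, os.urandom(8),
                                               av_pairs(DOMAIN), filetime)
    if tamper:  # flip one bit of the client-supplied blob in transit; the server must notice
        response = response[:16] + bytes([response[16] ^ 0x01]) + response[17:]
    server_key = server_verify(server_stored_hash, USER, DOMAIN, srv_chal, response)
    return server_key is not None, server_key == client_key

if __name__ == "__main__":
    print(run_exchange(), run_exchange(tamper=True))
```

Note that the server needs only the stored NT hash, never the password, which is why protecting the hash is as important as protecting the password itself.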

## Kerberos Authentication

While NTLM authentication works on a challenge-response principle, Windows-based Kerberos authentication uses a **ticket** system. Kerberos focuses on the use of tokens called "tickets" that allow a user to be authenticated against a principal. At a high level, Kerberos client authentication to a service in AD involves the use of a domain controller in the role of a **key distribution center (KDC)**.

## Reference

{% embed url="https://zer1t0.gitlab.io/posts/attacking_ad/" %}
Attacking Active Directory: 0 to 0.9 - zer1t0
{% endembed %}
