# Active Directory

Active Directory is a distributed, hierarchical structure that enables centralized management of an organization's resources (including users, computers, groups, network devices and file shares, group policies, servers and workstations, and trusts).

***

## Organization

Active Directory is **organized** into:

* <mark style="color:green;">**Forest**</mark> (**one** or **more domains**)
  * Every single object created in Active Directory is identified by a **Globally Unique Identifier** (**GUID**).
  * <mark style="color:green;">**Tree**</mark> hierarchical structure (a **domain** with related **subdomains**)\
    Formed by:
    * <mark style="color:orange;">**Organizational Units**</mark> (<mark style="color:orange;">OUs</mark>)\
      Containers to organize users and machines.\
      Keep in mind that a user can only be part of one organizational unit at a time.\
      **GUI**: *Active Directory Users and Computers*
      * Default: <mark style="color:orange;">Builtin</mark>, <mark style="color:orange;">Computers</mark>, <mark style="color:orange;">Domain Controllers</mark>, <mark style="color:orange;">Users</mark>, <mark style="color:orange;">Managed Service Account</mark>.
      * Others that can be created.
    * <mark style="color:red;">**Security Principals**</mark>, which can be assigned to <mark style="color:orange;">OUs</mark>.
      * Everything the operating system can authenticate; each one has a [<mark style="color:red;">**Security Identifier**</mark>](https://ldapwiki.com/wiki/Wiki.jsp?page=Well-known%20Security%20Identifiers) (<mark style="color:red;">**SID**</mark>).\
        **GUI**: *Active Directory Users and Computers*
      * <mark style="color:red;">Users</mark>:\
        They can be authenticated by the domain and have privileges on resources (they are People or Services).
      * <mark style="color:red;">Computers</mark>:\
        An account is assigned to the machines.\
        Machine accounts are local administrators on the assigned machines.\
        Note that having SYSTEM-level access on a host within a domain environment is almost equivalent to having a domain user account, as it is essentially just another type of user account.\
        Machine: `DC01`\
        Machine Account: `DC01$`
      * <mark style="color:red;">Groups</mark>:\
        Definition of groups to which users, machines and other groups can belong.\
        Used to grant permissions on resources.
        * Default: Domain Admins, Server Operators, Backup Operators, Account Operators, Domain Users, Domain Computers, Domain Controllers, [etc](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups).
    * <mark style="color:purple;">**Group Policy Objects**</mark> (<mark style="color:purple;">GPOs</mark>)\
      A collection of settings that can be applied to Users, Computers, Groups and even <mark style="color:orange;">OUs</mark>.\
      **GUI**: *Group Policy Management (for local and AD management)*
      * They are applied in the following order of precedence:

        1. Local Security Policy
        2. Site Policy
        3. Domain Policy
        4. Parent OU Policy
        5. Child OU Policy
        6. Link Order

        Those processed last take precedence because they can overwrite the settings of any GPO higher up in the hierarchy.\
        The `Enforced` option prevents lower levels from overwriting the GPO's settings.\
        The `Block inheritance` option stops a container from inheriting the policies linked higher up.\
        `Enforced` takes precedence over `Block inheritance`.\
        By default, updates run every 90 minutes with a random offset of +/- 30 minutes for users and computers (`gpupdate /force` forces an immediate update on the machine).
    * The 5 roles <mark style="color:blue;">**Flexible Single Master Operations**</mark> (<mark style="color:blue;">FSMO</mark>)
      * <mark style="color:blue;">Schema Master</mark>\
        It is responsible for making changes to the Active Directory schema. The schema is the formal definition of all objects and attributes that can be created in the directory.
      * <mark style="color:blue;">Domain Naming Master</mark>\
        It manages domain names and ensures that no two domains with the same name are created in the same forest.
      * <mark style="color:blue;">RID Master</mark> (<mark style="color:blue;">Relative ID Master</mark>)\
        It is responsible for distributing pools of RIDs (Relative Identifiers), which are combined together with the SIDs of domain objects to create the unique SID for users, groups or computers in the domain, verifying that they are not duplicated.\
        Ex. `S-1-5-21-3842939050-3880317879-2865463114-`**`1111`** (domain SID + **user RID**) = user SID
      * <mark style="color:blue;">PDC Emulator</mark> (<mark style="color:blue;">Primary Domain Controller Emulator</mark>)\
        The host with this role is the authoritative DC in the domain: it responds to authentication requests and password changes, and manages <mark style="color:purple;">GPOs</mark>. It also manages time synchronization within the domain.
      * <mark style="color:blue;">Infrastructure Master</mark>\
        This role translates GUIDs, SIDs and DNs between domains. It is responsible for managing cross-references between objects of different domains within a forest, so that they can refer to each other.
    * <mark style="color:yellow;">**Domain Controller**</mark> (<mark style="color:yellow;">DC</mark>)\
      Server on which Active Directory runs and from which the AD domain is managed. It is the brain of an AD network and manages security, authentication, and authorization of users and resources. It also enforces security policies and stores information about every other object in the domain.
      * <mark style="color:yellow;">Primary Domain Controller</mark>\
        There can be several Domain Controllers.\
        However, there is only one Primary Domain Controller, that of the `PdcRoleOwner` property of <mark style="color:blue;">FSMO</mark>.
      * <mark style="color:yellow;">Active Directory Domain Service</mark> (ADDS)\
        It is the main component of Active Directory and allows the DC to manage user authentication, resource management, and network organization in a centralized way. It functions as a catalog containing all the information of all the objects that exist on the AD network.\
        *“Active Directory Users and Computers”* is basically the graphical interface of the Active Directory Domain Service.
      * <mark style="color:yellow;">Key Distribution Center</mark> (KDC)\
        The KDC is a key part of the Active Directory authentication system and is usually hosted within DCs, where it handles authentication, key distribution, and Ticket management operations. (`KRBTGT` account)
      * <mark style="color:yellow;">NTDS.dit</mark> in `C:\Windows\NTDS`. \
        Stored within the DC is the NTDS.dit file, a database that stores all object information (ex, passwords). This database is synchronized among all Domain Controllers within a domain.
      * <mark style="color:yellow;">SYSVOL</mark> \
        This is a key directory that stores copies of public files in the domain, such as system policies, Group Policy settings, login/disconnect scripts, and even other scripts. The contents of the SYSVOL directory are replicated to all DCs in the environment via File Replication Services (FRS). A structure can be found [HERE](https://networkencyclopedia.com/sysvol-share/).
      * <mark style="color:yellow;">Global Catalog</mark> (GC)\
        It is a DC that stores copies of all objects in an Active Directory forest. A standard domain controller holds a complete replica of the objects that belong to its own domain, but not of those in the other domains of the forest; the GC instead contains objects from every domain in the forest. It thus serves authentication, authorization and object searches across the forest.
  * <mark style="color:green;">**Trust**</mark>\
    *(e.g., in acquisitions it is easier to grant access through trusts than to recreate all the users from scratch)*

    **`Transitive`**: The trust is extended to the objects that the child domain trusts.\
    **`Bidirectional`**: Users of both trusting domains can access resources.

    * <mark style="color:green;">Parent-child</mark>\
      Between domains within the same forest, such as domain and subdomain. *(transitive and bidirectional)*
    * <mark style="color:green;">Cross-link</mark> \
      Between two subdomains of a forest.
    * <mark style="color:green;">External</mark> \
      Between two separate domains in different forests, which are not joined by a Forest trust. This type of trust uses SID filtering. *(non-transitive)*
    * <mark style="color:green;">Tree-root</mark> \
      Between a forest root domain and a tree-root domain. *(transitive and bidirectional)*
    * <mark style="color:green;">Forest</mark> \
      Between two distinct forest root domains. *(transitive)*

    It is important to note that the presence of a trust relationship between domains does not automatically guarantee access to all resources on other domains. Once a trust relationship is established, you have the ability to authorize users on different domains, but it is up to you to decide what is actually authorized or not.
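The GPO precedence rules described in the Group Policy Objects item above (Local, Site, Domain, parent OU, child OU, link order; `Enforced` beating `Block inheritance`) are easier to reason about as a small simulator. The following is an added example written for this page, not code from the page's author or from Windows: it models a constructed hierarchy (Domain, `OU=Corp`, `OU=Sales`, with invented GPO names and settings) and reports which policy ends up setting each value, which is exactly the question an administrator answers with the Resultant Set of Policy tooling.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    """One GPO linked to a container. `settings` maps a setting name to the value this GPO sets."""
    name: str
    settings: Dict[str, object]
    enforced: bool = False


@dataclass
class Container:
    """Site, domain or OU on the path to the object. `links` is in GPMC link order
    (link order 1 first; it is processed last and therefore wins among siblings)."""
    name: str
    links: List[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False


def effective_settings(local_policy: Dict[str, object],
                       path: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Simulate the precedence rules: Local -> Site -> Domain -> parent OU -> child OU -> link order.
    Returns the resulting settings and, for each setting, the name of the policy that set it."""
    normal: List[GpoLink] = []    # non-enforced links in processing order
    enforced: List[GpoLink] = []  # enforced links in processing order (highest container first)
    for container in path:
        if container.block_inheritance:
            # Block inheritance discards every non-enforced link from the containers above...
            normal = []
            # ...but enforced links survive: Enforced beats Block inheritance.
        for link in reversed(container.links):  # link order N ... 1
            (enforced if link.enforced else normal).append(link)
    result: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    for key, value in local_policy.items():
        result[key], winner[key] = value, "Local Security Policy"
    # Later processing wins: normal links top-down, then enforced links bottom-up so that an
    # enforced link at a higher level overrides an enforced link further down.
    for link in normal + list(reversed(enforced)):
        for key, value in link.settings.items():
            result[key], winner[key] = value, link.name
    return result, winner


# Constructed sample hierarchy (not from the page): Domain -> OU=Corp -> OU=Sales.
LOCAL_POLICY = {"ScreenSaverTimeout": 900, "AuditLogon": "None"}


def build_path(block_on_sales: bool) -> List[Container]:
    return [
        Container("Site"),
        Container("Domain", [
            GpoLink("Default Domain Policy", {"ScreenSaverTimeout": 600, "AuditLogon": "Success"}),
            GpoLink("Security Baseline", {"ScreenSaverTimeout": 300}, enforced=True),
        ]),
        Container("OU=Corp", [GpoLink("Corp Policy", {"ScreenSaverTimeout": 1200, "Wallpaper": "corp.jpg"})]),
        Container("OU=Sales", [GpoLink("Sales Policy", {"Wallpaper": "sales.jpg"})],
                  block_inheritance=block_on_sales),
    ]


if __name__ == "__main__":
    for blocked in (False, True):
        settings, winners = effective_settings(LOCAL_POLICY, build_path(blocked))
        print(f"Block inheritance on OU=Sales: {blocked}")
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  (from {winners[key]})")
```

With `Block inheritance` on `OU=Sales`, the non-enforced domain and `OU=Corp` policies disappear and `AuditLogon` falls back to the local value, while the enforced `Security Baseline` still wins `ScreenSaverTimeout`; without it, the domain policy supplies `AuditLogon` and the baseline still overrides the later `Corp Policy` value.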

***

## Protocols

The **Protocols** needed in Active Directory are:

### <mark style="color:purple;">**Authentication**</mark>

Whenever a user attempts to authenticate to a service using domain credentials, the service must ask the DC to verify that they are correct.

<details>

<summary><mark style="color:purple;"><strong>Kerberos</strong></mark><br><em>Used by any recent version of Windows. This is the default protocol in any recent domain. It runs on port <mark style="color:purple;"><strong><code>88</code></strong></mark>, TCP and UDP.</em></summary>

`AS-REQ` and `AS-REP`

![](https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2FTKw7wrUU8fLDQNllIOHy%2Fimage.png?alt=media\&token=2eac8684-a6ba-41d6-beac-cb4286f26ab8)

`TGS-REQ` and `TGS-REP`

![](https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2FMBlFPO1AUW90rA59iXF9%2Fimage.png?alt=media\&token=b5788968-ae99-4267-b8db-8ec220c91324)

`AP-REQ` and `AP-REP`

![](https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2F5rSkCIadWPQDZbdARumi%2Fimage.png?alt=media\&token=455f1453-7d58-44e7-be4a-fecd997f76ab)

**Notes**:

* Ticket Granting Ticket (TGT): a forged TGT is what is known as a **Golden** Ticket.\
  The TGT contains information regarding the user, domain, a timestamp, the client IP address, and the session key. It is typically valid for 10 hours.
* Ticket Granting Service (TGS) ticket: a forged service ticket is what is known as a **Silver** Ticket.
* The KDC checks that:
  * the timestamp is not duplicated and is still valid;
  * the username in the TGS-REQ matches the username in the TGT;
  * the IP address of the client matches the IP address in the TGT.
* *Possible details* [*HERE*](https://datacadamia.com/iam/kerberos/kerberos)*.*

</details>

<details>

<summary><mark style="color:purple;"><strong>NetNTLM</strong></mark><br><em>Legacy authentication protocol maintained for compatibility reasons.</em></summary>

**Hash:**

* **`LM`**: DES, 2 blocks of 7 lowercase characters, 69 characters possible.
* **`NTLM`**: MD4, arbitrary length

**Version**:

* **`NTLMv1`**: Uses LM hash (if available) and NTLM for **single challenge-response** authentication with **DES**.
* **`NTLMv2`**: Uses NTLM hash for authentication with **double challenge-response** with **HMAC-MD5** to improve security.

![](https://797548868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhqLG4rHdEASJgZEcYdEJ%2Fuploads%2FJ4BDhDDYfmwW3OFJlg40%2Fimage.png?alt=media\&token=4c600928-c258-4749-8217-1dc753a2d70f)

**Notes**:

* Challenge = Nonce.
* The process described applies when a domain account is used. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since the password hash is stored locally in its SAM.
* NTLM authentication is used when a client authenticates to a server **by IP address** (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the Active Directory-integrated DNS server.

</details>

* <mark style="color:purple;">**Domain Cached Credentials**</mark> (DCC). \
  The last ten hashes of domain credentials are stored to deal with instances of network problems. These hashes, stored in the registry, cannot be used in pass-the-hash attacks and are difficult to decrypt.

### <mark style="color:green;">DNS</mark>

It allows clients and Domain Controllers to locate each other and communicate. DNS resolves host names to IP addresses and vice versa, and provides **`SRV records`** that help clients find DCs and the other services needed for authentication and communication on the network.\
It runs on the usual port <mark style="color:green;">**`53`**</mark>, UDP and TCP.

### <mark style="color:blue;">LDAP</mark>

It is the protocol used to communicate with, access, modify, and query the information stored within a directory service on a network, in this case AD. Authentication-related interaction also takes place through it, and it is sometimes used for authentication itself (LDAP bind).\
It runs on port <mark style="color:blue;">**`389`**</mark> (LDAP) and <mark style="color:blue;">**`636`**</mark> (LDAPS, over SSL), both TCP.\
The Global Catalog is instead served on port <mark style="color:blue;">`3268`</mark> (LDAP Global Catalog) and <mark style="color:blue;">`3269`</mark> (LDAP Global Catalog over SSL), both TCP.\
*(Just as Apache is a web server that uses the HTTP protocol, Active Directory is a directory server that uses the LDAP protocol.)*

We need a specific [LDAP ADsPath](https://learn.microsoft.com/en-us/windows/win32/adsi/ldap-adspath) in order to communicate with the AD service.\
A [DistinguishedName](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names) (**DN**) is a part of the LDAP path and uniquely identifies an object in AD, including the domain itself.

{% code overflow="wrap" %}

```
LDAP://server01/CN=Jeff Smith,CN=users,DC=fabrikam,DC=com
```

{% endcode %}
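The ADsPath and Distinguished Name format shown above is simple until a value contains a comma (`CN=Smith\, Jeff`), which is where hand-rolled `split(",")` code breaks and where access-control or audit scripts silently misattribute objects. The following is an added example written for this page, not code from the page's author or from Microsoft's ADSI library: a small parser that separates the server from the DN, splits the DN into RDNs while honouring RFC 4514 backslash and hex escapes, derives the domain DNS name from the `DC=` components, and re-serialises with correct escaping. Inputs other than the page's own `LDAP://server01/...` path are constructed.

```python
import re
from typing import List, Optional, Tuple

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
Rdn = Tuple[str, str]


def parse_adspath(path: str) -> Tuple[Optional[str], str]:
    """'LDAP://server01/CN=Jeff Smith,CN=users,DC=fabrikam,DC=com' -> ('server01', DN).
    A serverless path ('LDAP://DC=...', resolved via DNS SRV records) returns server=None."""
    if path[:7].upper() != "LDAP://":
        raise ValueError("not an LDAP ADsPath")
    rest = path[7:]
    if "/" in rest:
        server, dn = rest.split("/", 1)
        return server, dn
    return None, rest


def split_dn(dn: str) -> List[Rdn]:
    """Split a DN into (attribute, value) RDNs. '\\,' keeps a literal comma and '\\2C' is the
    hex escape for the same character (single-byte hex escapes only, a simplification)."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                cur.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out: List[Rdn] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        out.append((attr.strip(), value.strip()))
    return out


def escape_value(value: str) -> str:
    """Escape the RFC 4514 special characters so the value survives a round trip."""
    out = value
    for ch in "\\,+\"<>;":  # backslash first, so later escapes are not doubled
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def format_dn(rdns: List[Rdn]) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def domain_dns_name(rdns: List[Rdn]) -> str:
    """Domain DNS name from the DC= components: DC=fabrikam,DC=com -> fabrikam.com."""
    return ".".join(value for attr, value in rdns if attr.upper() == "DC")


if __name__ == "__main__":
    server, dn = parse_adspath("LDAP://server01/CN=Jeff Smith,CN=users,DC=fabrikam,DC=com")
    rdns = split_dn(dn)
    print("server:", server)
    print("RDNs:  ", rdns)
    print("domain:", domain_dns_name(rdns))
    print("parent:", format_dn(rdns[1:]))
```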

### <mark style="color:orange;">MSRPC</mark>

It is Microsoft's version of Remote Procedure Call (RPC): a communication protocol that allows processes running on one computer to communicate with processes running on another computer over the network. It exposes several **`interfaces`**, each a specific implementation of a service that provides methods and functionality for particular operations; some of them are specific to Active Directory.\
It runs on port <mark style="color:orange;">**`135`**</mark>, TCP.

* <mark style="color:orange;">`lsarpc`</mark>\
  A set of RPC calls to the Local Security Authority (LSA) system that manages local security policy on a computer, controls audit policies, and provides interactive authentication services.
* <mark style="color:orange;">`netlogon`</mark>\
  A Windows process that authenticates users and other services in a domain environment. It runs in the background, handling authentication requests.
* <mark style="color:orange;">`samr`</mark>\
  Remote SAM (samr) provides functionality to manage the domain account database, allowing IT administrators to create, read, update, and delete user and group information.
* <mark style="color:orange;">`drsuapi`</mark>\
  The Microsoft API that implements the Directory Replication Service (DRS) protocol for replication between DCs.

***

## Note

Well-known RIDs:

* Groups: `512` = Domain Admins, `519` = Enterprise Admins
* Users: `500` = Administrator
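The RID Master item in the Organization section explains that a user SID is the domain SID plus a RID (`S-1-5-21-...-1111`), and the note above lists the RIDs of the built-in privileged principals. The following added example, written for this page rather than taken from it or from any Microsoft tooling, puts the two together: it splits a SID string into domain SID and RID, converts between the string form and the binary form found in an LDAP `objectSid` attribute, and picks out privileged principals from a constructed log line by RID rather than by name (names can be changed, RIDs cannot). The well-known RID table is Microsoft's published list; the SID used is the one from the page.

```python
import re
import struct
from typing import Dict, List, Tuple

# Well-known RIDs (Microsoft's list); the page's note gives 500, 512 and 519.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}
PRIVILEGED_RIDS = {500, 512, 518, 519}
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """'S-1-5-21-a-b-c-1111' -> (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def format_sid(revision: int, authority: int, subs: List[int]) -> str:
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Domain account SIDs are S-1-5-21-<three 32-bit values>-<RID>: return (domain SID, RID)."""
    revision, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain account SID: {sid}")
    return format_sid(revision, authority, subs[:4]), subs[4]


def describe(sid: str) -> dict:
    domain_sid, rid = split_domain_rid(sid)
    return {"domain_sid": domain_sid, "rid": rid,
            "name": WELL_KNOWN_RIDS.get(rid), "privileged": rid in PRIVILEGED_RIDS}


def decode_binary_sid(blob: bytes) -> str:
    """Binary layout (LDAP objectSid, security descriptors): revision (1 byte), sub-authority
    count (1 byte), identifier authority (48-bit big-endian), then count x 32-bit little-endian."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, blob[8:8 + 4 * count]))
    return format_sid(revision, authority, subs)


def encode_binary_sid(sid: str) -> bytes:
    revision, authority, subs = parse_sid(sid)
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def privileged_sids_in(text: str) -> List[Tuple[str, str]]:
    """Pull domain SIDs out of free text (a log line, an ACL dump) and keep the privileged ones."""
    found = []
    for sid in SID_RE.findall(text):
        rid = split_domain_rid(sid)[1]
        if rid in PRIVILEGED_RIDS:
            found.append((sid, WELL_KNOWN_RIDS[rid]))
    return found


if __name__ == "__main__":
    sid = "S-1-5-21-3842939050-3880317879-2865463114-1111"  # the page's example SID
    print(describe(sid))
    print(encode_binary_sid(sid).hex())
    # Constructed sample line, not a real event record.
    line = "logon: S-1-5-21-3842939050-3880317879-2865463114-500 added S-1-5-21-3842939050-3880317879-2865463114-1111"
    print(privileged_sids_in(line))
```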

***

[Well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids)

[Active Directory PowerShell commands](https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps)

[Cheatsheet](https://wadcoms.github.io/)
