Active Directory

Active Directory is a distributed, hierarchical structure that enables centralized management of an organization's resources (including users, computers, groups, network devices and file shares, group policies, servers and workstations, and trusts).


Organization

Active Directory is organized into:

  • Forest (one or more domains)

    • Every object created in Active Directory is identified by a Globally Unique Identifier (GUID), which does not change when the object is renamed or moved.

    • Tree: a hierarchical structure formed by a domain and its related subdomains, sharing a contiguous DNS namespace. Each domain is made up of:

      • Organizational Units (OUs): containers used to organize users, computers and groups, and the smallest scope to which a GPO can be linked or administration delegated. An object can belong to only one OU at a time. GUI: Active Directory Users and Computers

        • Default: Builtin, Computers, Domain Controllers, Users, Managed Service Accounts. Of these only Domain Controllers is a real OU; the others are plain containers, so GPOs cannot be linked to them (a computer left in the default Computers container receives only site- and domain-linked policy).

        • Others that can be created.

      • Security Principals, which are placed in OUs (or in the default containers).

        • Anything the operating system can authenticate; each one has a Security Identifier (SID). GUI: Active Directory Users and Computers

        • Users: accounts the domain can authenticate and grant privileges on resources; they represent people or services.

        • Computers: every domain-joined machine gets its own account, named after the host with a trailing $ (Machine: DC01, Machine Account: DC01$). Its password is set by the machine itself and rotated automatically. Machine accounts are local administrators on their own host, and SYSTEM on a domain-joined host authenticates to the domain as that machine account, so SYSTEM-level access on a host is nearly equivalent to holding a domain user account: it is just another kind of account that can query and authenticate to the directory.

        • Groups: collections of users, machines and other groups, used to grant permissions on resources in one place instead of per account.

          • Default: Domain Admins, Server Operators, Backup Operators, Account Operators, Domain Users, Domain Computers, Domain Controllers, etc.

      • Group Policy Objects (GPOs) A collection of user and computer settings. GPOs are linked to sites, domains and OUs (not directly to users, computers or groups); which objects inside the linked container actually receive them is narrowed with security filtering (groups) and WMI filters. GUI: Group Policy Management for domain GPOs, Local Security Policy / gpedit.msc for the local policy

        • They are processed in the following order (LSDOU):

          1. Local Security Policy

          2. Site Policy

          3. Domain Policy

          4. Parent OU Policy

          5. Child OU Policy

          6. Link Order (among GPOs linked to the same container, the one with link order 1 is applied last)

          Those processed last take precedence because they can overwrite the settings of any GPO processed earlier in the hierarchy. The Enforced option on a link prevents lower levels from overriding that GPO: enforced GPOs are applied after everything else, and among them the one linked highest in the hierarchy is applied last. The Block Inheritance option on a domain or OU stops the non-enforced GPOs from higher levels from applying to it. Enforced wins over Block Inheritance. Clients refresh policy every 90 minutes plus a random offset of up to 30 minutes (domain controllers every 5 minutes); gpupdate /force reapplies all settings on the machine immediately.

      • The 5 Flexible Single Master Operations (FSMO) roles: two are forest-wide (Schema Master, Domain Naming Master) and three exist once per domain (RID Master, PDC Emulator, Infrastructure Master)

        • Schema Master It is responsible for changes to the Active Directory schema, the formal definition of every object class and attribute that can exist in the directory. One per forest.

        • Domain Naming Master It adds and removes domains in the forest and ensures that no two domains with the same name are created in the same forest. One per forest.

        • RID Master (Relative ID Master) It hands out pools of RIDs (Relative Identifiers) to the DCs of the domain. A DC creating a user, group or computer appends the next RID from its pool to the domain SID, which yields the object's unique SID without two DCs ever issuing the same one. Ex. S-1-5-21-3842939050-3880317879-2865463114 (domain SID) + 1111 (RID) = S-1-5-21-3842939050-3880317879-2865463114-1111 (user SID). One per domain.

        • PDC Emulator (Primary Domain Controller Emulator) The host with this role is the authoritative DC in the domain: password changes are replicated to it first and a DC that rejects a password checks with it before failing the logon, account lockouts are processed on it, it is the default DC on which GPOs are edited, and it is the time source for the domain (the forest root's PDC Emulator for the whole forest). One per domain.

        • Infrastructure Master It keeps cross-domain references up to date, mapping the GUID, SID and DN of objects from other domains that are referenced in this one (e.g. users of another domain that are members of a local group), so that objects in different domains of a forest can refer to each other. One per domain.

      • Domain Controller (DC) Server on which Active Directory runs and from which the AD domain is managed. It is the brain of an AD network and manages security, authentication, and authorization of users and resources. It also enforces security policies and stores information about every other object in the domain.

        • Primary Domain Controller There can be several Domain Controllers, and in current Active Directory they are all writable peers, so there is no Primary Domain Controller as such. The DC holding the PDC Emulator FSMO role (exposed as the PdcRoleOwner property of the Domain object in the .NET System.DirectoryServices.ActiveDirectory API) plays that role, and there is only one per domain.

        • Active Directory Domain Service (ADDS) It is the main component of Active Directory and allows the DC to manage user authentication, resource management, and network organization in a centralized way. It functions as a catalog containing the information of every object that exists on the AD network. "Active Directory Users and Computers" is basically the graphical interface of the Active Directory Domain Service.

        • Key Distribution Center (KDC) The KDC is the core of Kerberos authentication in Active Directory and runs on every DC, where it handles authentication (AS exchange), ticket issuing (TGS exchange) and session-key distribution. Its own long-term key is the password hash of the KRBTGT account, which is what every TGT is encrypted with.

        • NTDS.dit in C:\Windows\NTDS. Stored on every DC, this database holds all object information, including password hashes (NT hashes and Kerberos keys). Changes are replicated between all Domain Controllers of the domain.

        • SYSVOL This is a key directory (C:\Windows\SYSVOL, shared as \\<domain>\SYSVOL) that stores the domain's public files: system policies, Group Policy templates and settings, logon/logoff scripts, and other scripts. Its contents are replicated to all DCs in the environment, historically via File Replication Service (FRS) and via DFS Replication (DFS-R) on current domain functional levels. A structure can be found HERE.

        • Global Catalog (GC) It is a DC that additionally stores a partial, read-only replica of every object in every domain of the forest (all objects, but only a subset of their attributes). A standard domain controller holds a complete replica of the objects of its own domain only. The GC therefore serves forest-wide searches, resolves universal group membership at logon, and is needed to resolve UPN logons that belong to another domain.

    • Trusts (e.g., after an acquisition it is easier to grant access through a trust than to recreate every user)

      Transitive: the trust extends to the domains that the trusted domain itself trusts (if A trusts B and B trusts C, then A trusts C). Bidirectional: each domain trusts the other, so users of both can access resources in the other domain; a one-way trust grants access in one direction only (the trusting domain accepts principals from the trusted domain).

      • Parent-child Between domains within the same forest, such as a domain and its subdomain. (transitive and bidirectional, created automatically)

      • Cross-link (shortcut) Between two child domains in the same forest, created manually to shorten the referral path when authenticating across the tree. (transitive, one- or two-way)

      • External Between two domains in different forests that are not joined by a Forest trust. SID filtering is enabled on it by default. (non-transitive, one- or two-way)

      • Tree-root Between the forest root domain and the root domain of a new tree added to the forest. (transitive and bidirectional, created automatically)

      • Forest Between two forest root domains, extending to every domain of both forests. SID filtering (quarantine) is on by default. (transitive, one- or two-way)

      It is important to note that a trust relationship between domains does not automatically grant access to any resource in the other domain. Once a trust is in place you are able to authorize principals from the other domain on your resources, but nothing is granted until you explicitly do so.
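The GPO processing order described above (Local, Site, Domain, parent OU, child OU, link order, Enforced, Block Inheritance) is easiest to check by replaying it. The following is an added example, not code from the original notes: a small resolver that applies those rules to a constructed hierarchy (the lab.local domain, the OU names, the GPO names and the settings are all made up) and reports which GPO wins each setting. With Servers blocking inheritance, Default Domain Policy never applies but the enforced Corp Baseline still does, and SQL Legacy App, linked to the child OU, re-enables SMBv1 after Server Hardening disabled it.

```python
"""Resolve which GPO wins each setting by replaying the client's processing
order: Local, Site, Domain, parent OU, child OU, link order, Enforced and
Block Inheritance. Added illustration, not code from the original notes;
the hierarchy, GPO names and settings are constructed."""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict            # setting name -> value this GPO configures


@dataclass
class Link:
    gpo: Gpo
    order: int                # link order on the container; 1 = highest precedence
    enforced: bool = False


@dataclass
class Container:
    name: str                 # "Local", a site, the domain, or an OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """chain runs from the local policy down to the OU holding the object.
    Returns GPOs in the order the client applies them; the last one wins."""
    # Block Inheritance on the deepest container that sets it drops every
    # non-enforced link above it (the local policy is not inherited, so it stays).
    blocked_above = None
    for level, container in enumerate(chain):
        if container.block_inheritance:
            blocked_above = level
    normal, enforced = [], []
    for level, container in enumerate(chain):
        # Within one container the highest link-order number is applied first,
        # so link order 1 is applied last and takes precedence.
        for link in sorted(container.links, key=lambda lnk: lnk.order, reverse=True):
            if link.enforced:
                enforced.append((level, link.gpo))
            elif level == 0 or blocked_above is None or level >= blocked_above:
                normal.append(link.gpo)
    # Enforced links are applied after everything else; among them the one
    # linked closest to the root is applied last, so an enforced domain GPO
    # beats an enforced OU GPO.
    enforced.sort(key=lambda item: item[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def resolve(chain):
    """Return ({setting: (value, winning GPO name)}, [applied GPO names])."""
    order = processing_order(chain)
    effective = {}
    for gpo in order:
        for key, value in gpo.settings.items():
            effective[key] = (value, gpo.name)       # a later GPO overwrites
    return effective, [gpo.name for gpo in order]


def sample_chain():
    """Constructed hierarchy: lab.local domain, a Servers OU that blocks
    inheritance, and an SQL child OU with two linked GPOs."""
    local = Gpo("Local Security Policy", {"SMBv1": "enabled", "AuditLogon": "none", "LmCompatibilityLevel": 1})
    default_domain = Gpo("Default Domain Policy", {"LmCompatibilityLevel": 3, "ScreenLock": 900})
    corp_baseline = Gpo("Corp Baseline", {"LmCompatibilityLevel": 5})
    server_hardening = Gpo("Server Hardening", {"SMBv1": "disabled", "ScreenLock": 600})
    sql_audit = Gpo("SQL Audit", {"AuditLogon": "success,failure"})
    sql_legacy = Gpo("SQL Legacy App", {"SMBv1": "enabled"})
    return [
        Container("Local", [Link(local, 1)]),
        Container("Default-First-Site-Name"),
        Container("lab.local", [Link(default_domain, 1), Link(corp_baseline, 2, enforced=True)]),
        Container("OU=Servers", [Link(server_hardening, 1)], block_inheritance=True),
        Container("OU=SQL", [Link(sql_legacy, 2), Link(sql_audit, 1)]),
    ]


if __name__ == "__main__":
    effective, order = resolve(sample_chain())
    print("applied in order:", " -> ".join(order))
    for setting, (value, winner) in sorted(effective.items()):
        print(f"{setting:<22} = {value!s:<16} (from {winner})")
```

Clearing block_inheritance on the Servers container puts Default Domain Policy back into the order right after the local policy; on a real host the equivalent view is gpresult /r (or /h report.html), which lists applied and filtered GPOs in this same order.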


Protocols

The protocols that make Active Directory work are:

Authentication

Whenever a user attempts to authenticate to a service using domain credentials, the service must ask the DC to verify that they are correct.

Kerberos The default authentication protocol in any recent domain, used by every recent version of Windows. It is ticket-based, so the user's password never crosses the wire. It runs on port 88, TCP and UDP.

Notes:

  • Ticket Granting Ticket (TGT): issued by the KDC after the AS-REQ/AS-REP exchange and encrypted with the krbtgt account's key. It contains the user, the domain, a timestamp, an optional list of client addresses, and the session key. It is valid for 10 hours by default (renewable for up to 7 days). A Golden Ticket is a forged TGT built with the krbtgt hash, not the TGT itself.

  • Service ticket: issued by the Ticket Granting Service (TGS) in exchange for a TGT and encrypted with the target service account's key. A Silver Ticket is a forged service ticket built with that service account's hash; since the service validates it locally, it never touches the DC.

  • On a TGS-REQ the KDC checks that: the authenticator timestamp is within the allowed clock skew (5 minutes by default) and has not been seen before (replay); the username in the TGS-REQ matches the one in the TGT; if the TGT carries client addresses, the requesting IP address matches them.

  • Possible details HERE.

NetNTLM Legacy challenge-response authentication protocol kept for compatibility (workgroups, access by IP address instead of host name, services without an SPN).

Hash:

  • LM: the password is uppercased, padded or truncated to 14 characters and split into two 7-character halves, each used as a DES key to encrypt a fixed string. With 69 possible characters per position and halves that crack independently it is trivial to break; disabled by default since Windows Vista / Server 2008.

  • NTLM (NT hash): MD4 of the UTF-16LE password, arbitrary length, unsalted.

Version:

  • NTLMv1: single challenge-response. The server sends an 8-byte challenge and the client answers with DES computations keyed from the LM hash (if available) and the NT hash.

  • NTLMv2: the client answers the server challenge with an HMAC-MD5 keyed by an HMAC of the NT hash over the username and domain, and includes its own client challenge and a timestamp (the NTLMv2 blob), which defeats precomputation and replay.

Notes:

  • Challenge = nonce: 8 random bytes chosen by the server, different for every authentication.

  • The process described applies when a domain account is used. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since the password hash is stored locally in its SAM.

  • Domain Cached Credentials (DCC, MSCache). By default the last ten domain logons (CachedLogonsCount) are cached in the registry under HKLM\SECURITY\Cache so that users can still log on when no DC is reachable. DCC2 hashes (Vista and later, PBKDF2 over the NT hash and username) cannot be used in pass-the-hash attacks and are slow to crack.
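To make the NT hash and the NTLMv2 exchange above concrete, here is an added example (not code from the original notes) that computes the NT hash, builds the NTLMv2 response a client sends, and verifies it the way the DC (or a server holding a local account) does. The user, domain, password, challenges, timestamp and target info are constructed values. MD4 is implemented inline because OpenSSL 3 builds of Python's hashlib often no longer expose it.

```python
"""NT hash and NTLMv2 challenge-response (MS-NLMP) in pure Python: what the client
computes and what the verifier checks. Added illustration, not code from the
original notes; all sample values below are constructed."""
import hmac
import struct
from hashlib import md5

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (hashlib may lack md4 on OpenSSL 3 builds)."""
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + func(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate roles for the next step
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); unsalted, hence pass-the-hash material."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)); domain case is kept."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def av_pairs(nb_domain):
    """Minimal target info (AV_PAIR list) as the server sends it: NetBIOS domain + end marker."""
    name = nb_domain.encode("utf-16-le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp. temp is the NTLMv2 blob:
    0x0101, 6 reserved bytes, FILETIME, client nonce, 4 reserved, AV_PAIRs, 4 reserved."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, md5).digest()
    return nt_proof + temp


def verify_ntlmv2(nt, user, domain, server_challenge, response):
    """Verifier side: recompute NTProofStr over the received blob with the stored
    NT hash. Only the hash is needed, which is why the hash alone can answer
    a challenge (pass-the-hash)."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def hashcat_5600(user, domain, server_challenge, response):
    """NetNTLMv2 line in the form Responder prints and hashcat -m 5600 cracks."""
    return "%s::%s:%s:%s:%s" % (user, domain, server_challenge.hex(),
                                response[:16].hex(), response[16:].hex())


# Constructed sample exchange; not captured from any real domain.
SAMPLE = dict(user="alice", domain="LAB", password="Winter2024!",
              server_challenge=bytes.fromhex("1122334455667788"),
              client_challenge=bytes.fromhex("aabbccddeeff0011"),
              timestamp=133_500_000_000_000_000)  # FILETIME: 100 ns ticks since 1601-01-01


def demo():
    """Returns (verifies with the right hash, verifies with a wrong hash, crackable line)."""
    s = SAMPLE
    nt = nt_hash(s["password"])
    resp = ntlmv2_response(nt, s["user"], s["domain"], s["server_challenge"],
                           s["client_challenge"], s["timestamp"], av_pairs(s["domain"]))
    good = verify_ntlmv2(nt, s["user"], s["domain"], s["server_challenge"], resp)
    bad = verify_ntlmv2(nt_hash("Summer2024!"), s["user"], s["domain"], s["server_challenge"], resp)
    return good, bad, hashcat_5600(s["user"], s["domain"], s["server_challenge"], resp)


if __name__ == "__main__":
    good, bad, line = demo()
    print("correct hash verifies:", good, "| wrong hash verifies:", bad)
    print(line)
```

Two things worth noticing when running it: the verifier never sees the password, only the NT hash, which is exactly the property pass-the-hash abuses; and the hashcat line contains the server challenge, the NTProofStr and the whole blob, so anyone who captures the exchange (Responder, a relay, a packet capture) can crack the password offline but cannot replay the response against a different challenge.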

DNS

It lets clients and Domain Controllers locate each other and communicate. DNS resolves host names to IP addresses and vice versa, and provides SRV records (such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) that clients use to find DCs and the other services needed for authentication and communication on the network. It runs on the usual port 53, UDP and TCP.

LDAP

It is the protocol used to communicate with, access, modify and query the information stored in a directory service, in this case AD. Authentication-related interaction also goes through it, and it is sometimes used for authentication itself (an LDAP bind with a username and password, which travels in clear on plain port 389 unless LDAPS or signing and channel binding are enforced). It listens on port 389 (LDAP) and 636 (LDAPS, over SSL/TLS), both TCP; the Global Catalog is queried on port 3268 (LDAP Global Catalog) and 3269 (LDAP Global Catalog over SSL/TLS), both TCP. (Just as Apache is a web server that speaks HTTP, Active Directory is a directory server that speaks LDAP.)
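One detail that bites when querying AD over LDAP is that objectSid comes back as a binary value, not as the S-1-5-21-... string. The following is an added example, not code from the original notes: it decodes and re-encodes that binary SID (layout from MS-DTYP) and splits the domain SID from the RID issued by the RID Master, as described above. The sample blob is constructed from the example SID used earlier in these notes; the well-known RID table is a fixed property of Windows and is useful for spotting a renamed built-in Administrator (the name can change, RID 500 cannot).

```python
"""Decode and encode the binary objectSid that LDAP returns, and split the
domain SID from the RID handed out by the RID Master. Added illustration,
not code from the original notes; the sample blob is constructed from the
example SID used in the notes."""
import struct

# RIDs below 1000 are reserved well-known ones; the object can be renamed
# but its RID never changes, so RID 500 is always the built-in Administrator.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def sid_to_string(blob: bytes) -> str:
    """Binary SID (MS-DTYP): revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 32-bit LE sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; handy for building LDAP filters on objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid: str):
    """Domain SID (S-1-5-21-x-y-z) and RID of a domain principal."""
    # A domain principal SID has exactly 5 sub-authorities: 21, x, y, z, RID.
    if not sid.startswith("S-1-5-21-") or sid.count("-") != 7:
        raise ValueError("not a domain principal SID: %r" % sid)
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def describe(sid: str) -> str:
    """Name the RID, e.g. to spot a renamed built-in account or group."""
    domain_sid, rid = split_rid(sid)
    label = WELL_KNOWN_RIDS.get(rid, "reserved RID" if rid < 1000 else "regular object")
    return "%s in domain %s: RID %d (%s)" % (sid, domain_sid, rid, label)


# Constructed: the example SID from the notes, re-encoded as LDAP would return it.
SAMPLE_SID = "S-1-5-21-3842939050-3880317879-2865463114-1111"
SAMPLE_BLOB = string_to_sid(SAMPLE_SID)

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex())
    print(sid_to_string(SAMPLE_BLOB))
    print(describe(SAMPLE_SID))
    print(describe("S-1-5-21-3842939050-3880317879-2865463114-500"))
```

The same decoder works for the SIDs stored in sIDHistory and in the trust objects under CN=System, which is where SID filtering on external and forest trusts does its work.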

MSRPC

It is Microsoft's implementation of Remote Procedure Call (RPC), a communication protocol that lets a process on one computer call into a process running on another computer over the network. It exposes several interfaces, each a specific implementation of a service whose methods cover particular operations; some of them are specific to Active Directory. Port 135, TCP, is the endpoint mapper that tells the client which dynamic high port a given interface listens on; most of the AD-related interfaces are also reachable as SMB named pipes over port 445.

  • lsarpc A set of RPC calls to the Local Security Authority (LSA) system that manages local security policy on a computer, controls audit policies, and provides interactive authentication services.

  • netlogon A Windows process that authenticates users and other services in a domain environment. It runs in the background, handling authentication requests.

  • samr Remote SAM (samr) provides functionality to manage the domain account database, allowing IT administrators to create, read, update, and delete user and group information.

  • drsuapi The Microsoft API that implements the Directory Replication Service (DRS) protocol used for replication between DCs. Any account holding the replication rights on the domain (Replicating Directory Changes and Replicating Directory Changes All) can use it to pull objects and their secrets, which is how DCSync works.


Active Directory PowerShell commands: HERE

Cheatsheet: HERE
