Bufu-Sec Wiki

General

Introduction

  • Used to manage Windows domain networks

  • "Phone book" for Windows -> stores information about computers, users, etc.

  • Authentication uses Kerberos tickets

  • Can be exploited using intended functionality

Physical AD Components

  • Domain controller server -> AD DS server role installed

  • Domain controllers

    • Host a copy of the AD DS directory store

    • Provide authentication & authorization

    • Replicate updates to other DCs in the domain and forest

    • Provide administrative access to manage user accounts and network resources

  • AD DS data store

    • Contains the database files and processes that store and manage directory information for users, services, and applications

    • Consists of the Ntds.dit file

    • Is stored by default in the %SystemRoot%\NTDS folder on all DCs

    • Accessible only through the DC processes and protocols

Logical AD Components

  • AD DS schema

    • Defines every type of object that can be stored in the directory

    • Enforces rules for object creation & configuration

| Object Type | Function | Examples |
|---|---|---|
| Class Object | What objects can be created in the directory | User, Computer |
| Attribute Object | Information that can be attached to an object | Display name |

Domains

  • Used to group and manage objects in an organization

  • Administrative boundary for applying policies to groups and objects

  • Replication boundary for replicating data between domain controllers

  • Authentication & authorization boundary that provides a way to limit the scope of access to resources

Trees

  • Hierarchy of domains in AD DS

  • All domains in the tree

    • Share a contiguous namespace with the parent domain

    • Can have additional child domains

    • By default create a two-way transitive trust with other domains

Forest

  • Collection of one or more domain trees

  • Share a common

    • schema

    • configuration partition

    • global catalog to enable searching

  • Enable trusts between all domains in the forest

  • Share the Enterprise Admins and Schema Admins groups

Organization Units (OUs)

  • AD containers that can contain users, groups, computers and other OUs

  • Used to

    • Represent organization hierarchically and logically

    • Manage a collection of objects in a consistent way

    • Delegate permissions to administer groups of objects

    • Apply policies

  • Split into separate OUs only where needed for applying Group Policy (GP)

  • Don't mix users and computers

Trusts

  • Provide a mechanism for users to gain access to resources in another domain

  • All domains in a forest trust all other domains in the forest

  • Can extend outside the forest

  • Types of trusts

    • Directional

    • Transitive

Objects

  • User

  • InetOrgPerson

  • Contacts

  • Groups

  • Computers

  • Printers

  • Shared folders

Flexible Single Master Operations (FSMO) Roles

Schema Master

  • Performs updates to the AD schema such as ADPREP/FORESTPREP, MS Exchange

  • Must be online during schema updates

  • Generally placed on the forest root PDC

Domain Naming Master

  • Adds and removes domains and application partitions to and from the AD forest

  • Must be online when domains and application partitions in a forest are added or removed

  • Generally placed on the forest root PDC

PDC Emulator

  • Manages password changes for computer and user accounts on replica domain controllers

  • Consulted by replica domain controllers when service authentication requests have mismatched passwords

  • Target DC for Group Policy updates

  • Usually also the single authoritative time server

  • Target DC for legacy applications that perform writable operations and for some admin tools

  • Must be online and accessible at all times

  • Generally placed on higher-performance hardware in a reliable hub site alongside other DCs

RID Master

  • Allocates active and standby RID pools to replica DCs in the same domain

  • Must be online for newly promoted DCs to obtain a local RID pool or when existing DCs must update their current or standby RID pool allocation

  • Generally placed on the forest root PDC

Infrastructure Master

  • Updates cross-domain references and phantoms/tombstones from the Global Catalog

  • A separate infrastructure master exists for each application partition, including the default forest-wide and domain-wide application partitions

  • Can be placed on any DC in single-domain forest

  • In a multi-domain forest, generally placed on a DC that is not a Global Catalog; if every DC in the forest is a Global Catalog, it can be placed on any DC
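The following script is an added example, not part of the Bufu-Sec wiki: it reports which DC holds each FSMO role described above, whether each holder currently responds, and whether the Infrastructure Master placement follows the Global Catalog guidance. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the forest.

```powershell
# Added example (not from the wiki). Requires the ActiveDirectory module and a
# domain-joined session with read access; no changes are made to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Schema Master and Domain Naming Master are forest-wide; PDC Emulator, RID
# Master and Infrastructure Master are per domain (current domain shown here).
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

$report = foreach ($entry in $roles.GetEnumerator()) {
    [pscustomobject]@{
        Role   = $entry.Key
        Holder = $entry.Value
        # ICMP reachability only; a holder can answer ping and still be unhealthy
        Online = Test-Connection -ComputerName $entry.Value -Count 1 -Quiet
    }
}
$report | Format-Table -AutoSize

# Infrastructure Master check: in a multi-domain forest it should not sit on a
# Global Catalog unless every DC in the forest is a Global Catalog.
$allDcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d
}
$im      = $allDcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$imIsGc  = [bool]$im.IsGlobalCatalog
$allGc   = ($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$multi   = $forest.Domains.Count -gt 1

if ($multi -and $imIsGc -and -not $allGc) {
    Write-Warning ("Infrastructure Master {0} is a Global Catalog in a multi-domain " +
                   "forest; cross-domain reference (phantom) updates may not be processed." -f
                   $domain.InfrastructureMaster)
} else {
    Write-Output 'Infrastructure Master placement is consistent with the guidance above.'
}
```

Run it from each domain in the forest to cover the per-domain roles, since Get-ADDomain without -Identity returns only the current domain.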
