Lesson 1: Active Directory Architecture
Understanding the core components and structure of Active Directory
Learning Objectives
By the end of this lesson, you will be able to:
- Understand Active Directory hierarchical structure
- Identify key AD components and their roles
- Explain forest and domain relationships
- Describe organizational unit (OU) structure
- Understand domain controller roles and functions
- Identify security implications of AD architecture
Active Directory Hierarchical Structure
Forest Level
The forest is the top-level container in Active Directory. It represents the complete logical structure of the directory service and contains all objects within the organization.
Key Forest Characteristics:
- Security Boundary: Forest is the ultimate security boundary
- Schema: Single schema applies to entire forest
- Global Catalog: Forest-wide search and authentication
- Trust Relationships: Can establish trusts with other forests
Domain Level
A domain is a logical grouping of network objects (users, computers, groups) that share a common directory database and security policies.
Domain Structure Example:
```text
Forest: company.local
├── Domain: company.local (Root Domain)
│   ├── DC: dc1.company.local
│   ├── DC: dc2.company.local
│   └── OU: Corporate
│       ├── Users
│       ├── Computers
│       └── Groups
└── Domain: branch.company.local (Child Domain)
    ├── DC: dc1.branch.company.local
    └── OU: Branch Office
        ├── Users
        └── Computers
```
Organizational Units (OUs)
Organizational Units are containers within domains used to organize objects and apply Group Policy settings.
OU Best Practices:
- Delegation: OUs enable administrative delegation
- Group Policy: Apply policies to specific OU levels
- Organization: Reflect business structure
- Security: Implement least privilege access
Domain Controller Roles and Functions
Primary Domain Controller (PDC) Emulator
Function: Manages password changes and time synchronization
Security Implications:
- Target for password attacks
- Critical for time-based attacks
- Single point of failure
Relative ID (RID) Master
Function: Allocates unique security identifiers (SIDs)
Security Implications:
- Controls SID generation
- Potential for SID enumeration
- Affects object creation
Infrastructure Master
Function: Updates references to objects in other domains
Security Implications:
- Cross-domain reference attacks
- Object reference manipulation
- Trust relationship exploitation
Schema Master
Function: Manages the Active Directory schema
Security Implications:
- Schema modification attacks
- Object class manipulation
- Forest-wide impact
Domain Naming Master
Function: Manages domain additions and removals
Security Implications:
- Domain manipulation attacks
- Forest structure modification
- Trust relationship changes
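Because each FSMO role is held by exactly one DC, an unexplained transfer or seizure of a role is worth alerting on. The following PowerShell script is an added example, not part of the lesson: it reads the five role holders with Get-ADForest and Get-ADDomain (the same cmdlets used in the exercise below) and compares them with a saved baseline. The baseline path and the assumption that the RSAT ActiveDirectory module is installed are mine.

```powershell
# Added example (not from the lesson): record the five FSMO role holders and
# compare them against a saved baseline so an unexpected role transfer or
# seizure stands out. Assumes the RSAT ActiveDirectory module is installed
# and the caller can read the forest and domain objects.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Baseline location is an assumption; pick a path only administrators can write.
$baselinePath = 'C:\ADBaseline\fsmo-baseline.json'
$current = Get-FsmoRoleHolders

if (-not (Test-Path $baselinePath)) {
    # First run: persist the current holders as the expected state.
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath"
    return
}

$baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
$drift = foreach ($role in $current.Keys) {
    if ($current[$role] -ne $baseline.$role) {
        [pscustomobject]@{ Role = $role; Expected = $baseline.$role; Actual = $current[$role] }
    }
}

if ($drift) {
    Write-Warning 'FSMO role holders differ from the baseline; verify the change was authorised:'
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'All FSMO role holders match the baseline.'
}
```

Run it once to create the baseline, then on a schedule; any row it prints corresponds to a role that moved since the baseline was taken and should be matched against a change record before the baseline is refreshed.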
Active Directory Database (NTDS.dit)
Database Structure
The Active Directory database (NTDS.dit) stores all directory information and uses the Extensible Storage Engine (ESE).
NTDS.dit Key Information:
- Location: %SystemRoot%\NTDS\NTDS.dit
- Size: Grows with directory objects
- Access: Exclusive access by LSASS process
- Backup: Critical for disaster recovery
Database Tables
| Table Name | Purpose | Security Relevance |
|---|---|---|
| datatable | Main object storage | Contains all AD objects and attributes |
| link_table | Relationship storage | Stores object relationships and references |
| sd_table | Security descriptors | Contains ACLs and permissions |
| msysobjects | Schema definitions | Defines object classes and attributes |
Security Implications of AD Architecture
Attack Vectors
Forest Trust Attacks
Exploiting trust relationships between forests to gain unauthorized access.
- SID filtering bypass
- Kerberos delegation abuse
- Cross-forest privilege escalation
Domain Controller Compromise
Gaining control of domain controllers to access sensitive directory information.
- NTDS.dit extraction
- Golden ticket attacks
- DCSync exploitation
Role-Based Attacks
Targeting specific FSMO roles for privilege escalation.
- PDC emulator password attacks
- Schema master manipulation
- RID master SID generation
Defense Strategies
Network Segmentation
- Isolate domain controllers
- Implement firewall rules
- Use dedicated management networks
Access Controls
- Implement least privilege
- Regular access reviews
- Multi-factor authentication
Monitoring
- Audit FSMO role access
- Monitor NTDS.dit access
- Track administrative activities
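The monitoring and access-review items above can be made concrete for one of the attack vectors listed earlier, DCSync, which works by exercising the directory replication control-access rights. The script below is an added example and not part of the lesson: it lists which principals hold those rights on the domain naming context (an access-review check) and then searches the Security log for event 4662 entries in which a non-machine account used them (a detection check). It assumes the ActiveDirectory module is loaded, that it runs on a domain controller, and that the Directory Service Access audit subcategory is enabled with a SACL on the domain object covering these rights; without that audit configuration the second check returns nothing.

```powershell
# Added example (not from the lesson): two defensive checks against directory
# replication abuse. Assumes the ActiveDirectory module is loaded, the script
# runs on a DC, and "Audit Directory Service Access" is enabled so 4662 is logged.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs for directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Check 1: which principals are allowed the replication rights on the domain NC?
# Normally only domain controllers and a small set of built-in groups appear.
function Get-ReplicationRightHolders {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
            }
        }
}

# Check 2: 4662 events where a non-machine account exercised a replication right.
function Find-ReplicationAuditEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields (SubjectUserName, Properties, ...) out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $matched = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
        # Computer accounts end with '$'; replication by them is normal DC-to-DC traffic.
        if ($matched.Count -gt 0 -and $data['SubjectUserName'] -notlike '*$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Right   = $ReplicationRights[$matched[0]]
            }
        }
    }
}

Get-ReplicationRightHolders | Format-Table -AutoSize
Find-ReplicationAuditEvents -Hours 24 | Format-Table -AutoSize
```

Any principal in the first table that is not a domain controller or an expected administrative group should be traced to a documented need, and any row in the second table is a user account pulling directory changes, which on most networks is worth an incident ticket.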
Hands-On Exercise
Exercise: AD Architecture Analysis
Objective: Analyze Active Directory architecture and identify potential security vulnerabilities.
Steps:
- Domain Information Gathering
  Use PowerShell to enumerate domain information:
  ```powershell
  # ReplicaDirectoryServers lists the writable DCs; Get-ADDomain has no DomainControllers property
  Get-ADDomain | Select-Object Name, Forest, DomainMode, ReplicaDirectoryServers
  Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
  ```
- FSMO Role Identification
  Identify all FSMO role holders:
  ```powershell
  netdom query fsmo
  # Or using PowerShell:
  Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
  Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
  ```
- OU Structure Analysis
  Examine organizational unit hierarchy:
  ```powershell
  Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
  ```
- Trust Relationship Mapping
  Document all trust relationships:
  ```powershell
  Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
  ```
Deliverables:
- Domain architecture diagram
- FSMO role holder documentation
- Trust relationship map
- Security vulnerability assessment
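The trust relationship map from step 4 and the trust-related part of the security assessment can be produced together. The script below is an added example, not part of the lesson: it extends the Get-ADTrust command from the exercise to read the trust properties that govern the forest-trust risks described earlier (SID filtering, TGT delegation and selective authentication) and writes one row per trust with any weak setting called out. It assumes the ActiveDirectory module is loaded; the output path is mine.

```powershell
# Added example (not from the lesson): trust map plus per-trust hardening findings.
# Assumes the ActiveDirectory module is loaded; the CSV path is an assumption.
Import-Module ActiveDirectory

function Get-TrustAssessment {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $findings = @()
        if (-not $_.IntraForest) {
            # SID filtering only matters for trusts that leave the forest.
            # Forest trusts use SIDFilteringForestAware (True by default on a new
            # forest trust); external trusts use SIDFilteringQuarantined.
            if ($_.ForestTransitive -and -not $_.SIDFilteringForestAware) {
                $findings += 'SID filtering relaxed (SIDFilteringForestAware = False)'
            }
            if (-not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
                $findings += 'SID filtering off (SIDFilteringQuarantined = False)'
            }
            # TGTDelegation = True lets unconstrained delegation cross the trust.
            if ($_.TGTDelegation) {
                $findings += 'TGT delegation allowed across trust'
            }
            # Without selective authentication every trusted user may authenticate anywhere.
            if (-not $_.SelectiveAuthentication) {
                $findings += 'Forest-wide authentication (selective authentication off)'
            }
        }
        [pscustomobject]@{
            Name        = $_.Name
            Direction   = $_.Direction
            TrustType   = $_.TrustType
            IntraForest = $_.IntraForest
            ForestTrust = $_.ForestTransitive
            Findings    = ($findings -join '; ')
        }
    }
}

$outputPath = 'C:\ADBaseline\trust-map.csv'
New-Item -ItemType Directory -Path (Split-Path $outputPath) -Force | Out-Null

$map = Get-TrustAssessment
$map | Format-Table -AutoSize
$map | Export-Csv -Path $outputPath -NoTypeInformation
```

Parent-child trusts inside the forest are reported without findings, because SID filtering is not applied to them; the forest itself is the security boundary, as the first section of the lesson states, so a flagged finding on an external or forest trust is the item to carry into the vulnerability assessment deliverable.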