
# active directory 101

## TLDR;

1. Let's start with a domain; say **(kashz.com)**
2. A hierarchy of domains forms a tree.

* **(kashz.com)**
  * **(writeups.kashz.com)**
  * **(jewels.kashz.com)**

3. Different trees together form a forest.

Inside a domain:

1. Organizational Units (OUs) - collections of objects.
2. Objects can be any of the following:
   1. User
   2. Contact
   3. Groups
   4. Computers
   5. Printers
   6. Shared Folders

## Long Explanation

Active Directory consists of:

1. **1 or more** Domain Controllers (more than one mainly for fault tolerance)
2. **1 or more** storage servers / user workstations

### Domain Controller

* has the AD domain services data store installed
* promoted to a domain controller in the forest
* center of Active Directory; controls the rest of the domain
* handles authentication and authorization services
* replicates updates from other domain controllers in the forest
* allows admin access to manage domain resources

#### AD DS data store

* Contains the `NTDS.dit` database as well as the password hashes for domain users
* Stored by default in `%SystemRoot%\NTDS`
* accessible only by the domain controller

Default Paths

* Database folder: `C:\Windows\NTDS`
* Log files folder: `C:\Windows\NTDS`
* SYSVOL folder: `C:\Windows\SYSVOL`

### Forest

Collection of one or more domain trees inside an Active Directory network. It can contain:

* Trees - A hierarchy of domains in Active Directory Domain Services **(collection of domains)**
* Domains - Used to group and manage objects
* Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
* Trusts - Allows users to access resources in other domains
* Objects - users, groups, printers, computers, shares
* Domain Services - DNS Server, LLMNR, IPv6
* Domain Schema - Rules for object creation

### User + Groups

A default DC comes with default groups and two default users: Administrator and Guest.

#### Users

Four main types of users:

* Domain Admins - control the domains and are the only ones with access to the DC
* Service Accounts - for service maintenance
* Local Administrators - can log in to local machines as administrators; cannot access the DC
* Domain Users - Normal users who can log in to machines they have the authorization to access.

#### Groups

Groups allow permissions to be granted to many users and objects at once by organizing them into groups.

* Security Groups - specify permissions for a large number of users
* Distribution Groups - specify email distribution lists.

**Default Security Groups**

* Domain Controllers - All domain controllers in the domain
* Domain Guests - All domain guests
* Domain Users - All domain users
* Domain Computers - All workstations and servers joined to the domain
* Domain Admins - Designated administrators of the domain
* Enterprise Admins - Designated administrators of the enterprise
* Schema Admins - Designated administrators of the schema
* DNS Admins - DNS Administrators Group
* DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
* Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain
* Group Policy Creator Owners - Members in this group can modify group policy for the domain
* Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
* Protected Users - Members of this group are afforded additional protections against authentication security threats.
* Cert Publishers - Members of this group are permitted to publish certificates to the directory
* Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
* Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
* Key Admins - Members of this group can perform administrative actions on key objects within the domain.
* Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
* Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
* RAS and IAS Servers - Servers in this group can access remote access properties of users
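Membership in the privileged default groups above is usually nested (a group inside a group), so a direct-member listing understates who really holds Domain Admins. The following is an added example, not code from the original page: it flattens nested membership over a constructed sample directory and reports accounts in Domain Admins, Enterprise Admins or Schema Admins that are not also in Protected Users. The `SAMPLE_MEMBERS` dict and all account names are constructed.

```python
# Added example (not from the original page): flatten nested AD group membership
# and flag accounts in a highly privileged default group that are not also in
# Protected Users. All names below are constructed sample data.
from collections import deque

# Default security groups from the page that grant full control of the domain/forest.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed directory: group -> direct members. A member whose name is also a
# key of this dict is treated as a nested group; anything else is a user account.
SAMPLE_MEMBERS = {
    "Domain Admins": ["alice", "Tier0 Operators"],
    "Enterprise Admins": ["alice"],
    "Schema Admins": [],
    "Tier0 Operators": ["bob", "svc_backup"],
    "Protected Users": ["alice"],
    "Domain Users": ["alice", "bob", "carol", "svc_backup"],
}

def effective_members(group, members):
    """Return the set of user accounts that are members of `group`,
    following nested group membership and tolerating membership cycles."""
    seen_groups, users = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        for m in members.get(g, []):
            if m in members:          # member is itself a group: descend into it
                queue.append(m)
            else:
                users.add(m)
    return users

def privileged_not_protected(members, privileged=PRIVILEGED_GROUPS):
    """Map each effectively privileged user to the privileged groups they hold,
    for users who are not also in Protected Users."""
    protected = effective_members("Protected Users", members)
    findings = {}
    for group in sorted(privileged):
        for user in effective_members(group, members):
            if user not in protected:
                findings.setdefault(user, []).append(group)
    return findings

if __name__ == "__main__":
    for user, groups in privileged_not_protected(SAMPLE_MEMBERS).items():
        print(f"{user}: privileged via {', '.join(groups)} but not in Protected Users")
```

Service accounts such as `svc_backup` usually cannot be placed in Protected Users (membership disables NTLM and delegation for the account), so a finding on one points to removing it from the privileged group rather than adding it to Protected Users.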

### Trusts + Policies

#### Trusts

Specify the way that the domains inside a forest communicate with each other.

* Directional **(A -> B)**
* Transitive **(A -> B -> C so A -> C)**
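The directional and transitive rules above decide how far a trust chain extends, and the outcome is easy to misjudge by hand once external trusts are mixed in. The following is an added example, not code from the original page: it models trusts as a graph and computes which domains accounts from a given domain can reach. The trust list is constructed, and the convention that `A -> B` means accounts from A can access resources in B is an assumption.

```python
# Added example (not from the original page): model the page's directional and
# transitive trusts as a graph and compute which domains accounts from a given
# domain can reach. The trust list below is constructed sample data.
from collections import deque

# Assumed convention: ("A", "B", transitive) means A -> B on the page, i.e.
# accounts from A can access resources in B.
SAMPLE_TRUSTS = [
    ("kashz.com", "writeups.kashz.com", True),    # parent-child trusts are
    ("writeups.kashz.com", "kashz.com", True),    # two-way and transitive
    ("kashz.com", "jewels.kashz.com", True),
    ("jewels.kashz.com", "kashz.com", True),
    ("kashz.com", "partner.example", False),      # external one-way, non-transitive
    ("partner.example", "vendor.example", True),
]

def reachable_domains(start, trusts):
    """Domains whose resources accounts from `start` can access. A direct
    trust always counts; a chain A -> B -> C counts only while every hop is
    transitive, because a non-transitive trust stops at its two domains."""
    reachable = set()
    expanded = {start}            # domains whose outgoing trusts were already followed
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for a, b, transitive in trusts:
            if a != src or b == start:
                continue
            if src != start and not transitive:
                continue          # a non-transitive hop beyond the first is not inherited
            reachable.add(b)
            if transitive and b not in expanded:
                expanded.add(b)
                queue.append(b)
    return reachable

def trust_reach_report(trusts):
    """Map every domain in the trust list to the sorted domains it can reach."""
    domains = {d for a, b, _ in trusts for d in (a, b)}
    return {d: sorted(reachable_domains(d, trusts)) for d in sorted(domains)}

if __name__ == "__main__":
    for domain, reach in trust_reach_report(SAMPLE_TRUSTS).items():
        print(f"{domain}: {', '.join(reach) or '(none)'}")
```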

#### Policies

Dictate how the server operates and what rules it will and will not follow.

### AD Services

Default domain services:

* LDAP - provides communication between applications and directory services
* Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
* DNS, LLMNR, NBT-NS - name resolution services that map hostnames to IP addresses

### AD Auth

#### Windows

* Kerberos - default auth service for AD; uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
* NTLM - default Windows auth protocol; uses an encrypted challenge/response protocol

#### Linux

* RADIUS Protocol
* LDAP

## Reference

[TryHackMe AD Room](https://tryhackme.com/room/activedirectorybasics)
