Active Directory Overview

By Hacktivities. Published in InfoSec Write-ups, May 18, 2022.

Recently, I’ve been learning more about Active Directory and how it is used in today’s modern networks. This article attempts to provide a general overview of Active Directory basics and utilizes the TryHackMe room titled “Active Directory Basics”, created by the user Cryillic, to get some hands-on experience with the service.

What is Active Directory?

Active Directory is a directory service developed by Microsoft to manage Windows domain networks and is used to store information about network objects. The purpose of a directory service is to describe how network objects can be organized within an IT network, so as to allow IT administrators to control user access to these network resources. If a user wants to access a network resource, the directory service will require the user to authenticate their identity against the directory’s user database with a username and password. If the username and password are valid, the user can access that resource.

Directory Service.

How does Active Directory Work?

Active Directory is composed of a database and a set of services that connect users with network resources. The services control the activity that occurs in the network environment, and the database contains information about the network objects. The main Active Directory service is Active Directory Domain Services (AD DS). Microsoft provides the following description for AD DS:

A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Any Windows server that has AD DS server role installed is called a Domain Controller (DC). Organizations can have multiple DCs, which are at the center of Active Directory and control the rest of the domain.

Domain Controller (DC).

The AD DS Store database (directory) contains information about the AD objects (i.e. users, computers, applications, printers, shared folders) in the domain, and is only accessible through the domain controller processes and protocols. It consists of the Ntds.dit file, a database that contains all of the information of an Active Directory DC as well as the password hashes for domain users.

AD DS Store Data Directory.

When a DC is created, it comes with default groups and two default users (i.e. Administrator and Guest). The users and groups that are inside of an Active Directory are up to the administrator. The four main types of users you’ll find in an Active Directory network include:

  • Domain Admins: control the domains and are the only ones with access to the DC.
  • Service Accounts: for the most part never used except for service maintenance. They are required by Windows for services such as SQL, so that a service can be paired with a service account.
  • Local Administrators: can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
  • Domain Users: these are your everyday users.

Active Directory groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. There are two overarching types of Active Directory groups:

  • Security Groups: used to specify permissions for a large number of users.
  • Distribution Groups: used to specify email distribution lists.

How is Active Directory Structured?

The Active Directory structure is comprised of several logical tiers:

  • Organizational Units (OU): organizes objects within a domain. Contains users, groups, computers and other OUs. OUs let you organize objects within a domain, without the extra work and inefficiency of creating additional domains.
  • Domains: used to group and manage objects. A domain creates a management boundary.
  • Trees: a combination of multiple domains.
  • Forests: a collection of one or more trees. A forest creates a security boundary and objects in different forests are not able to interact with each other unless the administrators of each forest create a trust between them.

The following figure illustrates the Active Directory data structure.

Active Directory Structure.

If a user wants to access resources in another domain, a trust relationship will need to be established. Trusts outline the way domains inside a forest communicate and can be extended out to external domains, and even forests in some cases. There are two types of trusts that determine how the domains communicate:

  • Directional: the direction of the trust flows from a trusting domain to a trusted domain. In the example below, a one-way trust means users in Domain A can access resources in Domain B but not vice versa. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A.
  • Transitive: the trust relationship expands beyond just two domains to include other trusted domains. A transitive trust can be used to extend trust relationships with other domains. A non-transitive trust can be used to deny trust relationships with other domains.

Directional Trust Types.

Transitive Trust Types.

Active Directory also uses domain policies, which dictate how the server operates and what rules it will and will not follow. They simply act as a rulebook for Active Directory that a domain admin can modify and alter as they deem necessary.

Active Directory Domain Services & Authentication

Domain services are provided by the DC to the rest of the domain or tree to manage identities, permissions, and access to a network’s resources. Outlined below are the default domain services:

  • Lightweight Directory Access Protocol (LDAP): provides communication between applications and directory services.
  • Certificate Services: allows the domain controller to create, validate, and revoke public key certificates.
  • DNS, LLMNR, NBT-NS: name-resolution services that map hostnames to IP addresses.

There are two main types of authentication in place for Active Directory:

  • Kerberos: the default authentication service for Active Directory. It uses ticket-granting tickets and service tickets to authenticate users and give them access to other resources across the domain.
  • NTLM: the default Windows authentication protocol. It uses an encrypted challenge/response exchange.

Active Directory Structure Example

Using the theory covered above, we can start to think about what an example of an Active Directory setup would look like. Let’s say you have a company called “Techsy”. Like any company, “Techsy” has multiple network resources (i.e. users, groups, computers, printers, applications, file shares, etc.). These network resources can be placed into logical administrative groups called Organizational Units (OU) and administrative tasks can be delegated by assigning permissions to OUs.

Organizational Unit (OU) Example.

We can now group related objects into domains. Typically, domains correspond to departments in a company or geographical locations. For example, “Techsy” might have Finance, Legal, and Sales departments. Since Active Directory domains use DNS naming conventions, you can create subdomains that are considered to be child domains. You should always create the top-level domain (e.g. techsy.com) for your entire network before you create any other domain. Then, you can create subdomains for each department.

Domains Example.

In the domains example above, there will be at least one domain controller (DC), which is a server that’s responsible for the domain. The domains example also represents a tree structure, since all three subdomains (i.e. sales, legal and finance) are derived from a common root domain (i.e. techsy.com). Those domains that make up a tree are related to each other through transitive trusts.

This can be taken a step further, where two trees can be connected to create a forest. For example, suppose “Techsy” acquires “Marketzen”, which already has its own root domain named “marketzen.com”, with a few subdomains of its own. Then, you can create a forest from these two domain trees so the domains can trust each other.

Forest Example.

Active Directory forests also maintain a database called the global catalog. The global catalog is sort of a super-directory that contains information about all of the objects in a forest, regardless of the domain. If a user account can’t be found in the current domain, the global catalog is searched for the account, and it provides a reference to the domain in which the account is defined.

Active Directory Hands-On Lab

To get some hands-on experience, I will be using the TryHackMe room titled “Active Directory Basics”. I started up the browser-based machine in TryHackMe. After a few minutes, my machine is started and I am presented with the Server Manager management console. I can see that the server role AD DS is installed, which means this machine is a DC.

Server Roles.

I can also see that the Active Directory Certificate Services (AD CS) role is installed, which provides customizable services for issuing and managing public key infrastructure (PKI) certificates. The DNS server role is also installed, which AD DS requires when being installed. I can find out more information through the Tools link on the navigation tab.

Server Manager Tools.

If I select “Active Directory Users and Computers”, I can see the list of default OUs that exist when AD DS is installed.

Organizational Units (OU).

In the “Users” default OU for new users and groups, I can get a list of all users on the domain. In the image below, we can see the two default users (i.e. Administrator and Guest) and additional users that were created by the domain admin. You might’ve also spotted that the password for the SQL service user is disclosed in the description.

Domain Users.

I can check the properties for each user and see what groups they have been assigned. For example, the “SQL Service” user account, with the password disclosed in the description, has administrator privileges (not very secure 😬!).

SQL Services User Account Group Membership.

If I select “Active Directory Domains and Trusts”, I can see that the FQDN for the computer is “CONTROLLER.local” and I can also check what trust relationships exist, which in this case is none. This information should also be located under “Active Directory Users and Computers”.

Domain Name and Trust Relationships.

PowerShell

PowerShell can also be used to look at the internal setup of Active Directory. PowerView is a handy PowerShell tool that can be used to enumerate a DC during a penetration test. To use PowerView, we navigate to where the PowerShell script is stored, start a PowerShell session with the execution policy bypassed and import the PowerView module.

Import PowerView Module.

We can now gather the same information as seen earlier but by using PowerShell instead. Listing the domain users, I can see an additional user which was not listed earlier (i.e. “krbtgt”).

Domain users listed by PowerShell.
Domain groups listed by PowerShell.
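As an added example that is not part of the original article, the following PowerShell turns the two findings from the lab (a password stored in an account’s Description, and that same service account sitting in an administrators group) into a repeatable audit check. It uses the built-in ActiveDirectory module (assumed to be installed via RSAT on a domain-joined host) rather than PowerView, so it runs without any third-party tooling; the keyword pattern and group list are my own choices.

```powershell
# Added example (not from the original article): audit for credentials stored in
# plain-text account attributes and for privileged group membership.
# Assumes the ActiveDirectory module (RSAT) is available on a domain-joined host.
Import-Module ActiveDirectory

# Words that suggest a credential has been typed into a plain-text attribute (assumed list).
$credPattern = 'pass(word|wd)?|pwd|cred|secret'

# 1. Accounts whose Description or Info (Notes) attribute matches the pattern.
$leaky = Get-ADUser -Filter * -Properties Description, Info, Enabled |
    Where-Object { ($_.Description + ' ' + $_.Info) -match $credPattern } |
    Select-Object SamAccountName, Enabled, Description

# 2. Users in the built-in high-privilege groups, resolved recursively so nested
#    groups count. Enterprise Admins and Schema Admins exist only in the forest root.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privUsers = foreach ($group in $privGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $group; SamAccountName = $_.SamAccountName } }
}

# 3. Worst case: a stored credential on an account that is also privileged
#    (the "SQL Service" situation seen in the lab). Remediation is to clear the
#    attribute, rotate the password and remove the account from the admin group.
$critical = $leaky | Where-Object { $privUsers.SamAccountName -contains $_.SamAccountName }

Write-Output 'Accounts with credential-like text in Description/Info:'
$leaky | Format-Table -AutoSize
Write-Output 'Privileged group membership (recursive):'
$privUsers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Write-Output 'CRITICAL: stored credential on a privileged account:'
$critical | Format-Table -AutoSize
```

Run it from an account that can read the directory; the same three queries can be scheduled and their output diffed over time to catch new occurrences.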

This is just scratching the surface of what information you can gather using PowerView and it is worth exploring this further on your own time.

Closing Remarks

Hopefully this short article on Active Directory has helped provide a basic overview of what it is and how it works. Active Directory is a massive topic that is worth knowing more about and is used widely by the majority of large companies. Thank you for reading till the end and keep hacking! 😄
