Active Directory (AD) is a directory service for Windows network environments. It is a distributed, hierarchical structure that allows for centralized management of an organization’s resources (objects), including users, computers, groups, network devices, file shares, group policies, and trusts.

A directory service is a central database plus an access system that stores information about network objects, allows that data to be searched and queried, and controls authentication and authorization.

It makes information easy to find and use for administrators and users. AD is highly scalable, supports millions of objects per domain, and allows the creation of additional domains as an organization grows.

AD Structure (Hierarchy)

Active Directory is arranged in a hierarchical tree structure:

FOREST: company.local
│
├── TREE: company.local
│   │
│   ├── DOMAIN: company.local
│   │   │
│   │   ├── OU: HR
│   │   │   ├── Users
│   │   │   ├── Computers
│   │   │   └── Groups
│   │   │
│   │   ├── OU: IT
│   │   │   ├── Users
│   │   │   ├── Computers
│   │   │   └── Groups
│   │   │
│   │   ├── OU: Finance
│   │   │   ├── Users
│   │   │   ├── Computers 
│   │   │   └── Groups
│   │   │
│   │   ├── Domain Controllers (DC1.company.local, DC2.company.local)
│   │   │
│   │   └── Group Policy Objects (GPO)
│   │
│   ├── CHILD DOMAIN: hr.company.local
│   │   └── (Same structure as domain)
│   │
│   └── CHILD DOMAIN: it.company.local
│       └── (Same structure as domain)
│
└── TREE: othercompany.local
    │
    └── DOMAIN: othercompany.local
        └── (Same structure again)

Forest (top level)

A forest is the highest-level container in Active Directory. It contains one or more trees/domains. It defines the security boundary. All domains inside a forest trust each other (by default).


Tree

A tree is a group of domains that share a common namespace. Example:

company.com
hr.company.com
it.company.com

These form a tree because they share the same root name, company.com.


Domain

A logical group of objects such as computers, users, OUs, groups, etc. Domains can operate entirely independently of one another or be connected via trust relationships.


Domain Controller (DC)

A server that runs AD services. Stores the AD database. Handles login requests. Enforces policies.


Organizational Units (OUs)

Containers used to organize objects, like:

  • HR OU
  • IT OU
  • Finance OU

Not a security principal


Foreign Security Principals (FSP)

Represents users/groups from another domain/forest

Appears when trusts exist

Stores SID of external object


Attributes

Every object has an associated set of attributes to define the given object. A computer object contains attributes such as the hostname and DNS name.


Leaf

Leaf objects do not contain other objects and are found at the end of the subtree hierarchy.


Security Principals

Objects that can be granted permissions on other objects or resources. Everything that can have access in the domain is a security principal.


Objects

ANY resource stored in AD, such as OUs, printers, users, DCs, etc.


Users

Security principal, has: SID + GUID

Cannot contain other objects (leaf object)

Most common attack target. Even low-priv users are an entry point for enumeration.


Contacts

Represent external people (vendors, clients)

NOT a security principal

  • Has only GUID (no SID)

Cannot log in; just informational.


Computers

Machines joined to domain. Security principal, has: SID + GUID

Computers can authenticate like users. Compromising a machine = often full domain enumeration


Printers

Represents a network printer. NOT a security principal


Shared Folders

Represent shared resources on systems. NOT a security principal


Groups

Container object (can contain users, computers, other groups)

Security principal, has SID

Used to assign permissions


Security Identifier (SID)

A unique identifier for a security principal or security group. Every account, group, or process has its own unique SID, which, in an AD environment, is issued by the domain controller and stored in a secure database.

A SID can only be used once. Even if the security principal is deleted, it can never be used again in that environment.

When a user logs in, the system creates an access token for them which contains the user’s SID, and the SIDs for any groups that the user is a member of. This token is used to check rights whenever the user performs an action on the computer.

SID Structure

A SID looks like this:

S-1-5-32-544
  • S indicates it’s a SID
  • 1 revision level
  • 5 identifier authority (NT authority)
  • 32 domain or local group indicator
  • 544 RID (Relative Identifier), unique within that authority

The RID at the end is what defines the specific group or user.


Well-Known SIDs

Well-Known SIDs are predefined security identifiers that exist on all Windows systems, regardless of the domain or computer.

Here’s a handy table of important ones:

SID | Name | Type | Description / Usage
S-1-0-0 | Null SID | Special | Represents no user. Used to indicate “no security context.”
S-1-1-0 | Everyone | Group | Includes all users. Often used in ACLs for “allow all” permissions.
S-1-5-32-544 | Administrators | Built-in group | Local machine admin group. Membership gives full control of the machine.
S-1-5-32-545 | Users | Built-in group | Standard user group on a machine. Basic privileges.
S-1-5-32-546 | Guests | Built-in group | Guest account group. Limited access.
S-1-5-32-547 | Power Users | Built-in group | Elevated privileges without full admin rights (legacy).
S-1-5-32-548 | Account Operators | Built-in group | Can manage accounts locally.
S-1-5-32-549 | Server Operators | Built-in group | Can manage servers locally.
S-1-5-32-550 | Print Operators | Built-in group | Manage printers.
S-1-5-32-551 | Backup Operators | Built-in group | Can back up and restore files regardless of ACLs.
S-1-5-domain-500 | Administrator | User account | Built-in admin user. Full local privileges; unique per domain/machine.
S-1-5-domain-501 | Guest | User account | Built-in guest user. Disabled by default.
S-1-5-domain-512 | Domain Admins | Group | Domain-wide administrators group. Grants full AD control.
S-1-5-domain-513 | Domain Users | Group | Default group for all domain users.
S-1-5-domain-514 | Domain Guests | Group | Default group for domain guest accounts.
S-1-5-domain-515 | Domain Computers | Group | Default group for all domain-joined computers.
S-1-5-domain-516 | Domain Controllers | Group | All domain controllers are members.
S-1-5-18 | Local SYSTEM | User account | Highest privilege account on the local machine. Runs most services.
S-1-5-19 | Local Service | User account | Minimal privileges; used by Windows services.
S-1-5-20 | Network Service | User account | Minimal local privileges; uses machine credentials on network.
S-1-5-32-554 | Enterprise Admins | Group | Full control across entire forest (AD).
S-1-5-32-555 | Schema Admins | Group | Can modify AD schema. Rarely used.
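The SID layout described above and the well-known table can be checked mechanically. The following is an added example, not code from the original notes: it parses the textual S-1-5-... form, decodes the binary form in which LDAP returns the objectSid attribute (a layout this section does not show: revision byte, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities), and labels SIDs using a subset of the well-known entries from the table. The domain SID values in the demonstration are constructed.

```python
"""Parse Windows security identifiers (SIDs) in string and binary form."""
import struct
from typing import NamedTuple, Optional, Tuple

# Fixed well-known SIDs, copied from the table above (subset).
WELL_KNOWN_FIXED = {
    "S-1-0-0": "Null SID",
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local SYSTEM",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Domain-relative entries: the RID is appended to the domain's own SID.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
    516: "Domain Controllers",
}


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]  # the RID is the last entry

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.sub_authorities)])

    @property
    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self) -> Optional[str]:
        # Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>; a principal's SID
        # is that prefix followed by its RID.
        s = self.sub_authorities
        if self.authority == 5 and len(s) == 5 and s[0] == 21:
            return "S-1-5-21-" + "-".join(map(str, s[1:4]))
        return None


def parse_sid(text: str) -> Sid:
    """Parse the textual S-1-5-... form; raises ValueError on bad input."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    # Revision is always 1 today; the binary format allows at most 15
    # sub-authorities, each a 32-bit value.
    if revision != 1 or len(subs) > 15 or any(v > 0xFFFFFFFF for v in subs):
        raise ValueError(f"unsupported SID layout: {text!r}")
    return Sid(revision, authority, subs)


def is_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def sid_from_bytes(data: bytes) -> Sid:
    """Decode binary objectSid: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian uint32
    sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return Sid(revision, authority, tuple(subs))


def sid_to_bytes(sid: Sid) -> bytes:
    """Inverse of sid_from_bytes."""
    count = len(sid.sub_authorities)
    return (bytes([sid.revision, count]) + sid.authority.to_bytes(6, "big")
            + struct.pack("<%dI" % count, *sid.sub_authorities))


def describe(text: str) -> str:
    """Name a SID using the well-known table, resolving domain RIDs."""
    sid = parse_sid(text)
    name = WELL_KNOWN_FIXED.get(str(sid))
    if name is None and sid.domain_sid and sid.rid in WELL_KNOWN_DOMAIN_RIDS:
        name = f"{WELL_KNOWN_DOMAIN_RIDS[sid.rid]} (domain {sid.domain_sid})"
    return name or "no well-known match"


if __name__ == "__main__":
    # Constructed sample values.
    for s in ("S-1-5-32-544", "S-1-5-21-1004336348-1177238915-682003330-512"):
        print(s, "->", describe(s))
    print(sid_from_bytes(bytes.fromhex("01020000000000052000000020020000")))
```

Splitting the domain SID from the RID is what makes the domain-relative rows of the table usable: RID 512 only means Domain Admins when the prefix is a real S-1-5-21 domain SID, and the same RID under a different prefix belongs to a different domain.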

Distinguished Name (DN)

The full path to an object in AD, showing exactly where it lives in the directory hierarchy. Example DN:

cn=bjones,ou=IT,ou=Employees,dc=inlanefreight,dc=local
Part | Meaning
cn=bjones | Common Name: the actual object (user, group, etc.)
ou=IT | Organizational Unit: IT department
ou=Employees | Organizational Unit: all employees
dc=inlanefreight | Domain Component: first part of domain name
dc=local | Domain Component: second part of domain name (full domain = inlanefreight.local)

Relative Distinguished Name (RDN)

The single piece of a DN that uniquely identifies an object at its level. In our example:

cn=bjones     // this is the RDN

Two objects cannot have the same RDN under the same parent container (two bjones in the same OU is not allowed).

But two objects in different OUs can have the same RDN because their full DN is different:

cn=bjones,ou=IT,dc=inlanefreight,dc=local
cn=bjones,ou=Dev,dc=inlanefreight,dc=local

Both are valid and unique in AD because their Distinguished Names are different, even though the RDN bjones is the same.
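The DN/RDN rules above are easy to get wrong in scripts that split on commas, because a comma inside a value (a display name like "Jones, Bob") is escaped with a backslash rather than separating RDNs. The following is an added example, not code from the original notes: it splits a DN into its RDNs using the RFC 4514 escape rules, extracts the leaf RDN, the parent container and the DNS domain from the dc= components, and shows that the two bjones objects above are different objects because their full DNs differ. Multi-valued RDNs joined with "+" are not handled; the sample DNs are the ones from the text.

```python
"""Split LDAP distinguished names into RDNs and compare objects by full DN."""
from typing import List, Tuple

_HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> List[str]:
    """Split on unescaped commas; returns raw RDN strings, leaf first."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # the character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(current).strip())
    if any(not r for r in rdns):
        raise ValueError(f"empty RDN in {dn!r}")
    return rdns


def unescape(value: str) -> str:
    """Resolve \\c and \\XX escapes (ASCII hex pairs only)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """'cn=bjones' -> ('cn', 'bjones'); attribute names are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), unescape(value.strip())


def rdn(dn: str) -> str:
    """The leaf RDN, e.g. 'cn=bjones'."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The container the object lives in."""
    return ",".join(split_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """Join the dc= components into the DNS domain name."""
    return ".".join(v for a, v in map(parse_rdn, split_dn(dn)) if a == "dc")


def same_object(dn_a: str, dn_b: str) -> bool:
    """Two DNs name the same object only if every RDN matches. Values are
    compared case-insensitively, which is how AD treats most attributes."""
    def norm(dn: str):
        return [(a, v.lower()) for a, v in map(parse_rdn, split_dn(dn))]
    return norm(dn_a) == norm(dn_b)


if __name__ == "__main__":
    dn = "cn=bjones,ou=IT,ou=Employees,dc=inlanefreight,dc=local"
    print(rdn(dn), "|", parent_dn(dn), "|", domain_from_dn(dn))
    print(same_object("cn=bjones,ou=IT,dc=inlanefreight,dc=local",
                      "cn=bjones,ou=Dev,dc=inlanefreight,dc=local"))
```

When matching objects from two sources (an export and a log line, say), compare full DNs with same_object rather than the RDN or the cn value alone; the RDN is only unique within its parent container.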


GUID (Globally Unique Identifier)

A 128-bit value (basically a very long random number) assigned to every object in AD.

Stored in the objectGUID attribute of the object. Example format (typical GUID):

3f2504e0-4f89-11d3-9a0c-0305e82c3301
  1. Globally Unique: No two objects in AD will ever share the same GUID.

  2. Immutable: Once assigned, the GUID never changes, even if you rename the object, move it to a different OU, or change its attributes.

  3. Identification: Searching by GUID ensures you are getting exactly the object you want, avoiding mistakes with duplicate names.

When mapping AD, using a GUID ensures you are querying the exact object, even if multiple objects have the same name.

PowerShell, LDAP, or APIs can retrieve an object directly by its objectGUID:

Get-ADUser -Identity <ObjectGUID>

sAMAccountName

The legacy login name for a user or computer in AD.

  1. Must be unique within the domain
  2. Maximum 20 characters (legacy limitation from older Windows versions)
  3. Used for pre-Windows 2000 logon compatibility

You can log in using this name on older systems or in environments that require backward compatibility.


userPrincipalName (UPN)

A modern logon name that looks like an email address.

<username>@<domain>
bjones@inlanefreight.local
  1. Not mandatory, AD allows accounts without a UPN
  2. Can be used to log in on modern systems and web-based services
  3. Usually matches the user’s email address but doesn’t have to

Useful for single sign-on (SSO), Office 365, Azure AD, and modern authentication


SPN (Service Principal Name)

A unique name that identifies a service in Active Directory.

When a client wants to access a service, it does not authenticate directly to the service account. Instead:

  • Kerberos uses the SPN to work out which account is running the service, then issues a ticket for that account.

FSMO (Flexible Single Master Operations) roles

Special responsibilities assigned to one or more DCs in an AD environment to ensure consistency and avoid conflicts. Without FSMO roles, multiple DCs could fight over changes (last writer wins), potentially breaking AD.

FSMO roles assign master responsibilities to specific DCs to handle certain operations.

The Five FSMO Roles

There are 5 roles, divided between forest-wide and domain-wide roles:

Forest-wide Roles

Role | Responsibility | Notes
Schema Master | Controls changes to the AD schema (structure/attributes) | Only 1 per forest
Domain Naming Master | Controls adding/removing domains in the forest | Only 1 per forest

These roles are critical across the whole forest, not just a single domain.


Domain-wide Roles

Role | Responsibility | Notes
Relative ID (RID) Master | Allocates blocks of RIDs to DCs for creating new security principals (users, groups, computers). The RID Master helps ensure that multiple objects are not assigned the same SID. | One per domain
PDC Emulator | Acts as a legacy Primary Domain Controller; handles time sync, password changes, and some group policy operations | One per domain
Infrastructure Master | Maintains group-to-user references when groups span multiple domains | One per domain; should NOT be on a DC that is also a Global Catalog in multi-domain forests

How They Are Assigned

First DC in forest root domain gets all 5 roles. New domains added later get only the 3 domain-wide roles (RID, PDC Emulator, Infrastructure Master)

Roles can be transferred to other DCs if needed for maintenance or load balancing.


Global Catalog (GC)

A special type of Domain Controller. It stores:

  1. Full copy of all objects in its own domain
  2. Partial attributes of objects from other domains in the forest

This allows users and applications to find information about any object in the forest, even across domains.

When a user logs in, the GC helps create the access token with all the user’s group memberships, even groups in other domains. Ensures users get the correct permissions.

Without a GC, you could only search objects in your own domain. GC makes the forest transparent, so you can search using just one attribute (like bjones) to find users, computers, or groups anywhere.

How It Differs from a Standard Domain Controller

Feature | Standard DC | Global Catalog DC
Copies of domain objects | Full copy of its own domain | Full copy of its own domain + partial copies of all other domains
Can authenticate users | Yes (only in its domain) | Yes (all domains in forest)
Object search across forest | No | Yes

Read-Only Domain Controller (RODC)

A Domain Controller with a read-only copy of the Active Directory database. It cannot make changes to AD. Any changes must be made on a writable DC.


Replication

The process of copying and synchronizing AD objects from one DC to another. Ensures consistency across all DCs in a domain or forest.

Types of Replication

Intra-site replication

  • Between DCs in the same physical site

Inter-site replication

  • Between DCs in different physical locations

Tombstone

When an object is deleted in AD and the AD Recycle Bin is NOT enabled, it is moved to a tombstone state for a period of time known as the Tombstone Lifetime, and the isDeleted attribute is set to TRUE.

Tombstoned objects cannot be fully restored after lifetime expires.

Attackers generally ignore tombstones because the object’s attributes are stripped.


AD Recycle Bin

Preserves deleted objects fully so they can be restored with all attributes intact. Lifetime configurable (default ~60 days).


SYSVOL

System folder used to store files that need to be shared consistently among all domain controllers (DCs) in a domain.

SYSVOL uses replication to ensure consistency across DCs:

  • FRS (File Replication Service) legacy method (used in Windows Server 2003 and early 2008).
  • DFS-R (Distributed File System Replication) modern method (recommended from Windows Server 2008 onward). It’s more efficient and reliable than FRS.

AdminSDHolder

Template object controlling ACLs for privileged accounts (Domain Admins, Enterprise Admins).

SDProp process runs hourly, applies the ACL from AdminSDHolder to all protected accounts.

Accounts with adminCount=1 are privileged accounts.

Modifying ACLs on these accounts is rolled back automatically by SDProp.


dsHeuristics

Forest-wide configuration string. Can exclude groups from AdminSDHolder protection. Rarely modified.


adminCount

Attribute on user accounts indicating SDProp protection.

  • 1 = protected (privileged)
  • 0 or unset = not protected

ADUC (Active Directory Users and Computers)

GUI console to manage users, computers, groups, and OUs. Changes made here can also be scripted via PowerShell.


ADSI Edit

Advanced editor for AD objects. Can modify any attribute.

Used by attackers to escalate privileges or modify sensitive attributes.


sIDHistory

Stores previous SIDs assigned to a user (used in migrations). Helps maintain access when migrating domains.

Attackers can use old SIDs to gain privileged access if SID filtering isn’t enabled.


MSBROWSE

Legacy protocol used to browse network resources in early Windows LANs. Mostly obsolete now.

Modern networks use SMB/CIFS instead.


Group Policy Object (GPO)


AD Database

NTDS.DIT stands for New Technology Directory Services, Directory Information Tree. It is the primary database file for Microsoft Active Directory Domain Services (AD DS) and acts as the central repository for all directory data in a Windows domain environment.

It is stored at C:\Windows\NTDS\NTDS.DIT and holds all user, group, and computer objects, including password hashes.


LDAP (Lightweight Directory Access Protocol)

AD uses LDAP for queries.

LDAP Names

Each attribute has a standard LDAP name that is used when querying the directory, such as:

Attribute in AD (UI) | LDAP Name | Meaning
Full Name | displayName | User’s full name
First Name | givenName | User’s first name
Last Name | sn | User’s surname
Email Address | mail | User email
Job Title | title | User job title
Department | department | Department name
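Building LDAP queries from these attribute names is where most scripts go wrong: a value pasted from a search box or CSV can contain characters that are special in filter syntax. The following is an added example, not code from the original notes, serving both this table and the adminCount section above. It maps UI labels to LDAP names, escapes filter values per RFC 4515 so "(", ")" and "*" are matched literally, and builds the standard adminCount=1 query for listing SDProp-protected accounts. Filters are returned as strings; sending them to a directory is left to whichever LDAP client you use.

```python
"""Build LDAP search filters with the attribute names from the table above."""
from typing import Dict, Iterable, List

# UI label -> LDAP attribute name (from the table above).
LDAP_NAMES: Dict[str, str] = {
    "Full Name": "displayName",
    "First Name": "givenName",
    "Last Name": "sn",
    "Email Address": "mail",
    "Job Title": "title",
    "Department": "department",
}

# RFC 4515 escape sequences for characters that are special in a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def filter_by_label(label: str, value: str) -> str:
    """Look up an object by the UI label, e.g. ("Full Name", "Bob Jones")."""
    if label not in LDAP_NAMES:
        raise KeyError(f"no LDAP name known for {label!r}")
    return equality_filter(LDAP_NAMES[label], value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter for a user object by its pre-Windows 2000 logon name."""
    return and_filter("(objectCategory=person)", "(objectClass=user)",
                      equality_filter("sAMAccountName", sam_account_name))


def protected_accounts_filter() -> str:
    """Users SDProp has marked with adminCount=1. The flag is not cleared
    when an account is removed from a protected group, so review results for
    stale entries rather than treating adminCount=1 as proof of privilege."""
    return and_filter("(objectClass=user)", "(adminCount=1)")


def attributes_for(labels: Iterable[str]) -> List[str]:
    """Translate UI labels into the attribute list to request."""
    return [LDAP_NAMES[label] for label in labels]


if __name__ == "__main__":
    # Constructed sample values.
    print(filter_by_label("Full Name", "Bob Jones (IT)"))
    print(user_lookup_filter("bjones"), attributes_for(["Full Name", "Email Address"]))
    print(protected_accounts_filter())
```

A display name such as "Bob Jones (IT)" becomes "Bob Jones \28IT\29" in the filter, so the parentheses stay part of the value instead of closing the clause.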

DNS

AD relies heavily on DNS.


Trusts

A trust is used to establish forest-forest or domain-domain authentication, allowing users to access resources in (or administer) another domain outside of the domain their account resides in. A trust creates a link between the authentication systems of two domains.

There are several trust types:

Trust Type | Description
Parent-child | Domains within the same forest. The child domain has a two-way transitive trust with the parent domain.
Cross-link | A trust between child domains to speed up authentication.
External | A non-transitive trust between two separate domains in different forests. Uses SID filtering.
Tree-root | A two-way transitive trust between a forest root domain and a new tree root domain. Created automatically when adding a new tree.
Forest | A transitive trust between two forest root domains.

Two-Way Trust

Both domains trust each other. Users from both sides can access each other’s resources (if allowed).

One-Way Trust

Only one side trusts the other.

Example:

Users in B can access A
Users in A CANNOT access B
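Direction and transitivity together decide who can reach what, and auditing that by hand across several domains is error-prone. The following is an added example, not code from the original notes: a trust is recorded from the trusting domain (the one holding resources) to the trusted domain (the one holding the accounts), so the one-way case above, where users in B can access A but not the reverse, is Trust("A", "B"); two-way trusts are two entries. Parent-child, tree-root and forest trusts are transitive and can be chained; an external trust is not, so it never extends beyond the two domains that hold it. The sample trusts are constructed to match the hierarchy diagram at the top of these notes plus one invented partner domain, partner.example.

```python
"""Answer "can users from domain X reach resources in domain Y?" from trusts."""
from collections import deque
from typing import Dict, List, NamedTuple, Set


class Trust(NamedTuple):
    trusting: str     # domain whose resources become reachable
    trusted: str      # domain whose users are accepted
    transitive: bool


def two_way(a: str, b: str, transitive: bool = True) -> List[Trust]:
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def _by_trusting(trusts: List[Trust]) -> Dict[str, List[Trust]]:
    index: Dict[str, List[Trust]] = {}
    for t in trusts:
        index.setdefault(t.trusting, []).append(t)
    return index


def domains_allowed_into(trusts: List[Trust], resource_domain: str) -> Set[str]:
    """Every domain whose users can authenticate to resource_domain.

    Walk trusting -> trusted edges outward from the resource domain. The
    first hop may be any trust; later hops may only follow transitive ones,
    and a non-transitive first hop is a dead end.
    """
    index = _by_trusting(trusts)
    allowed: Set[str] = {resource_domain}
    queue = deque()
    for t in index.get(resource_domain, []):
        allowed.add(t.trusted)
        if t.transitive:
            queue.append(t.trusted)
    seen = {resource_domain} | set(queue)
    while queue:
        d = queue.popleft()
        for t in index.get(d, []):
            if not t.transitive:
                continue
            allowed.add(t.trusted)
            if t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    return allowed


def can_access(trusts: List[Trust], user_domain: str, resource_domain: str) -> bool:
    return user_domain in domains_allowed_into(trusts, resource_domain)


# Constructed sample: the forest from the diagram plus an external partner.
SAMPLE_TRUSTS: List[Trust] = (
    two_way("company.local", "hr.company.local")        # parent-child
    + two_way("company.local", "it.company.local")      # parent-child
    + two_way("company.local", "othercompany.local")    # tree-root
    + [Trust("it.company.local", "partner.example", transitive=False)]  # one-way external
)


if __name__ == "__main__":
    for resource in ("company.local", "it.company.local", "partner.example"):
        print(resource, "<-", sorted(domains_allowed_into(SAMPLE_TRUSTS, resource)))
```

Running domains_allowed_into for each of your own domains gives the list of domains whose accounts your DCs will accept, which is the set to review when deciding where SID filtering and selective authentication should apply.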