Active Directory Overview
Introduction to Active Directory
Active Directory (AD) is Microsoft's directory service that serves as the backbone of Windows-based enterprise networks. Think of it as the ultimate digital bouncer and filing system combined—it knows everyone who should have access to your network, remembers their preferences, and enforces the rules about what they can and cannot do.
What is Active Directory?
Active Directory is a hierarchical database service that stores information about network objects (users, computers, printers, applications) and provides authentication, authorization, and directory services. It's like a massive, intelligent phone book that not only tells you how to contact someone but also what they're allowed to do and where they're allowed to go.
Core Functions
Identity Management:
Centralized user account creation, modification, and deletion
Password policy enforcement across the entire network
Account lockout and security controls
User profile and preference management
Resource Management:
Computer and device registration and management
Network resource organization and discovery
Application and service registration
Printer and shared resource management
Security Services:
Single Sign-On (SSO) capability
Centralized authentication services
Authorization and access control
Security policy enforcement and compliance
Directory Services:
Hierarchical organization of network objects
Global catalog for cross-domain searches
Schema management for object definitions
Replication services for high availability
Why Organizations Implement Active Directory
Administrative Benefits:
Centralized Management: One console to manage thousands of users and computers
Automated Provisioning: New employees get appropriate access based on their role
Consistent Policies: Security settings apply uniformly across the organization
Reduced Overhead: Fewer help desk calls and manual interventions
Security Advantages:
Unified Authentication: One set of credentials for all network resources
Granular Permissions: Fine-tuned control over who can access what
Audit Trails: Comprehensive logging of user and administrative activities
Policy Enforcement: Automatic application of security configurations
Business Benefits:
Improved Productivity: Users spend less time managing passwords and accessing resources
Compliance Support: Built-in controls help meet regulatory requirements
Scalability: Grows with the organization from dozens to millions of objects
Integration: Works seamlessly with Microsoft and many third-party applications
Active Directory Architecture
Physical Components
The Physical components represent the actual infrastructure and storage mechanisms that make Active Directory work:
Data Store:
The actual database file, NTDS.dit, that contains all Active Directory information
Stored locally on each Domain Controller
Contains the directory database, transaction logs, and checkpoint files
Uses Extensible Storage Engine (ESE) database technology
Domain Controllers:
Windows servers that host writable copies of the Active Directory database
Provide authentication and authorization services
Process directory queries and modifications
Participate in multi-master replication
Run essential services like KDC (Key Distribution Center) for Kerberos
Global Catalog Server:
Special Domain Controllers that maintain a partial replica of all objects in the forest
Enable forest-wide searches and queries
Required for universal group membership resolution
Typically the first Domain Controller in each site becomes a Global Catalog server
Read-Only Domain Controller (RODC):
Domain Controllers with read-only copies of the directory database
Designed for branch offices with limited physical security
Cache frequently accessed user credentials locally
Cannot process directory writes - must forward to writable DCs
Logical Components
The Logical components represent the organizational and structural elements:
Partitions:
Domain Partition: Contains all objects for a specific domain
Configuration Partition: Forest-wide configuration data shared by all DCs
Schema Partition: Defines object classes and attributes for the entire forest
Application Partitions: Custom partitions for specific applications (like DNS zones)
Schema:
The blueprint that defines what objects can exist in Active Directory
Specifies object classes (user, computer, group) and their attributes
Controls data validation and structure
Can be extended to support new object types and attributes
Domains:
Administrative and security boundaries within the forest
Contain users, computers, groups, and other directory objects
Have their own security policies and domain administrators
Minimum unit for authentication and authorization
Domain Trees:
Hierarchical arrangements of domains with contiguous DNS namespaces
Child domains automatically trust their parent domains
Example: company.com → sales.company.com → west.sales.company.com
Share common schema and configuration
Forests:
The ultimate security boundary in Active Directory
Collection of one or more domain trees
All domains in a forest share the same schema and configuration
Represents the scope of administrative control and trust
Sites:
Represent physical network locations with good connectivity
Help optimize replication traffic and authentication
Allow clients to locate nearby Domain Controllers
Control bandwidth usage for replication between locations
Organizational Units (OUs):
Containers within domains for organizing objects logically
Enable delegation of administrative permissions
Primary targets for Group Policy application
Can be nested to create complex organizational hierarchies
How Physical and Logical Components Work Together
The Physical components provide the infrastructure and storage, while the Logical components provide the organizational structure and security boundaries. For example:
Domain Controllers (physical) host the Domain Partitions (logical)
Global Catalog Servers (physical) maintain information about all Domains in the Forest (logical)
Sites (logical) determine which Domain Controllers (physical) clients will use for authentication
The Schema (logical) is stored in the Data Store (physical) on every Domain Controller
This separation allows Active Directory to scale efficiently while maintaining security boundaries and administrative control.
Domain Controllers and FSMO Roles
Domain Controllers (DCs)
Domain Controllers are Windows servers that host a writable copy of the Active Directory database and provide authentication services to the network.
Core Functions:
Authentication Services: Verify user credentials and issue security tokens
Directory Database Storage: Maintain synchronized copies of AD data
Group Policy Distribution: Deliver policy settings to client computers
DNS Services: Provide name resolution for AD-dependent services
Time Synchronization: Maintain consistent time across the network
Types of Domain Controllers:
Read-Write Domain Controllers (RWDC):
Standard DCs that can accept changes to the directory
Process authentication requests and directory modifications
Participate in multi-master replication
Read-Only Domain Controllers (RODC):
Hold read-only copies of the directory database
Cache credentials for local authentication
Designed for branch offices with limited physical security
Don't replicate sensitive data like passwords
FSMO Roles (Flexible Single Master Operations)
While Active Directory uses multi-master replication, certain operations require a single authoritative source to prevent conflicts.
Forest-Wide FSMO Roles (One per Forest):
Schema Master:
Only DC authorized to modify the Active Directory schema
Controls object class and attribute definitions
Changes replicate to all DCs in the forest
Critical for schema extensions and upgrades
Domain Naming Master:
Controls addition and removal of domains from the forest
Ensures unique domain names across the forest
Maintains references to all domains
Required for domain creation/deletion operations
Domain-Wide FSMO Roles (One per Domain):
PDC Emulator:
Handles password changes and account lockouts
Provides time synchronization for the domain
Maintains compatibility with legacy systems
Processes urgent replication events
RID Master:
Allocates relative identifier (RID) pools to other DCs
Ensures unique security identifiers (SIDs) for new objects
Prevents SID duplication across the domain
Critical for object creation operations
Infrastructure Master:
Updates references to objects in other domains
Maintains cross-domain group membership information
Handles phantom object cleanup
Should not be a Global Catalog server (unless all DCs are GCs)
Global Catalog Servers
Global Catalog (GC) servers maintain a searchable catalog of all objects in the forest:
Complete Local Information: Full details for objects in their own domain
Partial Remote Information: Subset of attributes for objects in other domains
Universal Group Memberships: Forest-wide group membership data
Logon Processing: Required for user logon in multi-domain environments
Forests, Domains, and Organizational Units
Forest Design
Single Forest Benefits:
Simplified administration and trust relationships
Automatic trust between all domains
Shared Global Catalog and schema
Unified security boundaries
Multiple Forest Scenarios:
Security Requirements: Different security policies or admin teams
Political Boundaries: Separate business units or acquisitions
Geographic Isolation: Different regulatory requirements
Technical Constraints: Incompatible schema requirements
Domain Design Considerations
Single Domain Model:
Pros: Simplified administration, no trust relationships, easier management
Cons: Single point of failure, potential performance issues, limited delegation
Multiple Domain Model:
Pros: Distributed administration, improved performance, political boundaries
Cons: Complex trust relationships, increased overhead, replication complexity
Domain Design Factors:
Administrative Autonomy: Need for separate admin teams
Security Isolation: Different security requirements
Replication Control: Network bandwidth limitations
Political Requirements: Organizational boundaries
Organizational Unit Strategy
OU Design Models:
Geographic Model:
Company.com
├── North-America
│ ├── USA
│ │ ├── New-York
│ │ └── California
│ └── Canada
│ └── Toronto
└── Europe
├── UK
└── Germany
Functional Model:
Company.com
├── Sales
├── Marketing
├── IT
├── HR
└── Finance
Administrative Model:
Company.com
├── Users
│ ├── Executives
│ ├── Managers
│ └── Employees
├── Computers
│ ├── Workstations
│ ├── Servers
│ └── Laptops
└── Resources
├── Printers
└── Shared-Folders
Hybrid Model:
Company.com
├── Corporate
│ ├── Users
│ ├── Computers
│ └── Groups
└── Divisions
├── Sales
│ ├── Users
│ └── Computers
└── IT
├── Users
└── Computers
Trust Relationships
Trust Fundamentals
Trusts are authentication relationships between domains or forests that allow users in one domain to access resources in another domain.
Trust Direction:
One-Way Trust: Users in trusted domain can access resources in trusting domain
Two-Way Trust: Users in both domains can access resources in the other domain
Trust Transitivity:
Transitive: Trust relationships extend through a chain of trust
Non-Transitive: Trust relationships do not extend beyond direct participants
Trust Types
Automatic Trusts:
Parent-Child Trust:
Created automatically when a child domain is added
Two-way transitive trust
Enables seamless resource access within domain tree
Tree-Root Trust:
Created automatically between forest root and tree root domains
Two-way transitive trust
Enables forest-wide resource access
Manual Trusts:
External Trust:
One-way or two-way non-transitive trust
Between domains in different forests
Used for specific resource sharing scenarios
Forest Trust:
Two-way transitive trust between entire forests
Enables authentication and authorization across forests
Requires forest functional level compatibility
Realm Trust:
Trust with non-Windows Kerberos realms
Enables authentication with UNIX/Linux systems
Can be one-way or two-way
Shortcut Trust:
Improves authentication performance
Creates direct trust path between domains
Reduces authentication referral chain
Trust Security Considerations
SID Filtering:
Prevents SID history injection attacks
Enabled by default on external trusts
Blocks dangerous SIDs from trusted domains
Selective Authentication:
Requires explicit permission for cross-forest access
Users must be granted "Allowed to Authenticate" permission
Provides additional security layer for forest trusts
Authentication Policies:
Control how authentication occurs across trusts
Can restrict authentication methods and locations
Part of advanced threat protection strategies
Active Directory Objects
User Objects
User accounts represent people who need access to network resources.
User Account Types:
Regular User Accounts:
Standard employee accounts for daily work
Limited privileges by default
Subject to password policies and restrictions
Administrative Accounts:
Elevated privileges for system management
Should be separate from regular user accounts
Require enhanced security measures
Service Accounts:
Used by applications and services for authentication
Often have "logon as a service" rights
May have elevated privileges for specific functions
System Accounts:
Built-in accounts like SYSTEM and LOCAL SERVICE
Used by Windows components and services
Cannot be deleted or significantly modified
Key User Attributes:
sAMAccountName: Pre-Windows 2000 logon name
userPrincipalName: Modern logon name (email format)
distinguishedName: Complete LDAP path to the object
objectSID: Unique security identifier
memberOf: Groups the user belongs to
lastLogon: Last successful authentication time
Computer Objects
Computer accounts represent domain-joined machines and enable them to participate in domain authentication and receive Group Policy.
Computer Account Functions:
Machine Authentication: Computers authenticate to domain using machine account
Secure Channel: Maintains encrypted communication with domain controllers
Group Policy Reception: Computers receive and apply computer policies
Resource Access: Machine accounts can access domain resources
Computer Account Security:
Passwords change automatically every 30 days
Computer accounts can be members of security groups
Local administrators on a computer can extract the computer account's credentials
Group Objects
Groups enable efficient permission management by allowing assignment of permissions to collections of users.
Group Types:
Security Groups:
Used for permission assignment and access control
Can contain users, computers, and other groups
Appear in access control lists (ACLs)
Distribution Groups:
Used for email distribution lists
No security functions
Cannot be assigned permissions
Group Scopes:
Domain Local Groups:
Membership: Can contain principals from any domain in the forest
Usage: Can only be assigned permissions within the local domain
Purpose: Assign permissions to domain resources
Global Groups:
Membership: Can only contain principals from the same domain
Usage: Can be assigned permissions anywhere in the forest
Purpose: Organize users by role or department
Universal Groups:
Membership: Can contain principals from any domain in the forest
Usage: Can be assigned permissions anywhere in the forest
Purpose: Cross-domain group membership (requires Global Catalog)
Built-in Administrative Groups:
Domain Admins:
Complete administrative control over the domain
Members automatically added to local Administrators group on all domain computers
Highest level of domain privileges
Enterprise Admins:
Forest-wide administrative privileges
Can modify forest-level configuration
Only exists in forest root domain
Schema Admins:
Can modify Active Directory schema
Extremely powerful permissions
Should have minimal membership
Service Principal Names (SPNs)
SPNs uniquely identify service instances for Kerberos authentication:
Format: service/hostname:port
Examples: HTTP/webserver.company.com, MSSQLSvc/dbserver.company.com:1433
Required for Kerberos authentication to services
Can be automatically or manually registered
Authentication and Authorization
Kerberos Authentication
Kerberos is the primary authentication protocol in Active Directory, providing secure, efficient authentication without transmitting passwords over the network.
Kerberos Components:
Key Distribution Center (KDC): Authentication service running on domain controllers
Authentication Server (AS): Issues ticket-granting tickets (TGTs)
Ticket Granting Server (TGS): Issues service tickets
Principal: Any entity that can be authenticated (user, computer, service)
Kerberos Authentication Process:
Step 1: Initial Authentication (AS Exchange)
Client sends authentication request to KDC
KDC verifies credentials and returns TGT encrypted with user's password hash
Client decrypts TGT using password hash, proving identity
Step 2: Service Request (TGS Exchange)
Client requests service ticket from TGS, presenting TGT
TGS validates TGT and returns service ticket encrypted with service's password hash
Service ticket contains session key for client-service communication
Step 3: Service Authentication (AP Exchange)
Client presents service ticket to target service
Service decrypts ticket and validates client identity
Optional mutual authentication proves service identity to client
Kerberos Security Features:
Password Protection: Passwords never transmitted over network
Mutual Authentication: Both parties can verify each other's identity
Time-Limited Access: Tickets have expiration times
Replay Protection: Timestamps prevent reuse of intercepted tickets
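The three exchanges above, worked through as a self-contained Python simulation. This is an added example, not code from the page: a toy keyed cipher (SHA-256 keystream plus HMAC) stands in for Kerberos encryption, PBKDF2 for string-to-key, and the realm, user and service are constructed. The TGT is sealed with the KDC's krbtgt key so the client can carry it but not read it, the session key travels under the user's key, and the service keeps a replay cache keyed on the authenticator timestamp.

```python
import hashlib, hmac, json, os, time
TICKET_LIFETIME = 600  # seconds, for the simulation (AD's default TGT lifetime is 10 hours)
MAX_SKEW = 300         # Kerberos tolerates 5 minutes of clock skew by default

def derive_key(password: str, salt: str) -> bytes:
    # Long-term key from the password; PBKDF2 stands in for the real string-to-key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Toy encrypt-then-MAC: without `key` a party can neither read nor forge the blob
    nonce, pt = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, ticket: dict) -> None:
    # The authenticator must name the ticket's principal and be fresh; the ticket must be unexpired
    expired = time.time() > ticket["exp"]
    if expired or auth["user"] != ticket["user"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("principal mismatch, stale authenticator or expired ticket")

class KDC:
    # Authentication Server and Ticket Granting Server of one (simulated) domain
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}  # KDC's copies of all long-term keys
    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, self.realm + principal)

    def as_exchange(self, user: str, pa_data: bytes) -> tuple:
        # Step 1: pre-authentication proves knowledge of the user's key without sending the password;
        # the TGT is sealed with the krbtgt key (opaque to the client), the session key with the user's key
        if abs(time.time() - unseal(self.keys[user], pa_data)["ts"]) > MAX_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        # Step 2: only the KDC can open the TGT; the service ticket is sealed with the service's key
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(unseal(bytes.fromhex(t["sk"]), authenticator), t)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": svc_sk, "exp": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "service": service})

class Service:
    # A Kerberized service (think of an SPN such as HTTP/web01) holding its own long-term key
    def __init__(self, name: str, kdc: KDC):
        self.name, self.key, self.seen = name, kdc.keys[name], set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        # Step 3: open the ticket with our own key, verify the authenticator, reject replays via a cache
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        check_authenticator(auth, t)
        if (auth["user"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["user"], auth["ts"]))
        return t["user"]

class Client:
    def __init__(self, user: str, password: str, kdc: KDC):
        self.user, self.kdc = user, kdc
        self.key = derive_key(password, kdc.realm + user)  # the password itself never leaves the client

    def login(self) -> None:
        self.tgt, enc = self.kdc.as_exchange(self.user, seal(self.key, {"ts": time.time()}))
        self.tgt_sk = bytes.fromhex(unseal(self.key, enc)["sk"])

    def get_ticket(self, service: str) -> tuple:
        auth = seal(self.tgt_sk, {"user": self.user, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, service)
        return ticket, bytes.fromhex(unseal(self.tgt_sk, enc)["sk"])

def demo() -> dict:
    kdc = KDC("CORP.EXAMPLE")  # constructed realm, user and service
    kdc.register("alice", "correct horse battery staple")
    kdc.register("HTTP/web01", "service-account-password")
    web, alice = Service("HTTP/web01", kdc), Client("alice", "correct horse battery staple", kdc)
    alice.login()
    ticket, sk = alice.get_ticket(web.name)
    auth = seal(sk, {"user": "alice", "ts": time.time()})
    out = {"access": web.ap_exchange(ticket, auth)}
    for label, action in (("bad_password", lambda: Client("alice", "wrong", kdc).login()),
                          ("replay", lambda: web.ap_exchange(ticket, auth))):
        try:
            action()
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    return out  # {'access': 'alice', 'bad_password': 'rejected', 'replay': 'rejected'}
```

A wrong password fails at the AS exchange because the pre-authentication blob cannot be opened with the KDC's copy of the user's key, and the second presentation of the same authenticator is caught by the service's replay cache.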
NTLM Authentication
NTLM is a legacy authentication protocol still used in certain scenarios:
NTLM Usage Scenarios:
Authentication to servers using IP addresses instead of hostnames
Authentication across firewalls that block Kerberos ports
Legacy applications that don't support Kerberos
Local authentication on standalone systems
NTLM Authentication Process:
Client sends username to server
Server sends challenge (random string) to client
Client encrypts challenge with password hash and sends response
Server validates response with domain controller
NTLM Security Limitations:
No mutual authentication (servers don't prove their identity)
Vulnerable to pass-the-hash attacks
Susceptible to relay attacks
Weaker encryption than Kerberos
Authorization Model
Access Tokens: When users successfully authenticate, Windows creates an access token containing:
User SID and group SIDs
Privileges assigned to the user
Default DACL for objects created by the user
Session information
Access Control Lists (ACLs): Every securable object has an ACL containing:
Discretionary Access Control List (DACL): Permissions granted or denied
System Access Control List (SACL): Auditing settings
Access Control Entries (ACEs): Individual entries in ACLs specifying:
Security principal (user, group, computer)
Access rights (read, write, full control, etc.)
Access type (allow or deny)
Inheritance flags
Authorization Process:
User attempts to access resource
System compares user's access token against resource's DACL
System evaluates ACEs in order to determine access
First matching "deny" ACE blocks access
Matching "allow" ACEs grant access
Group Policy
Group Policy Architecture
Group Policy provides centralized management and configuration of users and computers in an Active Directory environment.
Group Policy Components:
Group Policy Objects (GPOs):
Containers holding configuration settings
Stored in Active Directory and SYSVOL
Can be linked to sites, domains, or OUs
Group Policy Management Console (GPMC):
Administrative tool for managing Group Policy
Provides centralized view of all GPOs
Enables modeling and reporting
Group Policy Client:
Service running on client computers
Downloads and applies Group Policy settings
Processes policies during startup, logon, and refresh cycles
Group Policy Processing
Processing Order (LSDOU):
Local GPO: Policies stored locally on the computer
Site GPOs: Policies linked to Active Directory sites
Domain GPOs: Policies linked to the domain
OU GPOs: Policies linked to organizational units (closest to object wins)
Processing Rules:
Last Writer Wins: Later policies override earlier ones for conflicting settings
No Override (Enforced): Higher-level policies can be marked as enforced
Block Inheritance: Lower-level containers can block inheritance
Security Filtering: GPOs can be filtered to specific security groups
Processing Events:
Computer Startup: Computer policies process during boot
User Logon: User policies process during logon
Background Refresh: Policies refresh periodically (default: 90 minutes ± 30 minutes)
Manual Refresh: Administrators can force immediate refresh
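The LSDOU order together with the Enforced and Block Inheritance rules, worked as a resultant-set calculation. This is an added Python example, not from the page; the GPO names, containers and settings are constructed, and the list order of links inside one container is assumed to be processing order (the link with the lowest link order last).

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict           # setting name -> value
    enforced: bool = False   # Enforced ("No Override") link: survives blocking and wins below

@dataclass
class Container:
    name: str                                   # the site, domain or OU the GPOs are linked to
    gpos: list = field(default_factory=list)    # linked GPOs in processing order
    block_inheritance: bool = False

def processing_order(local: GPO, chain: list) -> list:
    """chain runs top-down: [site, domain, parent OU, ..., the object's own OU] (S, D, OU of LSDOU)."""
    # Pass 1: Local GPO first, then ordinary (non-enforced) links walking down the chain.
    # Block Inheritance on a container discards every ordinary link gathered above it; the
    # Local GPO is not an AD link, so it is kept.
    ordinary = [local]
    for container in chain:
        if container.block_inheritance:
            ordinary = [local]
        ordinary.extend(g for g in container.gpos if not g.enforced)
    # Pass 2: Enforced links ignore Block Inheritance and are applied after everything else,
    # lowest container first, so the highest-level enforced GPO is the last writer and wins.
    enforced = [g for container in chain for g in container.gpos if g.enforced]
    return ordinary + enforced[::-1]

def resultant_set(local: GPO, chain: list) -> dict:
    """Last writer wins: returns setting -> (value, name of the GPO that supplied it)."""
    rsop = {}
    for gpo in processing_order(local, chain):
        for key, value in gpo.settings.items():
            rsop[key] = (value, gpo.name)
    return rsop

# Constructed example hierarchy (not from the page)
LOCAL = GPO("Local GPO", {"ScreenSaverTimeout": 600})
HQ_SITE = Container("Site: HQ", [GPO("HQ-Baseline", {"ScreenSaverTimeout": 900})])
DOMAIN = Container("Domain: corp.example", [
    GPO("Domain-Security", {"ScreenSaverTimeout": 300, "AuditLogon": "Success,Failure"}, enforced=True),
    GPO("Domain-Desktop", {"Wallpaper": "corp.jpg"}),
])
WORKSTATIONS = Container("OU=Workstations",
                         [GPO("WS-Standard", {"ScreenSaverTimeout": 1200, "Wallpaper": "ws.jpg"})])
LAB = Container("OU=Lab", [GPO("Lab-Relaxed", {"ScreenSaverTimeout": 3600, "Wallpaper": "lab.jpg"})],
                block_inheritance=True)

if __name__ == "__main__":
    for name, chain in (("Workstations", [HQ_SITE, DOMAIN, WORKSTATIONS]),
                        ("Lab", [HQ_SITE, DOMAIN, WORKSTATIONS, LAB])):
        print(name, [g.name for g in processing_order(LOCAL, chain)])
        for key, (value, winner) in sorted(resultant_set(LOCAL, chain).items()):
            print(f"  {key} = {value}  (from {winner})")
```

For the Lab OU the block removes HQ-Baseline, Domain-Desktop and WS-Standard, yet the enforced Domain-Security GPO still sets the screen saver timeout to 300 over Lab-Relaxed's 3600.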
Group Policy Categories
Computer Configuration:
Security Settings (password policies, user rights, audit policies)
Software Installation (deploy and manage applications)
Administrative Templates (registry-based settings)
Scripts (startup and shutdown scripts)
Folder Redirection (redirect special folders to network locations)
User Configuration:
Software Installation (user-specific applications)
Administrative Templates (user interface and application settings)
Scripts (logon and logoff scripts)
Security Settings (restricted groups, system services)
Folder Redirection (redirect user folders to network shares)
Advanced Group Policy Features
Preferences:
Configure settings without enforcing them
Users can change settings if needed
More flexible than traditional Group Policy settings
Item-Level Targeting:
Apply preferences based on specific criteria
Criteria include: OS version, IP address range, group membership, registry values
Central Store:
Centralized location for Administrative Template files
Ensures consistent policy definitions across domain controllers
Located in SYSVOL at \\domain\SYSVOL\domain\Policies\PolicyDefinitions
DNS Integration
Active Directory DNS Requirements
Active Directory has a tight integration with DNS, as it relies on DNS for service location and name resolution.
DNS Functions for Active Directory:
Service Location: Clients find domain controllers through DNS SRV records
Name Resolution: Convert computer names to IP addresses for communication
Site Awareness: Help clients locate services in their local site
Replication: Domain controllers use DNS to find replication partners
AD-Integrated DNS Zones:
Multi-Master Updates: Any domain controller can update DNS records
Secure Dynamic Updates: Only authenticated computers can register records
Active Directory Replication: DNS changes replicate with Active Directory data
Zone Storage: DNS zone data stored in Active Directory database
Critical DNS Records for Active Directory
Service (SRV) Records:
_ldap._tcp.dc._msdcs.domain.com: Domain controller location
_kerberos._tcp.dc._msdcs.domain.com: Kerberos authentication services
_gc._tcp.domain.com: Global Catalog server location
_ldap._tcp.pdc._msdcs.domain.com: PDC Emulator location
Host (A) Records:
Domain controller IP addresses
Member server and workstation IP addresses
Service-specific host records
Alias (CNAME) Records:
Service aliases (mail.company.com → exchange.company.com)
Load balancing aliases
Application-specific aliases
DNS Security Considerations
Secure Dynamic Updates:
Only authenticated computers can register DNS records
Prevents unauthorized DNS record creation
Reduces DNS poisoning risks
DNS Scavenging:
Removes stale DNS records automatically
Prevents accumulation of obsolete entries
Maintains DNS database accuracy
Forwarders and Root Hints:
Configure DNS forwarders for external name resolution
Maintain root hints for Internet DNS resolution
Implement conditional forwarders for specific domains
Replication and Sites
Active Directory Replication
Replication ensures all domain controllers maintain synchronized copies of the Active Directory database.
Replication Types:
Intra-Site Replication:
Fast, uncompressed replication within a site
Uses RPC (Remote Procedure Call) over IP
Occurs automatically every 15 seconds for urgent changes
Change notification triggers immediate replication
Inter-Site Replication:
Slower, compressed replication between sites
Uses configurable schedules and intervals
Can use IP or SMTP transport protocols
Optimized for WAN connections
Global Catalog Replication:
Replicates partial attribute set from all domains
Enables forest-wide searches
Critical for user logon in multi-domain environments
Replication Topology
Connection Objects:
Define replication paths between domain controllers
Created automatically by Knowledge Consistency Checker (KCC)
Can be manually created for specific requirements
Bridgehead Servers:
Domain controllers responsible for inter-site replication
Automatically selected by KCC
Can be manually designated for specific sites
Replication Partners:
Domain controllers that replicate directly with each other
Form replication topology within and between sites
Maintain up-to-date vectors to track replication state
Site Management
Sites and Subnets:
Sites represent locations with fast, reliable connections
Subnets define IP address ranges associated with sites
Clients automatically discover their site based on IP address
Site Links:
Define connections between sites for replication
Include cost values to influence replication paths
Specify replication schedules and intervals
Site Link Bridges:
Enable transitive replication between sites
All site links are bridged by default
Can be disabled for manual replication control
Security Framework
Security Principals and Identifiers
Security Principals:
Users, groups, computers, and services that can be authenticated
Each principal has a unique Security Identifier (SID)
SIDs never change, even if objects are renamed or moved
SID Structure:
Format: S-R-I-S-S-S-RID
Example: S-1-5-21-1234567890-1234567890-1234567890-1001
Components: Revision, Authority, Domain Identifier, Relative Identifier (RID)
Well-Known SIDs:
Everyone: S-1-1-0
Authenticated Users: S-1-5-11
Domain Admins: S-1-5-21-{domain}-512
Enterprise Admins: S-1-5-21-{domain}-519
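A parser for the S-R-I-S-S-S-RID layout above, added here as a Python example (not from the page). It splits a textual SID into its components, recovers the domain SID from a domain account SID, and names the well-known values the page lists; the extra RIDs in the table (500, 502, 513, 518) are documented Windows constants included for illustration.

```python
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs from the section above
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
# RIDs that are identical in every domain (512 and 519 are on the page; the rest are
# documented Windows constants added for illustration)
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_RIDS = {500, 512, 518, 519}

def parse_sid(sid: str) -> dict:
    """Split S-R-I-S-S-S-RID into revision, identifier authority, sub-authorities and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a textual SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).lstrip("-").split("-")]
    info = {"sid": sid, "revision": revision, "authority": authority,
            "subauthorities": subs, "rid": subs[-1], "kind": "other", "name": None}
    if sid in WELL_KNOWN_SIDS:
        info["kind"], info["name"] = "well-known", WELL_KNOWN_SIDS[sid]
    elif authority == 5 and subs[0] == 21 and len(subs) == 5:
        # S-1-5-21-<three domain sub-authorities>-<RID>: a principal in an AD domain
        info["kind"] = "domain"
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(x) for x in subs[1:4])
        # RIDs below 1000 are reserved for built-in principals; the RID Master hands out
        # pools starting at 1000 for everything created afterwards
        if subs[-1] < 1000:
            info["name"] = WELL_KNOWN_RIDS.get(subs[-1], "built-in (RID < 1000)")
    return info

def is_privileged(sid: str) -> bool:
    """True for the built-in high-privilege domain principals identified by their fixed RID."""
    info = parse_sid(sid)
    return info["kind"] == "domain" and info["rid"] in PRIVILEGED_RIDS

def same_domain(a: str, b: str) -> bool:
    """Two domain SIDs share the domain identifier portion (everything before the RID)."""
    pa, pb = parse_sid(a), parse_sid(b)
    return pa.get("domain_sid") is not None and pa.get("domain_sid") == pb.get("domain_sid")

if __name__ == "__main__":
    # Example values constructed from the page's sample SID
    for s in ("S-1-5-21-1234567890-1234567890-1234567890-1001",
              "S-1-5-21-1234567890-1234567890-1234567890-512", "S-1-1-0"):
        print(parse_sid(s))
```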
Access Control Model
Discretionary Access Control:
Resource owners control access to their objects
Permissions granted through Access Control Lists (ACLs)
Flexible but can lead to permission sprawl
Access Control Lists (ACLs):
Discretionary Access Control List (DACL):
Contains Access Control Entries (ACEs) that grant or deny permissions
Processed in order until access decision is made
Empty DACL denies all access
System Access Control List (SACL):
Contains ACEs that specify auditing requirements
Defines what access attempts should be logged
Requires "Manage auditing and security log" privilege
Access Control Entries (ACEs):
Access Allowed ACE: Grants specific permissions
Access Denied ACE: Explicitly denies permissions
System Audit ACE: Specifies auditing requirements
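The DACL walk described in the Authorization Process steps earlier and in the ACL and ACE definitions above, as an added Python example (not code from the page). It evaluates ACEs in stored order, denies on the first matching deny, accumulates allowed rights until everything requested is granted, and distinguishes the empty DACL (denies all) from a missing one; the SIDs, token and access mask values are constructed.

```python
from dataclasses import dataclass

# Generic access rights for this example (a small subset of the Windows access mask)
READ, WRITE, DELETE, WRITE_DAC = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | DELETE | WRITE_DAC

@dataclass(frozen=True)
class ACE:
    ace_type: str        # "allow" or "deny"
    trustee: str         # SID of the user, group or computer the entry applies to
    mask: int            # access rights the entry grants or denies
    inherited: bool = False

@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

def canonical_order(aces: list) -> list:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
    Windows tools write ACLs this way, which is why an explicit deny beats an inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.ace_type != "deny"))

def check_access(token: AccessToken, dacl, requested: int) -> tuple:
    """Walk the DACL in stored order and return (granted?, reason).
    The decision is made at the first ACE that settles it."""
    if dacl is None:                      # no DACL at all: the object is unprotected
        return True, "object has no DACL (NULL DACL): everyone gets full access"
    if len(dacl) == 0:                    # present but empty DACL: nothing is granted
        return False, "empty DACL denies all access"
    principals = {token.user_sid} | token.group_sids
    granted = 0
    for i, ace in enumerate(dacl):
        if ace.trustee not in principals:
            continue                      # ACE is for a principal not in the token
        if ace.ace_type == "deny" and ace.mask & requested:
            return False, f"ACE #{i} denies {ace.trustee} rights {ace.mask & requested:#x}"
        if ace.ace_type == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True, f"all requested rights granted by ACE #{i}"
    return False, "end of DACL reached with rights still outstanding"

# Constructed SIDs, token and DACL for the walkthrough (not from the page)
JDOE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"
FINANCE = "S-1-5-21-1111111111-2222222222-3333333333-1201"
TOKEN = AccessToken(JDOE, frozenset({DOMAIN_USERS, FINANCE}))
DACL = canonical_order([
    ACE("allow", DOMAIN_USERS, READ | WRITE, inherited=True),   # inherited from the parent
    ACE("deny", FINANCE, WRITE),                                # explicit deny on this object
    ACE("allow", JDOE, DELETE),
])

if __name__ == "__main__":
    for rights, label in ((READ, "READ"), (WRITE, "WRITE"), (READ | DELETE, "READ|DELETE"),
                          (FULL_CONTROL, "FULL_CONTROL")):
        print(label, check_access(TOKEN, DACL, rights))
    print("empty DACL:", check_access(TOKEN, [], READ))
```

jdoe can read (granted by the inherited Domain Users entry) and delete, but any request that includes WRITE is stopped by the explicit deny on the Finance group even though the inherited allow would have granted it.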
Delegation of Control
Benefits of Delegation:
Implements principle of least privilege
Reduces administrative overhead
Distributes administrative responsibilities
Improves security by limiting scope of administrative accounts
Delegation Scenarios:
Help desk password reset permissions
Department-specific user management
Computer account management for technicians
Group membership management for managers
Delegation Best Practices:
Create custom OUs for delegated administration
Use role-based security groups for delegation
Regularly audit delegated permissions
Document delegation assignments
Administrative Tools
Native Administrative Tools
Active Directory Administrative Center (ADAC):
Modern PowerShell-based interface
Advanced search and filtering capabilities
Recycle Bin management
Fine-grained password policies
Active Directory Users and Computers (ADUC):
Traditional MMC-based tool
User, group, and computer management
Attribute editing and advanced features
Most commonly used AD administration tool
Active Directory Sites and Services (ADSS):
Site, subnet, and replication management
Connection object configuration
Site link and site link bridge management
NTDS Settings and server configuration
Active Directory Domains and Trusts (ADDT):
Domain functional level management
Trust relationship creation and management
UPN suffix configuration
Forest-wide operations
Group Policy Management Console (GPMC):
Comprehensive Group Policy management
GPO creation, editing, and linking
Group Policy modeling and reporting
Starter GPO management
PowerShell for Active Directory
Active Directory PowerShell Module:
# Import the module
Import-Module ActiveDirectory
# Common cmdlets
Get-ADUser -Filter * -Properties *
Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter * -Properties *
Get-ADDomain
Get-ADForest
User Management Examples:
# Create new user
New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@company.com" -Path "OU=Users,DC=company,DC=com"
# Modify user properties
Set-ADUser -Identity "jdoe" -Department "IT" -Title "System Administrator"
# Add user to group
Add-ADGroupMember -Identity "IT-Admins" -Members "jdoe"
# Reset user password
Set-ADAccountPassword -Identity "jdoe" -Reset
Bulk Operations:
# Import users from CSV
$users = Import-Csv "users.csv"
foreach ($user in $users) {
New-ADUser -Name $user.Name -SamAccountName $user.Username -UserPrincipalName "$($user.Username)@company.com"
}
# Disable inactive users
$date = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $date -and Enabled -eq $true} | Disable-ADAccount
Third-Party Tools
Quest Active Roles:
Advanced delegation and workflow capabilities
Web-based administration interface
Automated provisioning and deprovisioning
Compliance and reporting features
ManageEngine ADManager Plus:
Web-based Active Directory management
Bulk operations and CSV import/export
Workflow automation
Reporting and auditing capabilities
Security Best Practices
Administrative Security
Tiered Administration Model:
Tier 0: Domain controllers, forest-level services
Tier 1: Servers and enterprise applications
Tier 2: Workstations and standard user systems
Administrative Account Security:
Use separate accounts for administrative tasks
Implement privileged access workstations (PAWs)
Enable multi-factor authentication for admin accounts
Regular password rotation for service accounts
Principle of Least Privilege:
Grant minimum necessary permissions
Use time-limited administrative access
Implement just-in-time (JIT) access where possible
Regular access reviews and cleanup
Domain Controller Security
Physical Security:
Secure physical access to domain controllers
Use hardware security modules (HSMs) where appropriate
Implement secure boot and measured boot
Regular hardware security assessments
Network Security:
Implement network segmentation for domain controllers
Use IPSec for domain controller communication
Restrict network access to essential services only
Monitor network traffic to and from domain controllers
System Security:
Keep domain controllers updated with security patches
Implement application whitelisting
Use Windows Defender or third-party antimalware
Regular security configuration reviews
Password and Authentication Security
Password Policies:
Implement strong password complexity requirements
Use appropriate password length (minimum 12 characters)
Enforce password history to prevent reuse
Set appropriate maximum password age
Account Lockout Policies:
Configure account lockout threshold (5-10 failed attempts)
Set appropriate lockout duration (15-30 minutes)
Reset lockout counter after appropriate interval
Balance security with usability
Kerberos Security:
Regularly rotate KRBTGT account password
Monitor for unusual Kerberos ticket requests
Implement Kerberos encryption upgrades (AES)
Use service account password management
Monitoring and Auditing
Essential Audit Categories:
Account logon events
Account management events
Directory service access
Logon events
Object access
Policy changes
Privilege use
System events
Log Management:
Centralize log collection with SIEM
Implement log retention policies
Monitor for security-relevant events
Regular log analysis and alerting
Security Monitoring:
Implement real-time alerting for critical events
Monitor for indicators of compromise
Track administrative account usage
Analyze authentication patterns
Common Attack Vectors and Defense
Password-Based Attacks
Password Spraying:
Attack: Trying common passwords against many accounts
Defense: Account lockout policies, monitoring for authentication patterns
Detection: Multiple failed logons across many accounts
Credential Stuffing:
Attack: Using breached passwords from other systems
Defense: Unique password policies, breach monitoring
Detection: Impossible travel scenarios, unusual access patterns
Brute Force Attacks:
Attack: Systematic password guessing against specific accounts
Defense: Strong password policies, account lockout
Detection: High volume of failed authentication attempts
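The detection signature described above (many accounts failing from one source, as opposed to one account failing many times) can be applied to Security log data. This is an added example, not code from the original page; the account and time thresholds are assumed, and the sample events are constructed so the logic can be exercised offline.

```powershell
# Pull 4625 (failed logon) events from the Security log and flatten the EventData fields needed here
function Get-FailedLogonEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $data['TargetUserName']; IpAddress = $data['IpAddress'] }
        }
}

# A spray is one source failing against many distinct accounts inside a short window;
# brute force is the opposite shape (many failures against one account)
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinAccounts = 10,      # assumed threshold: distinct accounts from one source
        [int]$WindowMinutes = 30     # assumed window
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object TimeCreated)
        $accounts = @($sorted.TargetUserName | Select-Object -Unique)
        $span     = ($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalMinutes
        if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Source = $_.Name; Accounts = $accounts.Count; Failures = $sorted.Count; Minutes = [int]$span }
        }
    }
}

# Constructed sample: 12 different accounts failing from 10.0.0.5 within four minutes,
# plus one unrelated failure from another host that must not be flagged
$now = Get-Date
$sample = @(1..12 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $now.AddSeconds(-20 * $_); TargetUserName = "user$_"; IpAddress = '10.0.0.5' }
})
$sample += [pscustomobject]@{ TimeCreated = $now; TargetUserName = 'alice'; IpAddress = '10.0.0.9' }
Find-PasswordSpray -Events $sample | Format-Table -AutoSize

# Against the live log on a domain controller: Find-PasswordSpray -Events (Get-FailedLogonEvents -Hours 1)
```

Sprays that rotate source addresses will not group on IpAddress; correlating on the same window across all sources (distinct accounts per window regardless of source) catches that variant.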
Kerberos Attacks
Kerberoasting:
Attack: Requesting service tickets to crack service account passwords offline
Defense: Strong service account passwords, managed service accounts
Detection: Unusual TGS-REQ patterns, service ticket requests for non-existent services
AS-REP Roasting:
Attack: Targeting accounts without Kerberos pre-authentication
Defense: Enable pre-authentication for all accounts
Detection: AS-REQ requests without pre-authentication
Golden Ticket:
Attack: Forging Kerberos tickets using compromised KRBTGT hash
Defense: Regular KRBTGT password rotation, monitoring
Detection: TGT anomalies, impossible ticket lifetimes, unusual privilege assignments
Silver Ticket:
Attack: Forging service tickets using compromised service account hashes
Defense: Strong service account passwords, managed service accounts
Detection: Service ticket anomalies, access to services without TGT
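The Kerberoasting, AS-REP roasting and Golden Ticket defenses listed above, together with the KRBTGT rotation and AES upgrade advice under Kerberos Security, can be audited from the directory itself. This added example (not from the original page) assumes the ActiveDirectory module; the password-age threshold is an assumed value.

```powershell
Import-Module ActiveDirectory

# Kerberoasting exposure: enabled user accounts carrying an SPN (gMSA and computer accounts are
# not returned by Get-ADUser). Flag those still accepting RC4, with old passwords, or holding admin rights.
function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
               -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256; unset means RC4 is accepted
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Account         = $_.SamAccountName
                SPNCount        = @($_.ServicePrincipalName).Count
                PasswordAgeDays = $(if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 })
                AESOnly         = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
                Privileged      = ($_.AdminCount -eq 1)
            }
        } |
        Where-Object { -not $_.AESOnly -or $_.PasswordAgeDays -gt $MaxPasswordAgeDays -or $_.PasswordAgeDays -lt 0 -or $_.Privileged }
}

# AS-REP roasting exposure: enabled accounts with Kerberos pre-authentication disabled.
# Remediation per account: Set-ADAccountControl -Identity <sam> -DoesNotRequirePreAuth $false
function Get-AsRepRoastExposure {
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' -Properties DoesNotRequirePreAuth |
        Select-Object SamAccountName, DistinguishedName
}

# Golden Ticket hygiene: age of the KRBTGT password. Rotate it twice, waiting for replication
# between the two changes, so that tickets signed with the old key stop validating.
function Get-KrbtgtPasswordAge {
    $k = Get-ADUser krbtgt -Properties PasswordLastSet
    [pscustomobject]@{ PasswordLastSet = $k.PasswordLastSet; AgeDays = [int]((Get-Date) - $k.PasswordLastSet).TotalDays }
}

Get-KerberoastExposure | Format-Table -AutoSize
Get-AsRepRoastExposure | Format-Table -AutoSize
Get-KrbtgtPasswordAge
```

Accounts reported by the first function are candidates for conversion to a gMSA, which addresses both the password strength and the encryption-type findings.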
Pass-the-Hash and Credential Theft
Pass-the-Hash (PtH):
Attack: Using NTLM hashes to authenticate without knowing passwords
Defense: Disable NTLM where possible, implement Credential Guard
Detection: NTLM authentication from unusual sources
Pass-the-Ticket (PtT):
Attack: Using stolen Kerberos tickets for authentication
Defense: Short ticket lifetimes, endpoint protection
Detection: Unusual ticket usage patterns, tickets from unexpected sources
Credential Dumping:
Attack: Extracting credentials from memory or registry
Defense: Credential Guard, Protected Process Light, endpoint protection
Detection: Memory access patterns, unusual LSASS process activity
Privilege Escalation
DCSync Attack:
Attack: Impersonating domain controller to request password data
Defense: Restrict "Replicating Directory Changes" permissions
Detection: Unusual replication requests, non-DC sources requesting sensitive data
DCShadow Attack:
Attack: Temporarily registering rogue domain controller
Defense: Monitor domain controller registration, network segmentation
Detection: Unexpected domain controller registration, unusual replication topology
AdminSDHolder Abuse:
Attack: Modifying AdminSDHolder to gain persistent permissions
Defense: Monitor AdminSDHolder modifications, regular permission audits
Detection: Unexpected AdminSDHolder changes, unusual high-privilege account permissions
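The DCSync defense above, restricting the "Replicating Directory Changes" rights, can be verified by reading the domain partition's ACL. This is an added example, not from the original page; it assumes the ActiveDirectory module, and the list of expected holders is an assumed baseline (the default ACEs plus SYSTEM) that should be extended with any reviewed synchronization accounts.

```powershell
Import-Module ActiveDirectory

# Control-access right GUIDs for directory replication (well-known schema values)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'      # the one that returns password data
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumed baseline of principals that legitimately hold these rights on the domain partition
$ExpectedHolders = @('Administrators', 'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS',
                     'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS', 'SYSTEM')

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $guid       = $ace.ObjectType.ToString().ToLower()
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $ReplicationRights.ContainsKey($guid)) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            [pscustomobject]@{
                Principal  = $ace.IdentityReference.Value
                Right      = $ReplicationRights[$guid]
                Inherited  = $ace.IsInherited
                Unexpected = ($name -notin $ExpectedHolders)
            }
        }
    }
}

# Anything marked Unexpected can request password data the way a domain controller does and needs review.
# Note: ACEs granting GenericAll (ObjectType all zeros) also include these rights and are not listed here.
Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```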
Lateral Movement
SMB Relay:
Attack: Relaying SMB authentication to gain access to other systems
Defense: SMB signing, disable NTLM where possible
Detection: Unusual SMB connection patterns, authentication anomalies
WMI/PowerShell Remoting:
Attack: Using legitimate tools for malicious remote access
Defense: Constrained delegation, application whitelisting
Detection: Unusual remote command execution, PowerShell usage patterns
Service Account Abuse:
Attack: Compromising service accounts with broad network access
Defense: Principle of least privilege, managed service accounts
Detection: Service account usage from unexpected locations
Persistence Mechanisms
Skeleton Key:
Attack: Patching LSASS to accept master password
Defense: System integrity monitoring, endpoint protection
Detection: LSASS process modifications, unusual authentication patterns
Directory Services Restore Mode (DSRM):
Attack: Using DSRM credentials for persistence
Defense: Regular DSRM password changes, monitoring
Detection: DSRM account usage, unusual local logons on domain controllers
Group Policy Modification:
Attack: Modifying GPOs to deploy malicious code
Defense: GPO change monitoring, delegation restrictions
Detection: Unexpected GPO modifications, unusual policy deployments
Security Support Provider (SSP):
Attack: Installing malicious SSP to capture credentials
Defense: System integrity monitoring, application whitelisting
Detection: New SSP registration, unusual authentication provider activity
Monitoring and Troubleshooting
Key Performance Indicators
Authentication Metrics:
Authentication success/failure rates
Authentication response times
Peak authentication loads
Geographic distribution of authentication
Replication Health:
Replication latency between sites
Replication failures and errors
Replication backlog sizes
Connection object status
Directory Performance:
LDAP query response times
Directory search performance
Global Catalog query performance
Database size and growth trends
Essential Event IDs
Authentication Events:
4624: Successful logon
4625: Failed logon
4634: User logoff
4647: User initiated logoff
4648: Logon using explicit credentials
Account Management Events:
4720: User account created
4722: User account enabled
4723: User password change attempt
4724: User password reset attempt
4725: User account disabled
4726: User account deleted
Group Management Events:
4727: Security-enabled global group created
4728: Member added to security-enabled global group
4729: Member removed from security-enabled global group
4730: Security-enabled global group deleted
Directory Service Events:
4662: Operation performed on an object
5136: Directory service object modified
5137: Directory service object created
5138: Directory service object undeleted
5139: Directory service object moved
Troubleshooting Tools
Built-in Tools:
DCDiag (Domain Controller Diagnostic):
dcdiag /v
dcdiag /test:dns /v
dcdiag /test:replications
RepAdmin (Replication Administrator):
repadmin /showrepl
repadmin /syncall
repadmin /replsummary
NLTest (NetLogon Test):
nltest /dsgetdc:domain.com
nltest /query
nltest /trusted_domains
Advanced Troubleshooting:
Event Viewer Analysis:
System Log: Hardware and system-level issues
Security Log: Authentication and authorization events
Directory Service Log: AD-specific operational events
DNS Server Log: DNS-related issues
Performance Monitor:
NTDS performance counters
Kerberos authentication counters
LDAP performance counters
Network utilization metrics
Network Trace Analysis:
Kerberos authentication flows
LDAP query performance
Replication traffic patterns
DNS resolution issues
Common Issues and Solutions
Authentication Problems:
Time Synchronization Issues:
Symptoms: Kerberos authentication failures, event ID 4625
Diagnosis: Check time difference between client and domain controller
Solution: Configure NTP properly, ensure PDC Emulator syncs with external time source
DNS Resolution Problems:
Symptoms: Cannot locate domain controllers, slow authentication
Diagnosis: Test DNS resolution for SRV records
Solution: Verify DNS configuration, check DNS server availability
Trust Relationship Issues:
Symptoms: Cross-domain authentication failures
Diagnosis: Test trust relationship with nltest
Solution: Reset trust relationship, verify network connectivity
Replication Problems:
Replication Failures:
Symptoms: Inconsistent directory data, authentication issues
Diagnosis: Check replication status with repadmin
Solution: Force replication, check network connectivity, verify permissions
Bridgehead Server Issues:
Symptoms: Inter-site replication failures
Diagnosis: Check bridgehead server status and connectivity
Solution: Verify bridgehead server configuration, check site link settings
USN Rollback:
Symptoms: Replication errors, inconsistent data
Diagnosis: Check for USN rollback events
Solution: Demote and re-promote affected domain controller
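The replication, USN rollback and time synchronization diagnoses above can be scripted. This added example (not from the original page) runs on a domain controller with the ActiveDirectory module installed and relies on the CSV output of repadmin /showrepl, the NTDS events 2095/2103 that mark a USN rollback, and w32tm for the offset to the PDC Emulator.

```powershell
Import-Module ActiveDirectory

# Parse the CSV form of repadmin /showrepl into objects and keep only partners that report failures
function Get-ReplicationFailures {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures',
                      'Last Failure Time', 'Last Failure Status'
}

# USN rollback leaves two marks on the affected DC: NTDS events 2095/2103 in the Directory Service log
# and the "DSA Not Writable" registry value set to 4, which pauses replication until the DC is rebuilt
function Test-UsnRollback {
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                             -MaxEvents 5 -ErrorAction SilentlyContinue)
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                            -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RollbackEvents    = $events.Count
        ReplicationPaused = ($null -ne $reg) -and ($reg.'DSA Not Writable' -eq 4)
        LastEvent         = $(if ($events.Count) { $events[0].TimeCreated } else { $null })
    }
}

# Kerberos tolerates 5 minutes of skew by default; measure this host's offset against the PDC Emulator.
# w32tm prints a line such as "12:00:00, +00.0012345s"; the regex extracts the signed offset.
function Get-PdcTimeOffset {
    $pdc  = (Get-ADDomain).PDCEmulator
    $line = (w32tm /stripchart /computer:$pdc /samples:1 /dataonly) | Select-Object -Last 1
    if ($line -match '([+-]\d+\.\d+)s') {
        $offset = [double]$Matches[1]
        [pscustomobject]@{ Pdc = $pdc; OffsetSeconds = $offset; WithinKerberosSkew = ([math]::Abs($offset) -lt 300) }
    }
}

$failures = Get-ReplicationFailures
if ($failures) { $failures | Format-Table -AutoSize } else { 'repadmin reports no replication failures' }
Test-UsnRollback
Get-PdcTimeOffset
```

A DC that ReplicationPaused reports as true has already stopped replicating on its own; the remedy is the demote and re-promote described above, not a forced sync.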
Performance Issues:
Slow Authentication:
Symptoms: Long logon times, timeout errors
Diagnosis: Check domain controller performance, network latency
Solution: Add domain controllers, optimize network, check DNS
Large Groups:
Symptoms: Token bloat, slow authentication
Diagnosis: Check group membership counts, token size
Solution: Reduce group memberships, implement group nesting strategies
Database Issues:
Symptoms: High disk usage, slow queries
Diagnosis: Check database size, fragmentation
Solution: Database maintenance, consider additional domain controllers
Backup and Recovery
System State Backup:
Includes Active Directory database (NTDS.dit)
Registry settings and SYSVOL
Certificate Services database (if applicable)
Cluster service information
Backup Strategies:
Full System Backup: Complete server backup including OS and AD
System State Only: Just the AD-related components
Automated Backups: Scheduled backups with retention policies
Recovery Scenarios:
Authoritative Restore:
Restores objects and increments version numbers
Use when objects are accidentally deleted
Requires stopping AD services during restore
Non-Authoritative Restore:
Restores domain controller to previous state
Replication updates the restored DC
Use for hardware failures or corruption
Forest Recovery:
Complete forest rebuild from backup
Last resort for catastrophic failures
Requires careful planning and execution
Advanced Topics
Fine-Grained Password Policies
Password Settings Objects (PSOs):
Apply different password policies to specific users or groups
Override default domain password policy
Useful for administrative accounts requiring stronger passwords
PSO Configuration:
# Requires the ActiveDirectory module (RSAT) and rights to create PSOs in the Password Settings Container
Import-Module ActiveDirectory
# Create new PSO. -Precedence is a mandatory parameter: when several PSOs apply to one user, the lowest value wins (10 is an example value)
New-ADFineGrainedPasswordPolicy -Name "AdminPolicy" -Precedence 10 -MinPasswordLength 15 -PasswordHistoryCount 24 -MaxPasswordAge 30.00:00:00
# Apply PSO to group (PSOs apply only to users and global security groups, not to OUs)
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPolicy" -Subjects "Domain Admins"
Managed Service Accounts
Group Managed Service Accounts (gMSA):
Automatic password management
Multi-server service account support
Integrated with Kerberos authentication
gMSA Implementation:
Import-Module ActiveDirectory
# Create the KDS root key (once per forest). Backdating it by 10 hours makes it usable at once, which suits a lab;
# in production use -EffectiveImmediately and wait 10 hours so every domain controller has replicated the key
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
# Create gMSA; only members of the "WebServers" computer group may retrieve its password
New-ADServiceAccount -Name "WebServiceAccount" -DNSHostName "webservice.company.com" -PrincipalsAllowedToRetrieveManagedPassword "WebServers"
# Install gMSA on each server in that group (run locally on the server; the password is never handled by an administrator)
Install-ADServiceAccount -Identity "WebServiceAccount"
Active Directory Federation Services (ADFS)
ADFS Components:
Federation Server: Issues and validates security tokens
Federation Server Proxy: Provides external access to federation services
Claims Provider: Authenticates users and creates claims
Relying Party: Consumes tokens and grants access
ADFS Benefits:
Single sign-on across organizational boundaries
Support for web-based applications
Integration with cloud services
Reduced password fatigue for users
Active Directory Certificate Services (ADCS)
ADCS Components:
Certification Authority (CA): Issues and manages digital certificates
Certificate Templates: Define certificate properties and usage
Certificate Revocation Lists (CRLs): Track revoked certificates
Online Certificate Status Protocol (OCSP): Real-time certificate validation
ADCS Security Considerations:
CA hierarchy design and security
Certificate template permissions
Key archival and recovery procedures
Regular CRL updates and distribution
Active Directory Lightweight Directory Services (AD LDS)
AD LDS Use Cases:
Application-specific directory services
Development and testing environments
Directory-enabled applications requiring custom schema
Perimeter network directory services
AD LDS Benefits:
Multiple instances on single server
Custom schema extensions
Independent of domain membership
Reduced attack surface