Introduction
Active Directory (AD) is Microsoft's directory service for Windows domain networks. It acts as a centralized database for users, groups, computers, printers, policies, and other network resources. Active Directory securely manages user identities, authenticates users, and authorizes access to resources across a network.
Without Active Directory, system administrators would need to manually manage user accounts, permissions, and configurations on each individual computer. With Active Directory, administration becomes centralized. Administrators can create users, organize them into groups, assign permissions to groups, enforce security policies, manage devices, and control access to network resources from a single location.
Architecture Overview
Many people think that using Active Directory Domain Services (AD DS) means you can only work within the Windows ecosystem. This is not true at all. Linux systems, macOS devices, printers, NAS devices, and many enterprise applications can integrate with Active Directory.
To understand this properly, we need to understand the major technologies and protocols that make up Active Directory.
You can think of Active Directory as an interconnection of several important components and protocols:
- Kerberos: authentication protocol
- LDAP: directory access and querying protocol
- DNS: service discovery and domain location
- Extensible Storage Engine (ESE): database engine
- Group Policy: centralized configuration management
1. Kerberos Authentication
Kerberos is the primary authentication protocol used by Active Directory. It provides secure authentication without sending passwords directly over the network.
NOTE: The Domain Controller acts as the Kerberos Key Distribution Center (KDC).
When a user logs into a domain-joined computer, the following simplified process occurs:
- The user enters their username and password.
- The client contacts the Domain Controller (DC).
- The Domain Controller verifies the credentials.
- The DC issues a Ticket Granting Ticket (TGT).
- The user can then request service tickets to access resources such as file servers, printers, or applications.
This ticket-based system provides both security and scalability.
Linux systems can also integrate with Kerberos authentication using tools such as SSSD, Winbind, or realmd.
Kerberos relies on a trusted authentication service known as the Key Distribution Center (KDC). It acts as the central authority that verifies identities and issues tickets, which allow users and services to communicate securely without repeatedly transmitting passwords across the network. In Active Directory environments, the Domain Controller typically functions as the KDC.
2. LDAP (Lightweight Directory Access Protocol)
LDAP is the protocol used to query and interact with the Active Directory database.
Applications and administrators use LDAP to:
- Search for users and groups
- Retrieve directory information
- Modify objects
- Authenticate users
- Organize resources
For example, when you search for a user in Active Directory Users and Computers, the tool communicates with AD using LDAP queries.
LDAP is platform-independent, which is why Linux applications, web applications, VPN servers, Jenkins, GitLab, and many enterprise tools can authenticate users against Active Directory.
3. DNS (Domain Name System)
DNS is one of the most important parts of Active Directory and is often overlooked by beginners.
Active Directory heavily depends on DNS to locate Domain Controllers and services. When a client wants to log into a domain, it first uses DNS to find the appropriate Domain Controller.
Without properly configured DNS, Active Directory authentication and domain services will fail.
Active Directory commonly uses SRV records in DNS to advertise services such as:
- Kerberos authentication services
- LDAP directory services
- Global Catalog services
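The following is an added example, not code from the original article: it shows how a domain member turns the SRV names Active Directory publishes into a Domain Controller to talk to. It builds the documented `_msdcs` record names for the three services listed above, parses a constructed zone-file excerpt for the sample domain `corp.example.com` (not real DNS data), and orders the candidates the way RFC 2782 prescribes: lowest priority first, weighted-random among equal priorities. The `rand` parameter is an assumption made so the selection can be tested deterministically.

```python
import random
from dataclasses import dataclass
from typing import Callable, Optional


def ad_srv_names(domain: str, forest: Optional[str] = None) -> dict:
    """SRV names a client resolves to find DCs for Kerberos, LDAP and the Global Catalog."""
    forest = forest or domain
    return {
        "kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "global_catalog": f"_gc._tcp.{forest}",   # the GC is a forest-wide service
    }


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_zone(zone_text: str) -> list:
    """Parse zone-file style lines: <name> <ttl> IN SRV <priority> <weight> <port> <target>."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(fields[0].rstrip("."), int(fields[4]), int(fields[5]),
                                 int(fields[6]), fields[7].rstrip(".")))
    return records


def order_targets(records: list, rand: Optional[Callable[[int], int]] = None) -> list:
    """Order records per RFC 2782: by ascending priority, weighted-random within a priority.
    `rand(total)` must return an integer in [0, total]; it defaults to random.randint."""
    rand = rand or (lambda total: random.randint(0, total))
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for priority in sorted(by_priority):
        group = sorted(by_priority[priority], key=lambda r: r.weight != 0)   # zero weights first
        while group:
            pick, running = rand(sum(r.weight for r in group)), 0
            for r in group:
                running += r.weight
                if running >= pick:                # the first record whose running sum reaches the pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate(service: str, domain: str, zone_text: str, rand=None) -> list:
    """Return (host, port) candidates for a service, in the order a client should try them."""
    name = ad_srv_names(domain)[service]
    matching = [r for r in parse_srv_zone(zone_text) if r.name == name]
    return [(r.target, r.port) for r in order_targets(matching, rand)]


# Constructed sample records for corp.example.com; dc2 carries weight 0 (rarely chosen) and
# dc-dr has a higher priority value, so it is only used when the priority-0 DCs fail.
SAMPLE_ZONE = """
; constructed sample zone excerpt, not real DNS data
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  0   389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 10 100 389 dc-dr.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0  100 88  dc1.corp.example.com.
"""

if __name__ == "__main__":
    print(locate("ldap", "corp.example.com", SAMPLE_ZONE))
```

If `locate("ldap", ...)` returns an empty list against a real zone, the `_msdcs` records are missing, which is the "DNS is misconfigured" failure mode described above; the Kerberos name resolves to port 88 and the LDAP name to 389, matching the services each DC exposes.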
4. Extensible Storage Engine (ESE)
The Active Directory database itself is stored inside the file:
NTDS.dit
This database uses Microsoft's Extensible Storage Engine (ESE), sometimes called JET Blue.
The database stores:
- User accounts
- Passwords (hashed)
- Group memberships
- Computer objects
- Security policies
- Organizational Units (OUs)
Domain Controllers continuously replicate this database between each other to maintain consistency across the environment.
5. Group Policy
Group Policy allows administrators to centrally manage and configure computers and users in the domain.
Using Group Policy, administrators can:
- Enforce password policies
- Disable USB devices
- Deploy software
- Configure firewalls
- Map network drives
- Run startup scripts
- Apply security baselines
This is one of the most powerful features of Active Directory because it enables large-scale administration and standardization across thousands of systems.
6. Domain Controller
A Domain Controller (DC) is a server that runs Active Directory Domain Services. It stores a copy of the Active Directory database and responds to authentication requests from users and computers.
A Domain Controller is responsible for:
- User authentication
- Authorization
- Policy enforcement
- Directory queries
- Replication
In enterprise environments, multiple Domain Controllers are usually deployed for redundancy and high availability.
7. Organizational Units (OUs)
Organizational Units (OUs) are containers used to organize objects inside Active Directory.
For example:
Company
├── Users
├── Servers
├── HR
├── Finance
└── IT
Administrators can apply different Group Policies to different OUs, allowing fine-grained control over systems and users.
8. Active Directory and Linux
Linux systems can integrate with Active Directory using technologies such as:
- SSSD
- realmd
- Winbind
- Samba
- Kerberos
This allows Linux machines to:
- Join Active Directory domains
- Authenticate users using AD credentials
- Apply centralized access controls
- Use single sign-on (SSO)
This is why Active Directory is widely used even in mixed Windows-Linux enterprise environments.
Domains, Trees & Forests
Active Directory uses a hierarchical structure to organize and manage large enterprise environments. The hierarchy consists of domains, trees, and forests.
1. Domains
A domain is the fundamental administrative boundary in Active Directory. It contains users, groups, computers, policies, and other objects that share a centralized directory database and security policies.
Examples:
corp.example.com
research.example.com
sales.example.com
Each domain has at least one Domain Controller responsible for authentication, authorization, and replication.
2. Trees
A tree (domain tree) is a collection of domains grouped together in a hierarchical parent-child structure that share a contiguous namespace.
example.com
├── sales.example.com
├── hr.example.com
└── research.example.com
Domains inside a tree automatically establish two-way transitive trust relationships with one another.
3. Forests
A forest is the top-level logical structure in Active Directory. A forest can contain multiple trees that may or may not share the same namespace.
All domains inside a forest share:
- A common schema
- A global catalog
- Forest-wide trust relationships
NOTE: The Schema is the blueprint that defines what data can exist, while the Global Catalog is a distributed index that helps you find that data across the entire forest.
The forest acts as the primary security boundary in Active Directory.
Note that a single domain (for example, bye.com) is by itself also a tree.
4. Trust Relationships
Trusts allow users in one domain to access resources in another domain.
- One-way trust: access flows in one direction
- Two-way trust: both domains trust each other
- Transitive trust: trust extends automatically to other trusted domains
- External trust: connects separate forests/domains
- Forest trust: trust between entire forests
AD Objects: Users, Groups & OUs
Everything stored inside Active Directory is represented as an object. Each object contains attributes that describe it.
1. User Accounts
User objects represent identities used for authentication and authorization. These accounts can belong to employees, administrators, applications, or services.
2. Groups
Groups simplify permission management by assigning permissions to groups instead of individual users.
Security Groups
Used to assign permissions to resources.
Distribution Groups
Used primarily for email distribution lists and cannot assign permissions.
Group Scopes
- Domain Local: permissions within a domain
- Global: users from the same domain
- Universal: users across multiple domains
3. Organizational Units (OUs)
OUs are containers used to logically organize objects inside Active Directory.
Company
├── Servers
├── Workstations
├── HR
├── Finance
└── IT
Administrators commonly apply Group Policies to OUs.
4. Computer Objects
Domain-joined systems are represented as computer objects inside AD. These objects allow centralized management and authentication.
5. Service Accounts
Service accounts are accounts used by applications and services to interact with resources securely.
Modern environments commonly use:
- Managed Service Accounts (MSA)
- Group Managed Service Accounts (gMSA)
Group Policy Objects (GPO)
Group Policy Objects (GPOs) provide centralized configuration management for users and computers.
Administrators can configure:
- Password policies
- Firewall rules
- Windows Updates
- USB restrictions
- Security baselines
- Software deployment
1. GPO Processing Order
Policies are applied using LSDOU order:
Local → Site → Domain → Organizational Unit
NOTE: In Active Directory, a Site is a physical boundary based on IP subnets and network connectivity. A Domain is a logical boundary that groups users and computers for central administration, security, and directory database (NTDS.dit) replication.
Policies applied later can override earlier settings.
2. Inheritance & Enforcement
Child OUs inherit policies from parent containers unless inheritance is blocked. Administrators can enforce critical policies to prevent overriding.
3. WMI Filtering
WMI filters allow GPOs to target specific operating systems, hardware, or system configurations.
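The three rules above (LSDOU order, inheritance blocking and enforcement, WMI filtering) interact, and the resultant set of policy is easiest to understand by computing it. The following is an added example, not code from the original article, that models those rules for a single computer. The container names, GPO names and settings are constructed, and the `is_server` function stands in for a WMI filter; the treatment of the Local GPO as unaffected by Block Inheritance is the model's assumption, stated in the code.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

LEVELS = ("local", "site", "domain", "ou")   # LSDOU: the order in which containers are processed


@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False
    wmi_filter: Optional[Callable[[dict], bool]] = None   # evaluated against facts about the target computer


@dataclass
class Container:
    name: str
    level: str                                   # one of LEVELS
    gpos: list = field(default_factory=list)     # linked GPOs, in the order they are applied
    block_inheritance: bool = False


def resolve_policy(chain: list, facts: dict) -> dict:
    """Resultant policy for a computer whose containers are listed in LSDOU order (nested OUs repeat "ou").
    Returns {setting: (value, name of the GPO that won)}."""
    ranks = [LEVELS.index(c.level) for c in chain]
    if ranks != sorted(ranks):
        raise ValueError("containers must be listed in Local, Site, Domain, OU order")
    normal, enforced = [], []            # (level, GPO) pairs collected while walking down the chain
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance discards non-enforced links from higher containers. Assumption of this
            # model: the Local GPO is kept, since it is not an AD link; enforced links are never blocked.
            normal = [(lvl, g) for lvl, g in normal if lvl == "local"]
        for gpo in container.gpos:
            if gpo.wmi_filter is not None and not gpo.wmi_filter(facts):
                continue                                      # WMI filter evaluated false: link skipped
            (enforced if gpo.enforced else normal).append((container.level, gpo))
    result = {}
    for _, gpo in normal:                                     # later (lower) containers override earlier ones
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    for _, gpo in reversed(enforced):                         # enforced links win; among them the highest container wins
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def is_server(facts: dict) -> bool:
    """Stand-in for a WMI filter that matches server operating systems only."""
    return "Server" in facts.get("os", "")


# Constructed sample hierarchy; names and settings are illustrative, not from any real domain.
SAMPLE_CHAIN = [
    Container("Local", "local", [GPO("Local Computer Policy", {"ScreenSaverTimeout": 600})]),
    Container("Default-First-Site-Name", "site"),
    Container("corp.example.com", "domain", [
        GPO("Default Domain Policy", {"MinPasswordLength": 14, "ScreenSaverTimeout": 900}, enforced=True),
        GPO("Domain Firewall", {"FirewallEnabled": True}),
    ]),
    Container("HR", "ou", [
        GPO("HR Desktops", {"ScreenSaverTimeout": 300, "MapDrive": "H:"}),
        GPO("Server Hardening", {"SMBSigningRequired": True}, wmi_filter=is_server),
    ], block_inheritance=True),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve_policy(SAMPLE_CHAIN, {"os": "Windows 11 Pro"}).items()):
        print(f"{setting:20} = {value!r:6} (from {source})")
```

Walking through the sample: the HR OU blocks inheritance, so "Domain Firewall" never reaches HR workstations, but the enforced "Default Domain Policy" still applies and its screen-saver timeout of 900 beats the HR OU's own 300 even though the OU is processed later. "Server Hardening" only appears in the result when the facts describe a server, which is what the WMI filter is for.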
Replication & FSMO Roles
Active Directory uses multi-master replication, meaning multiple Domain Controllers can update the directory database.
1. Replication
Changes made on one Domain Controller replicate to others to maintain consistency.
Replication can occur:
- Within a site
- Between sites
2. Sites & Site Links
Sites represent physical network locations. Site links control replication traffic between locations.
3. KCC (Knowledge Consistency Checker)
The KCC automatically builds replication topologies between Domain Controllers.
4. FSMO Roles
Although AD is multi-master, certain operations are handled by special roles known as FSMO (Flexible Single Master Operations) roles.
- Schema Master: controls schema modifications
- Domain Naming Master: manages domain additions/removals
- RID Master: allocates Relative IDs
- PDC Emulator: time sync, password updates, legacy support
- Infrastructure Master: updates cross-domain references
Authentication: Kerberos & NTLM
1. Kerberos
Kerberos is the default authentication protocol in modern Active Directory environments.
Kerberos authentication flow:
- User authenticates to the Authentication Server (AS)
- The AS issues a Ticket Granting Ticket (TGT)
- The client sends the TGT to the Ticket Granting Server (TGS)
- The TGS issues service tickets
- The user accesses network services securely
The Key Distribution Center (KDC) running on the Domain Controller contains both the AS and TGS components.
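To make the AS and TGS exchanges concrete, here is an added simulation of the flow described above (and of the simplified logon in section 1 of the architecture overview). It is not code from the original article and is not a Kerberos implementation: the realm `CORP.EXAMPLE.COM`, the principals `alice`, `krbtgt` and `cifs/fs01`, and the `seal`/`unseal` toy cipher are all constructed so the example runs offline. What it does reproduce faithfully is who holds which key: the client derives its key from the password and never sends it, only the KDC can open a TGT (the `krbtgt` key), and the service validates its ticket with its own key without contacting the KDC. The AS step also shows why pre-authentication matters: the KDC refuses to issue a TGT until the client proves knowledge of its key.

```python
import hashlib
import hmac
import json
import secrets
import time


def string_to_key(password: str, salt: str) -> bytes:
    """Toy stand-in for Kerberos string-to-key: a PBKDF2 key derived from the principal's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (hash keystream XOR + HMAC tag). It models "encrypted under key K" only."""
    nonce = secrets.token_bytes(16)
    data = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The Domain Controller's KDC: the AS and the TGS share one key database."""
    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}

    def as_exchange(self, user: str, preauth: bytes):
        # AS-REQ with pre-authentication: the client proves it knows its key by encrypting a fresh timestamp.
        ts = unseal(self.keys[user], preauth)["timestamp"]          # raises if the password was wrong
        if abs(time.time() - ts) > 300:
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session = secrets.token_bytes(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session.hex(), "expires": time.time() + 36000})
        return tgt, seal(self.keys[user], {"session": session.hex()})   # AS-REP: TGT + session key for the user

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        body = unseal(self.keys["krbtgt"], tgt)                       # only the KDC can open a TGT
        session = bytes.fromhex(body["session"])
        auth = unseal(session, authenticator)                        # proves the client holds the TGT session key
        if auth["user"] != body["user"] or time.time() > body["expires"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"user": auth["user"], "session": svc_session.hex()})
        return ticket, seal(session, {"service": service, "session": svc_session.hex()})   # TGS-REP


class Client:
    def __init__(self, kdc: KDC, user: str, password: str):
        self.kdc, self.user = kdc, user
        self.key = string_to_key(password, kdc.realm + user)        # derived locally, never transmitted

    def logon(self):
        self.tgt, reply = self.kdc.as_exchange(self.user, seal(self.key, {"timestamp": time.time()}))
        self.session = bytes.fromhex(unseal(self.key, reply)["session"])

    def service_ticket(self, service: str):
        authenticator = seal(self.session, {"user": self.user, "timestamp": time.time()})
        ticket, reply = self.kdc.tgs_exchange(self.tgt, authenticator, service)
        return ticket, bytes.fromhex(unseal(self.session, reply)["session"])


class Service:
    """A Kerberized service (e.g. a file server) that holds only its own long-term key."""
    def __init__(self, spn: str, password: str, realm: str):
        self.key = string_to_key(password, realm + spn)

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        body = unseal(self.key, ticket)                               # no round trip to the KDC needed
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match ticket")
        return body["user"]


def run_logon(user_password: str) -> str:
    """Full AS -> TGS -> service flow in a constructed realm; returns the authenticated user name."""
    realm, svc_pw = "CORP.EXAMPLE.COM", secrets.token_hex(16)
    kdc = KDC(realm, {"krbtgt": secrets.token_hex(16), "alice": "correct horse battery staple", "cifs/fs01": svc_pw})
    fs01 = Service("cifs/fs01", svc_pw, realm)
    alice = Client(kdc, "alice", user_password)
    alice.logon()                                                    # AS exchange
    ticket, svc_session = alice.service_ticket("cifs/fs01")         # TGS exchange
    return fs01.accept(ticket, seal(svc_session, {"user": "alice", "timestamp": time.time()}))   # AP exchange


def authenticates(user_password: str) -> bool:
    try:
        return run_logon(user_password) == "alice"
    except ValueError:
        return False
```

Running `run_logon("correct horse battery staple")` returns `"alice"`; a wrong password fails at the AS step, before any ticket is issued, because the pre-authentication timestamp cannot be decrypted with the user's real key.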
2. NTLM
NTLM is an older Microsoft authentication protocol still used for compatibility.
Unlike Kerberos, NTLM relies on challenge-response authentication and does not support modern delegation and mutual authentication features.
Because NTLM is more vulnerable to attacks such as relay attacks and pass-the-hash attacks, organizations are encouraged to minimize or disable it.
3. SPNs & Delegation
Service Principal Names (SPNs) uniquely identify services in Kerberos. Improper SPN configuration can lead to authentication failures or attacks such as Kerberoasting.
Hardening & Security Considerations
Because Active Directory controls authentication and authorization across an enterprise, compromising AD often means compromising the entire organization.
1. Security Best Practices
- Implement least privilege access
- Use separate admin accounts
- Enable MFA for privileged users
- Use tiered administration
- Disable NTLMv1
- Enable SMB signing
- Use LDAPS instead of plain LDAP
- Rotate local admin passwords using LAPS
- Enable auditing and centralized logging
2. Protected Users Group
The Protected Users group provides additional protections for privileged accounts by disabling weaker authentication mechanisms.
3. Credential Guard
Credential Guard isolates sensitive credentials using virtualization-based security to reduce credential theft.
Common Attacks & Mitigations
1. Pass-the-Hash
Attackers steal NTLM password hashes and reuse them for authentication without knowing the actual password.
Mitigation:
- Use Credential Guard
- Restrict lateral movement
- Disable NTLM where possible
2. Kerberoasting
Attackers request Kerberos service tickets associated with SPNs and attempt offline password cracking.
Mitigation:
- Use strong service account passwords
- Use gMSAs
- Monitor abnormal ticket requests
3. AS-REP Roasting
Targets accounts with Kerberos preauthentication disabled.
4. DCSync
Attackers simulate Domain Controller replication to extract password hashes.
Mitigation:
- Restrict replication permissions
- Monitor replication requests
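Two of the mitigations above are detections: "monitor abnormal ticket requests" (Kerberoasting) and "monitor replication requests" (DCSync). The following is an added example, not code from the original article, showing what each check looks like when run over Domain Controller security events. It uses the documented Windows events 4769 (service ticket requested) and 4662 (operation performed on an object) and the public schema GUIDs of the replication control-access rights. The event records are constructed and simplified (field names only; real event XML must be parsed first), and the account names, SPNs and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that grant directory replication (public Microsoft schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_HMAC = "0x17"   # ticket encryption type in event 4769; AES tickets are 0x11/0x12


def detect_kerberoasting(events: list, window=timedelta(minutes=5), threshold: int = 5) -> list:
    """Event 4769: one account requesting RC4 service tickets for many distinct SPNs in a short window."""
    requests = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["ticket_encryption_type"] != RC4_HMAC:
            continue
        if e["service_name"].endswith("$") or e["service_name"] == "krbtgt":
            continue                                     # computer accounts and the TGS itself are routine
        requests[e["account_name"]].append((e["time"], e["service_name"]))
    alerts = []
    for account, reqs in requests.items():
        reqs.sort()
        for start, _ in reqs:                            # slide a window over this account's requests
            spns = {spn for t, spn in reqs if start <= t <= start + window}
            if len(spns) >= threshold:
                alerts.append({"account": account, "distinct_spns": len(spns), "first_seen": start})
                break
    return alerts


def detect_dcsync(events: list, domain_controllers: frozenset) -> list:
    """Event 4662: replication rights exercised by an account that is not a known Domain Controller."""
    alerts = []
    for e in events:
        if e["event_id"] != 4662 or e["account_name"] in domain_controllers:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in e["properties"] if g in REPLICATION_RIGHTS]
        if rights:
            alerts.append({"account": e["account_name"], "rights": rights, "time": e["time"]})
    return alerts


T0 = datetime(2024, 3, 1, 9, 0, 0)


def _4769(minutes: int, account: str, spn: str, etype: str = RC4_HMAC) -> dict:
    return {"event_id": 4769, "time": T0 + timedelta(minutes=minutes), "account_name": account,
            "service_name": spn, "ticket_encryption_type": etype}


# Constructed sample records with simplified field names from the 4769/4662 event schemas; not real logs.
SAMPLE_EVENTS = [
    _4769(0, "jdoe", "svc-sql01"), _4769(0, "jdoe", "svc-web01"), _4769(1, "jdoe", "svc-backup"),
    _4769(1, "jdoe", "svc-ftp"), _4769(2, "jdoe", "svc-mon"), _4769(2, "jdoe", "svc-report"),
    _4769(3, "jdoe", "WS-042$"),                      # computer account: ignored
    _4769(5, "asmith", "svc-sql01", etype="0x12"),   # AES ticket: ignored
    _4769(6, "asmith", "svc-web01"),                 # a single RC4 request: below threshold
    {"event_id": 4662, "time": T0 + timedelta(minutes=10), "account_name": "DC01$",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},              # DC replicating: expected
    {"event_id": 4662, "time": T0 + timedelta(minutes=11), "account_name": "jdoe",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]


def run_detections(events: list = SAMPLE_EVENTS, domain_controllers=frozenset({"DC01$", "DC02$"})) -> dict:
    return {"kerberoasting": detect_kerberoasting(events), "dcsync": detect_dcsync(events, domain_controllers)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

The 4662 check needs the replication rights to be audited on the domain naming context (otherwise the events never appear), and the list of Domain Controller accounts must be kept current; the 4769 check deliberately focuses on RC4 tickets because a service account with an AES-only configuration, or a gMSA with its long random password, gives the attacker little to crack even if the ticket is requested.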
5. Golden Ticket
Attackers forge Kerberos TGTs using the KRBTGT account hash.
Mitigation:
- Protect Domain Controllers
- Rotate KRBTGT passwords after compromise
6. BloodHound
BloodHound maps Active Directory relationships and attack paths to identify privilege escalation opportunities.
Useful Tools & Commands
1. Windows Administrative Tools
- Active Directory Users and Computers (ADUC)
- Group Policy Management Console (GPMC)
- Active Directory Administrative Center
- RSAT Tools
2. PowerShell Commands
Get-ADUser -Filter *
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter *
3. Diagnostic Tools
dcdiag
repadmin /replsummary
nltest /dclist:domain.local
4. Linux LDAP Queries
ldapsearch -x -H ldap://dc.domain.local
5. Security Assessment Tools
- BloodHound
- SharpHound
- PingCastle
- Mimikatz
Conclusion
Active Directory is one of the most important identity management systems in modern enterprise infrastructure. Understanding its architecture, authentication mechanisms, administrative model, and security weaknesses is essential for system administrators, security engineers, penetration testers, and DevOps professionals.
A properly designed and secured Active Directory environment provides scalable, centralized identity management, while a poorly secured one can become the single point of compromise for an entire organization.
To see how to set this up on your own server, follow the link below:
Setup AD DS
To see how to join Windows and Linux clients to the domain, and how to set up Ubuntu as a Samba file server, click here.