
Active Directory Basics

Task 1 Introduction

Active Directory is a network of computer workstations, servers, and other network appliances grouped into domains. These domains are then grouped into forests, which help to create a logical topology of an organization’s network.

There are several components within Active Directory.

  • Domain Controllers
  • Forests, Trees, Domains
  • Users + Groups 
  • Trusts
  • Policies 
  • Domain Services

Organizations like to use Active Directory because it simplifies network administration. It enables users to log into any computer within the organization’s network and have access to their files from anywhere on the network. It also centralizes administration and security monitoring to the central domain controller.

No answer needed

Task 2 Physical Active Directory

A domain controller is a Windows Server that has Active Directory Domain Services installed and has been promoted to Forest Domain Controller. Active Directory revolves around domain controllers. Their primary responsibilities are:

  • Holding the AD DS data store
  • Authentication and Authorization
  • Replicate updates from other domain controllers in the forest
  • Allow admin access to manage domain resources

The Data Store contains the Active Directory database and information needed to manage the directory.

  • Contains NTDS.dit (Database with all AD information and password hashes for domain users.)
  • Stored by default in %SystemRoot%\NTDS
  • Only accessible by the Domain Controller

What database does the AD DS contain?


Where is the NTDS.dit stored?


What type of machine can be a domain controller?

Windows Server

Task 3 The Forest

Per TryHackMe:

A forest is a collection of one or more domain trees inside of an Active Directory network. It is what categorizes the parts of the network as a whole.

The Forest consists of these parts, which we will go into in further detail later:

  • Trees – A hierarchy of domains in Active Directory Domain Services
  • Domains – Used to group and manage objects 
  • Organizational Units (OUs) – Containers for groups, computers, users, printers and other OUs
  • Trusts – Allows users to access resources in other domains
  • Objects – users, groups, printers, computers, shares
  • Domain Services – DNS Server, LLMNR, IPv6
  • Domain Schema – Rules for object creation

What is the term for a hierarchy of domains in a network?


What is the term for the rules for object creation?

Domain Schema

What is the term for containers for groups, computers, users, printers, and other OUs?

Organizational Units

Task 4 Users + Groups

Four User Types

  1. Domain Admins – Head admin role. The primary root account for the entire domain.
  2. Service Accounts – Not regularly used by actual people. Accounts required for services.
  3. Local Admin – Admin for the local system but unable to access the domain controller.
  4. Domain User – Regular users, possible to be local admins.

Two Group Types

There are two main types of groups.

  1. Security Groups – Used for setting permissions
  2. Distribution Groups – Used to set email distribution lists

Default Security Groups

  • Domain Controllers – All domain controllers in the domain
  • Domain Guests – All domain guests
  • Domain Users – All domain users
  • Domain Computers – All workstations and servers joined to the domain
  • Domain Admins – Designated administrators of the domain
  • Enterprise Admins – Designated administrators of the enterprise
  • Schema Admins – Designated administrators of the schema
  • DNS Admins – DNS Administrators Group
  • DNS Update Proxy – DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
  • Allowed RODC Password Replication Group – Members in this group can have their passwords replicated to all read-only domain controllers in the domain
  • Group Policy Creator Owners – Members in this group can modify group policy for the domain
  • Denied RODC Password Replication Group – Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
  • Protected Users – Members of this group are afforded additional protections against authentication security threats. See for more information.
  • Cert Publishers – Members of this group are permitted to publish certificates to the directory
  • Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the domain
  • Enterprise Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the enterprise
  • Key Admins – Members of this group can perform administrative actions on key objects within the domain.
  • Enterprise Key Admins – Members of this group can perform administrative actions on key objects within the forest.
  • Cloneable Domain Controllers – Members of this group that are domain controllers may be cloned.
  • RAS and IAS Servers – Servers in this group can access remote access properties of users

Which type of groups specify user permissions?

Security Groups

Which group contains all workstations and servers joined to the domain?

Domain Computers

Which group can publish certificates to the directory?

Cert Publishers

Which user can make changes to a local machine but not to a domain controller?

Local Administrator

Which group has their passwords replicated to read-only domain controllers?

Allowed RODC Password Replication Group

Task 5 Trusts + Policies

Security in Active Directory is implemented by trusts and policies. Trusts and policies put into place rules that decide what the domain is allowed to do. They can determine how trees and domains communicate with each other or with external domains.

Trusts determine how domains inside a forest are allowed to communicate with each other. There are generally two types of trusts.

  1. Directional – Trust flows from trusting domain to trusted domain
  2. Transitive – Trust extends out beyond just the two domains in question

Trusts can be abused by attackers to move across the network.
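
A simplified model of the two trust properties above, added here as an example (it is not part of the TryHackMe material). The domain names are constructed and Get-TrustedDomain is a hypothetical helper; for one trusting domain it lists every domain whose accounts could be granted access to its resources, following multi-hop paths only across transitive trusts.

```powershell
# Constructed sample data; every domain name here is made up.
# Each row reads "Trusting trusts Trusted": accounts in Trusted can be
# granted access to resources in Trusting, not the other way round.
$sampleTrusts = @(
    [pscustomobject]@{ Trusting = 'corp.example';     Trusted = 'dev.corp.example'; Transitive = $true  }
    [pscustomobject]@{ Trusting = 'dev.corp.example'; Trusted = 'corp.example';     Transitive = $true  }
    [pscustomobject]@{ Trusting = 'dev.corp.example'; Trusted = 'lab.example';      Transitive = $true  }
    [pscustomobject]@{ Trusting = 'corp.example';     Trusted = 'partner.example';  Transitive = $false }
    [pscustomobject]@{ Trusting = 'partner.example';  Trusted = 'vendor.example';   Transitive = $true  }
)

# Hypothetical helper (not a PowerView or ActiveDirectory cmdlet).
function Get-TrustedDomain {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $TrustList
    )
    $reached = [System.Collections.Generic.HashSet[string]]::new()
    $queue   = [System.Collections.Generic.Queue[string]]::new()

    # First hop: a direct trust counts whether or not it is transitive.
    $direct = @($TrustList | Where-Object { $_.Trusting -eq $Domain })
    foreach ($t in $direct) {
        [void]$reached.Add($t.Trusted)
        if ($t.Transitive) { $queue.Enqueue($t.Trusted) }
    }

    # Later hops: trust extends further only across transitive trusts.
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $next = @($TrustList | Where-Object { $_.Trusting -eq $current -and $_.Transitive })
        foreach ($t in $next) {
            if ($t.Trusted -ne $Domain -and $reached.Add($t.Trusted)) {
                $queue.Enqueue($t.Trusted)
            }
        }
    }
    $reached | Sort-Object
}

# The corp -> partner trust is not transitive, so partner's own trust in
# vendor.example does not extend to corp.example.
Get-TrustedDomain -Domain 'corp.example' -TrustList $sampleTrusts
```

Running the same function for each domain in a real trust inventory shows which external account populations a resource domain is exposed to.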

Domain policies are similar to groups except they use rules instead of permissions. These rules determine what a domain may do.

What type of trust flows from a trusting domain to a trusted domain?


What type of trusts expands to include other trusted domains?


Task 6 Active Directory Domain Services + Authentication

Domain Services are services that the controller provides for the domain. Default services that run on domains include LDAP, certificate services, DNS, LLMNR, and NBT-NS.

One of the main selling points of Active Directory is its ability to authenticate users to give them access to network resources. Active Directory has two primary methods to authenticate users, Kerberos and NTLM. Kerberos is the default authentication for Active Directory and uses tickets. NTLM is the default Windows Authentication protocol that uses an encrypted challenge-response protocol.

What type of authentication uses tickets? 


What domain service can create, validate, and revoke public key certificates?

Certificate Services

Task 7 AD in the Cloud

Active Directory has the ability to connect to the cloud through services such as Azure AD. It has a more secure default configuration than its on-premise counterpart. Azure connects the user signing on with the Active Directory domain. By having this handled by Azure, sign-on is more secure and many Active Directory attacks are pre-empted.

What is the Azure AD equivalent of LDAP?


What is the Azure AD equivalent of Domains and Forests?


What is the Windows Server AD equivalent of Guests?


Task 8 Hands-On Lab

This lab uses the tool PowerView to obtain information on the Active Directory domain and its users.

Deploy the Machine

No answer needed

What is the name of the Windows 10 operating system?

To get the answer to this I ran the command Get-NetComputer -fulldata | select operatingsystem. It gave me a few options. The second one worked.

Windows 10 Enterprise Evaluation

What is the second “Admin” name?

I needed to find the users of the domain. To have PowerShell output these users, I used the command Get-NetUser | select cn.

One of the users was named Admin2 which was the only other administrator type user besides the main administrator.


Which group has a capital “V” in the group name?

For this question I needed to get a list of groups for the domain. To do this I used the command Get-NetGroup * | select-string -pattern "V" -casesensitive

I found the group Hyper-V Administrators in the output.

Hyper-V Administrators

When was the password last set for the SQLService user?

I used the PowerShell command Get-NetUser -UserName SQLService to find the properties for the SQLService user. One of the last properties was pwdlastset, with the value 5/13/2020 8:26:58 PM.

5/13/2020 8:26:58 PM
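
The directory stores pwdLastSet as a raw integer that tools render as a date like the one above. As an added example (not code from the room or from PowerView), the block below converts raw values and flags old passwords, the kind of check a defender runs over service accounts. The account names, raw values, 180-day threshold and the Get-PasswordAge helper are all assumptions made for illustration.

```powershell
# Constructed sample rows (account names and values are made up). PwdLastSet is
# the raw directory value: 100-nanosecond ticks since 1601-01-01 UTC (FILETIME).
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql';    PwdLastSet = 132338752180000000 }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PwdLastSet = 132500000000000000 }
    [pscustomobject]@{ SamAccountName = 'new.hire';   PwdLastSet = 0 }
)

# Hypothetical helper (not a PowerView or ActiveDirectory cmdlet).
function Get-PasswordAge {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int]      $MaxAgeDays = 180,
        [datetime] $AsOf = [datetime]::UtcNow
    )
    foreach ($a in $Account) {
        if ([long]$a.PwdLastSet -eq 0) {
            # 0 carries no timestamp: the password must be changed at next logon.
            $lastSet = $null; $age = $null; $status = 'MustChange'
        } else {
            $lastSet = [datetime]::FromFileTimeUtc([long]$a.PwdLastSet)
            $age     = [int][math]::Floor(($AsOf.ToUniversalTime() - $lastSet).TotalDays)
            $status  = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            PwdLastSetUtc  = $lastSet
            AgeDays        = $age
            Status         = $status
        }
    }
}

# A fixed reference date keeps the result reproducible for the sample rows.
$reference = [datetime]::new(2021, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
Get-PasswordAge -Account $sampleAccounts -AsOf $reference |
    Sort-Object Status, SamAccountName | Format-Table -AutoSize
```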
