pragmat1c0n3

Active Directory Fundamentals (Part One: Demystifying AD DS and its Components)

Updated: Nov 6


Introduction


This blog post is part one of the Cyb3r-S3c series on Microsoft's Active Directory Domain Services (AD DS). Whether you work in IT, Blue Team or Red Team operations, a strong grasp of Active Directory (AD) is crucial: it is commonly estimated that over 95% of Fortune 1000 companies run it, and in most of them it is the identity system everything else depends on. In this post I give an overview of AD DS and its key components, including forests, domains, sites, domain controllers, organizational units (OUs), and user and group management. With this foundation you'll be better equipped to manage, defend and assess complex network environments. If you're interested in cybersecurity, please regularly check back on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch, for more informative content.



AD Decoded: Navigating the Depths of AD DS


If your organization uses Windows operating systems, then chances are AD and its related services are the foundation of your enterprise network. All domain objects, such as user accounts, computer accounts and groups, are stored centrally in AD, and the directory is searchable, hierarchical and replicated, which lets configuration and security settings be applied consistently across the enterprise. To run it well you need to understand how its components fit together. AD DS is also the base that other Windows Server roles build on: Group Policy (installing, configuring and updating applications and enforcing security settings), Remote Access and DirectAccess (which authenticate against the directory), and Active Directory Certificate Services, which provides the Public Key Infrastructure (PKI) that issues and manages digital certificates for users and computers.



The Anatomy of AD: Unveiling the Components


AD comprises several logical components that are essential for designing and implementing an AD infrastructure. Each logical component is described below.

Partition

Active Directory divides its database into partitions, also known as naming contexts, so that different kinds of data replicate to different sets of domain controllers. Every domain controller holds three: the schema partition (the definitions of all object classes and attributes), the configuration partition (forest-wide topology such as sites, subnets and replication connections), and the domain partition for its own domain (users, computers, groups, OUs and other domain-specific objects). The schema and configuration partitions replicate to every DC in the forest; a domain partition replicates only to the DCs of that domain. Domain controllers can also host application partitions, most commonly ForestDnsZones and DomainDnsZones for AD-integrated DNS, and global catalog servers additionally hold a partial, read-only replica of every other domain's partition. All of these live in the single Ntds.dit file on each DC.

Schema

The schema defines which object classes can exist in the directory (user, computer, group, organizationalUnit and so on) and which attributes each class may or must carry, together with each attribute's syntax, whether it is indexed, and whether it is replicated to the global catalog. It is the blueprint that keeps every domain controller in the forest agreeing on what an object looks like. Two practical consequences follow: the schema is forest-wide, so an extension made for one application (Exchange or Configuration Manager, for example) affects every domain in the forest, and schema classes and attributes can be deactivated but never deleted. Only members of the Schema Admins group can modify the schema, and that group should normally be kept empty except while a change is being made.

Domain

In AD, a domain is a logical administrative container and a replication boundary for objects such as user accounts, computer accounts and groups. Each domain has its own domain partition in the AD database, its own set of domain controllers, and its own default password and account lockout policy. Domains can be arranged in parent-child relationships to form a domain tree, and the first domain created in a forest is the forest root domain. A forest can contain several domain trees, each with its own namespace, but every domain in the forest shares one schema and one configuration partition. Note that a domain is an administrative boundary, not a security boundary: Microsoft documents the forest as the security boundary, because the Enterprise Admins and Schema Admins groups (which exist only in the forest root domain) have rights in every domain, and domains inside a forest trust each other unconditionally.

Domain Tree

A domain tree is a set of one or more domains that share a contiguous Domain Name System (DNS) namespace and are joined by parent-child trusts. The first domain in the tree is the tree root domain; child domains are created beneath it, and each child's DNS name is formed by prepending a label to its parent's name (sales.corp.example.com is a child of corp.example.com). Domains in a tree do not share a directory database: each has its own domain partition (naming context), and what they share are the forest-wide schema and configuration partitions. Parent-child trusts are two-way and transitive, so a user in any domain of the tree can be authenticated to resources in any other domain of the same tree.

Forest

A forest is the top of the Active Directory hierarchy: one or more domain trees that share a single schema, a single configuration partition and a single global catalog, bound together by automatically created two-way transitive trusts. The forest takes its name from the forest root domain, the first domain created, which also hosts the forest-wide Enterprise Admins and Schema Admins groups and, by default, the Schema Master and Domain Naming Master roles. Additional domain trees have their own DNS namespaces but still share the schema, configuration and global catalog. The global catalog is a distributed, partial replica of every object in the forest that lets clients locate objects in other domains with a single query. A forest consolidates what would otherwise be separate directories, and trusts between forests (forest trusts or external trusts) are how separately administered organizations share resources. Because every domain in a forest implicitly trusts the others and forest-wide privileged groups exist, the forest, not the domain, is the security boundary.

Organizational Unit (OU)

An Organizational Unit (OU) is a container object used to organize users, groups, computers and other objects within a single domain (an OU cannot span domains). OUs exist for two purposes: delegation and Group Policy. Because an OU has its own access control list, administrators can delegate rights over just the objects it contains (for example, letting the help desk reset passwords in OU=Staff without making them Domain Admins), and Group Policy Objects (GPOs) can be linked to an OU so that their settings apply to every user or computer object beneath it. OUs can be nested to reflect departments, teams or geographic locations, though deep nesting slows Group Policy processing at logon and makes delegation harder to audit. Two consequences are worth remembering: OUs are not security principals and cannot be granted permissions on resources (that is what groups are for), and anyone with write access to an OU, or to the GPOs linked to it, effectively controls every object in it.

Container

A container is a generic object (objectClass container) used to hold other objects. The default containers created with a domain, such as CN=Users, CN=Computers and CN=Builtin, cannot be deleted or renamed. Unlike an OU, a container cannot have a GPO linked to it and is not designed for delegation, so objects that land in CN=Users or CN=Computers receive only the policies linked at the domain or site level. Containers can be nested and can sit beside OUs, but they offer no management capability beyond grouping, which is why the usual guidance is to move objects into purpose-built OUs and leave the default containers nearly empty.

Domain controller

A domain controller (DC) is a server that holds a writable replica of the AD database for its domain and provides the domain's core services: the Kerberos Key Distribution Center and NTLM authentication, LDAP directory access and, usually, DNS. Every authentication, group membership decision and directory query in the domain depends on a DC.

AD uses multi-master replication: a change written to any writable DC is replicated to every other DC in the domain, and forest-wide data is replicated to every DC in the forest. This gives redundancy and fault tolerance, since clients can authenticate against any remaining DC if one goes offline, and it means an administrator can make a change at whichever DC is convenient. The flip side is that a DC is the most sensitive system in the environment: it stores every account's password hashes, and a change made on one compromised DC replicates everywhere. Treat DCs as Tier 0 assets, restrict who can log on to them, and monitor them accordingly.

Data store

Every domain controller holds a replica of the directory database for its domain, plus the schema, configuration and any application partitions it hosts. The database is the Ntds.dit file and its transaction logs (edb.log, edb.chk and related files), implemented with the Extensible Storage Engine (ESE, historically called Jet Blue). By default they are stored in C:\Windows\NTDS on each domain controller. Changes made at any DC are replicated to every other DC that holds the same partition, so an administrator can make a change anywhere and it propagates automatically. Because Ntds.dit contains every account's password hashes, encrypted with a key derived from the SYSTEM registry hive of the same machine, an offline copy of those two files is equivalent to every credential in the domain. Backups, snapshots of virtualized DCs and volume shadow copies of the NTDS folder deserve the same protection as the DC itself.


Global catalog server

A global catalog (GC) server is a domain controller that, in addition to a full writable replica of its own domain partition, holds a partial, read-only replica of every other domain partition in the forest. The partial replica contains the most commonly searched attributes (the partial attribute set, defined in the schema), so a client can resolve an object from any domain with one query instead of chasing referrals to each domain's DCs. GCs also resolve universal group membership during logon and are required for user principal name (UPN) logons, so a site with no reachable GC can see logon failures even when a writable DC is available. GC queries use LDAP on TCP 3268 (3269 with TLS). Since Windows Server 2008 the promotion wizard makes a new DC a global catalog by default, and Get-ADForest lists the current GCs.


Read-only domain controller (RODC)

A read-only domain controller (RODC) is a DC deployment option for branch locations with weaker physical security or less IT support than the main data centres. An RODC holds a read-only replica of the directory and, by default, caches no account secrets at all: the Password Replication Policy (PRP) lists the accounts whose secrets it may cache, and its Denied list blocks privileged accounts regardless. LDAP write attempts against an RODC receive a referral to a writable DC, and authentication or password-change requests for accounts not in its cache are forwarded to one; the RODC's own replication is inbound-only from writable DCs in the hub site. The Filtered Attribute Set keeps chosen sensitive attributes off the RODC entirely, and a local administrator can be delegated for the RODC without holding any domain-level rights. Together these let line-of-business applications run on a domain controller in the branch while limiting what a stolen RODC yields: at most the secrets of the accounts it was allowed to cache.


Site

A site in AD is a logical object representing a set of well-connected IP subnets, normally one physical location. Domain controllers, their replication connections, and site-aware services such as DFS are associated with sites. Sites serve two purposes: a client uses its site to find a nearby DC for authentication and Group Policy processing (the DC locator process), and replication between DCs in different sites is compressed and scheduled over site links rather than happening as soon as a change is made. Sites live in the configuration partition, so they are forest-wide and independent of domains: one site can hold DCs from several domains, and one domain can span many sites. A domain, by contrast, is a logical and administrative structure; a site describes network topology.


Subnet

An AD subnet object maps an IP address range, written in CIDR notation such as 10.20.0.0/16, to a site. When a client asks a DC which site it belongs to, the DC matches the client's IP address to the most specific subnet object and returns the associated site, which is how the client finds a local DC. A site can have many subnets, but each subnet object belongs to exactly one site. Ranges that are in use on the network but missing from AD are a common misconfiguration: clients on an unmapped range are assigned no site, may authenticate against a DC across a slow link, and show up in the Netlogon.log file on DCs tagged NO_CLIENT_SITE, which is the quickest way to find them.
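As an added example (not part of the original post), the following PowerShell discovers the components just described in a real forest with the RSAT ActiveDirectory module: the naming contexts held by the DC that answers, the forest and domain objects, which DCs are global catalogs or RODCs, and which sites have no subnet objects mapped to them. It assumes a domain-joined machine with RSAT installed and ordinary domain user rights; nothing else is hard-coded.

```powershell
# Added example, not from the original post: map the logical and physical
# components of a forest. Requires the RSAT ActiveDirectory module and a
# domain-joined host; everything is discovered, no names are hard-coded.
Import-Module ActiveDirectory

# Partitions (naming contexts) on the DC that answered: schema, configuration,
# the domain NC, and application partitions such as DomainDnsZones.
$rootDse = Get-ADRootDSE
"Partitions held by $($rootDse.dnsHostName):"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# Forest-wide facts: root domain, all domains (one tree per top-level name),
# global catalogs and the forest-wide FSMO role holders.
$forest = Get-ADForest
"Forest root domain : $($forest.RootDomain)"
"Domains in forest  : $($forest.Domains -join ', ')"
"Global catalogs    : $($forest.GlobalCatalogs -join ', ')"
"Schema master      : $($forest.SchemaMaster)"
"Domain naming mstr : $($forest.DomainNamingMaster)"

# Domain-level facts for the domain this host belongs to, including RODCs.
$domain = Get-ADDomain
"Domain NC          : $($domain.DistinguishedName)"
"Parent / children  : $($domain.ParentDomain) / $($domain.ChildDomains -join ', ')"
"PDC emulator       : $($domain.PDCEmulator)"
"Writable DCs       : $($domain.ReplicaDirectoryServers -join ', ')"
"Read-only DCs      : $($domain.ReadOnlyReplicaDirectoryServers -join ', ')"

# Per-DC view: which DCs are GCs, which are read-only, and the site of each.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Sites and subnets. A site with no subnet objects can never be matched by a
# client IP, so clients in that location fall back to any DC in the forest.
$subnets = Get-ADReplicationSubnet -Filter *
$subnets | Select-Object Name, Site | Format-Table -AutoSize
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_
    if (-not ($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })) {
        Write-Warning "Site $($site.Name) has no subnet objects assigned"
    }
}
```

Run it from any domain member; the warnings at the end are the same condition that produces NO_CLIENT_SITE entries in Netlogon.log, found from the directory side instead of from the logs.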




Building Blocks of AD: Users, Groups, and Computers in Focus


AD stores three kinds of security principals that you deal with daily: users, groups and computers. Each carries a unique security identifier (SID) that is what actually appears in access control lists; names can be changed, SIDs cannot.

  • Users: objects that represent people (and, before managed service accounts existed, most services). A user account is a security principal that can authenticate to the domain and be granted permissions on resources such as files and printers. Besides its SID it carries attributes such as sAMAccountName, userPrincipalName, the password hashes, and the userAccountControl flags that govern how and when it may log on.

  • Groups: objects that contain users, computers and other groups. Assigning permissions to a group rather than to individual accounts is what keeps access manageable at scale: adding or removing a member changes access everywhere the group is used.

  • Computers: objects that represent the physical or virtual machines joined to the domain. A computer account authenticates like a user, with a machine password that Windows rotates automatically, can be a member of groups, and is the object that computer-side Group Policy settings are applied to.



Let's Create a User Object


In AD, a user object represents a single person or a service identity that needs access to network resources (groups and computers have their own object classes). The account gives that identity a unique name and SID for authentication and authorization, and carries attributes such as display name, password, e-mail address and group memberships. User accounts are what you grant access to shared files, printers and applications, and what you delegate administrative rights to. Many settings are configurable per object: password options (must change at next logon, cannot change, never expires), logon hours and workstation restrictions, account expiry, Kerberos options such as "account is sensitive and cannot be delegated", and profile settings. The image below shows how configurable a user object is.



Use any of the following tools to create and manage user objects in AD:

  • Active Directory Administrative Center

  • Active Directory Users and Computers

  • Windows Admin Center

  • Windows PowerShell

  • The dsadd command-line tool
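As an added example (not from the original post), here is the PowerShell route end to end: create the OU if it does not exist, create the user with the options a security-conscious administrator sets at birth, verify what was written, and then audit the OU for the account flags attackers look for. The domain, the OU name "Staff" and the user "jdoe" are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Assumed names: an OU called
# "Staff" directly under the domain root and a new user "jdoe".
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName            # e.g. DC=corp,DC=example,DC=com

# Create the OU if it is missing so the user never lands in CN=Users, where no
# OU-linked GPO or delegation reaches it.
$ou = Get-ADOrganizationalUnit -LDAPFilter '(ou=Staff)' -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn `
              -ProtectedFromAccidentalDeletion $true -PassThru
}

# Never embed the password in a script; prompt for it as a SecureString.
$initialPassword = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

$userParams = @{
    Name                   = 'Jane Doe'
    GivenName              = 'Jane'
    Surname                = 'Doe'
    SamAccountName         = 'jdoe'
    UserPrincipalName      = "jdoe@$($domain.DNSRoot)"
    Path                   = $ou.DistinguishedName
    AccountPassword        = $initialPassword
    ChangePasswordAtLogon  = $true              # the person sets their own secret
    KerberosEncryptionType = 'AES128,AES256'    # no RC4 Kerberos keys for this account
    Enabled                = $true
}
New-ADUser @userParams

# Verify what was actually written, including the SID that ACLs will reference.
Get-ADUser -Identity 'jdoe' -Properties whenCreated, PasswordLastSet, KerberosEncryptionType |
    Select-Object SamAccountName, SID, DistinguishedName, Enabled, PasswordLastSet, KerberosEncryptionType

# Audit the OU for flags that weaken an account: Kerberos pre-authentication
# disabled (offline password guessing from AS-REP data), reversible encryption,
# and passwords that never expire.
Get-ADUser -SearchBase $ou.DistinguishedName -Filter * `
    -Properties DoesNotRequirePreAuth, AllowReversiblePasswordEncryption, PasswordNeverExpires |
    Where-Object { $_.DoesNotRequirePreAuth -or $_.AllowReversiblePasswordEncryption -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, DoesNotRequirePreAuth, AllowReversiblePasswordEncryption, PasswordNeverExpires
```

The splatted hashtable is deliberate: it keeps every option visible in one place and, unlike backtick continuation, allows an inline comment beside each setting. The final audit is the kind of check worth scheduling, because those flags are far more often set by an installer or an old ticket than by policy.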



Managed Service Accounts: Security and Simplicity



Services are commonly used in applications to support their functionality, and they are typically installed on the server. These services often run automatically at server startup or in response to specific events, and they typically operate in the background without requiring any user interaction. To start and authenticate a service, a service account is used. This account can either be a local account on the server, such as the built-in Local Service, Network Service, or Local System accounts, or it can be a domain-based account located in AD that has been configured as a service account.

Using a domain-based account to run program services can provide benefits such as centralized administration and meeting program requirements. However, there are also challenges associated with this approach, including:


  1. Increased administration effort may be required to securely manage the service account password.

  2. It can be challenging to identify where a domain-based account is being used as a service account.

  3. Additional administration effort may be necessary to manage the service principal name (SPN).


Addressing these challenges requires careful planning and implementation, such as establishing a process for regularly changing service account passwords and keeping track of service account usage. Additionally, properly configuring SPNs and monitoring for unauthorized access attempts can help mitigate security risks associated with domain-based service accounts.

A managed service account (MSA, now usually called a standalone MSA) is a special AD object class, introduced in Windows Server 2008 R2, designed to take the pain out of service accounts. The operating system generates a long random password, rotates it automatically (every 30 days by default) and keeps the account's service principal names (SPNs) in step with the host name, so no administrator ever knows or types the password and it cannot be phished, reused or left unchanged for years. A standalone MSA can be installed on only one computer, which both limits what a compromise of that computer exposes and is the limitation that group managed service accounts were created to remove.



Group Managed Service Accounts: Safeguarding Access, Simplifying Administration


Group Managed Service Accounts (gMSAs), available from Windows Server 2012, extend standalone MSAs so that multiple servers can run services under the same account. This is what server farms, failover clusters and load-balanced web tiers need: the service must run under one identity on every node, with one set of SPNs, and a standalone MSA cannot provide that. A gMSA keeps automatic password maintenance and SPN management while allowing every host you authorize to retrieve the current password. Before the first gMSA can be created, the forest needs a Key Distribution Service (KDS) root key; it is stored in the configuration partition, so one key serves every domain in the forest, and the KDS on each domain controller derives the gMSA passwords from it.



Create a KDS root key



To create the KDS root key, use the Add-KdsRootKey cmdlet from the Active Directory module for Windows PowerShell. A new root key is not usable until 10 hours after its effective time, which gives every domain controller in the forest time to replicate it; -EffectiveImmediately sets the effective time to now, so you still wait roughly 10 hours before creating the first gMSA. Once the key is in effect, every DC can compute the current password of any gMSA from it, which is why the key is never exported and why access to it is limited to domain controllers.


The command to create the KDS root key is:

Add-KdsRootKey -EffectiveImmediately

Run it as a member of Domain Admins or Enterprise Admins, on or against a domain controller running Windows Server 2012 or later. Get-KdsRootKey shows whether a key already exists, which is worth checking first because a forest only ever needs one.

To create a group managed service account, use New-ADServiceAccount. Two parameters matter: -DNSHostName, which is mandatory for a gMSA, and -PrincipalsAllowedToRetrieveManagedPassword, which names the computer accounts (or, better, a security group of computer accounts) that may read the password. Computer accounts are referenced by their sAMAccountName, which ends in a dollar sign.

Here's an example command (the DNS suffix corp.example.com stands in for your own domain):

New-ADServiceAccount -Name AcmeSQLCluster -DNSHostName AcmeSQLCluster.corp.example.com -PrincipalsAllowedToRetrieveManagedPassword 'AC-SQL1$','AC-SQL2$','AC-SQL3$'

In this example, "AcmeSQLCluster" is the name of the new group managed service account (its sAMAccountName becomes AcmeSQLCluster$), and AC-SQL1, AC-SQL2 and AC-SQL3 are the computer accounts allowed to retrieve its managed password. Anything that can authenticate as one of those principals can read the password from the msDS-ManagedPassword attribute, so that list is, in effect, the list of who knows the password.
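The two commands above are the minimum. As an added example (not from the original post), the script below is the full deployment an administrator would actually run: check for the KDS root key, authorize hosts through a group instead of a hard-coded list, create the gMSA with its SPNs and encryption types, audit who can retrieve the password, and verify on a member server. The names (domain corp.example.com, gMSA AcmeSQLCluster, group SQL-Cluster-Hosts, hosts AC-SQL1 to AC-SQL3) are assumptions.

```powershell
# Added example, not from the original post: end-to-end gMSA deployment with
# the checks worth running before a service depends on it. Assumed names:
# gMSA "AcmeSQLCluster", host group "SQL-Cluster-Hosts", servers AC-SQL1..3.
# Steps 1-4 run on a DC or admin host with the ActiveDirectory module; step 5
# runs on each SQL host.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$gmsa    = 'AcmeSQLCluster'
$hostGrp = 'SQL-Cluster-Hosts'

# 1. The forest needs exactly one KDS root key. A new key becomes usable about
#    10 hours after its effective time even with -EffectiveImmediately.
if (-not (Get-KdsRootKey)) {
    # Production: Add-KdsRootKey -EffectiveImmediately, then wait ~10 hours.
    # Single-DC lab only: backdate the effective time so it is usable now.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Authorize a group rather than individual computers, so adding a cluster
#    node later is a group membership change instead of a gMSA edit.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$hostGrp)")) {
    New-ADGroup -Name $hostGrp -GroupScope DomainLocal -GroupCategory Security `
                -Description "Computers allowed to retrieve the $gmsa gMSA password"
}
Add-ADGroupMember -Identity $hostGrp -Members (Get-ADComputer -Filter "Name -like 'AC-SQL*'")

# 3. Create the gMSA. -DNSHostName is mandatory for a group MSA; registering the
#    SPN here means no later setspn.exe work, and AES-only keys rule out RC4 tickets.
New-ADServiceAccount -Name $gmsa `
    -DNSHostName "$gmsa.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGrp `
    -ServicePrincipalNames "MSSQLSvc/$gmsa.$($domain.DNSRoot):1433" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType 'AES128,AES256'

# 4. Audit: every principal listed here can read msDS-ManagedPassword, which is
#    the clear-text password. Review this list the way you review Domain Admins.
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# 5. On each member server, after a reboot so the new group membership is in the
#    computer's token (requires the RSAT ActiveDirectory module on the server):
#      Install-ADServiceAccount -Identity 'AcmeSQLCluster'
#      Test-ADServiceAccount    -Identity 'AcmeSQLCluster'   # $true = host can retrieve the password
#    Then set the SQL service to run as CORP\AcmeSQLCluster$ with an empty password.
```

If Test-ADServiceAccount returns $false on a host, the usual causes are, in order, that the computer is not yet in the group (or has not rebooted since being added), that the KDS root key is not yet in effect, or that the host cannot reach a Windows Server 2012 or later DC.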



Group Objects for Resource Management


Assigning permissions and rights to individual user accounts in small networks may be feasible, but as the size of the network increases, this approach becomes impractical and inefficient. To illustrate, if several users require the same level of access to a folder, it would be more efficient to create a group that includes the necessary user accounts and then grant the appropriate permissions to the group. This way, any changes to permissions can be made to the group, rather than to individual user accounts, which can be a time-consuming and error-prone process. Additionally, by using groups, administrators can more easily manage user access and reduce the risk of unauthorized access.


Groups in AD are an essential component of user and resource management. To effectively implement groups in your organization, it's essential to understand the scope of different AD group types and how they can be used to manage access to resources or assign management rights and responsibilities.

AD groups have one of three scopes, plus a set of built-in groups that ship with every domain:

  1. Domain local groups: used to grant permissions on resources in their own domain. They can contain users, computers, global groups and universal groups from any domain in the forest (and from trusted domains), plus domain local groups from the same domain, but they can only be placed on ACLs of resources in the domain where they exist.

  2. Global groups: used to collect accounts that share a role. They can contain only users, computers and other global groups from their own domain, but they can be granted permissions on resources in any domain in the forest or in a trusting domain.

  3. Universal groups: can contain users, computers, global groups and universal groups from any domain in the forest and can be granted permissions anywhere in the forest. Their membership is stored in the global catalog, so every change replicates forest-wide.

  4. Built-in groups: created automatically when the domain is installed and located in CN=Builtin (Administrators, Account Operators, Backup Operators, Server Operators, Print Operators and others). They are domain local in scope and carry default rights on domain controllers. Microsoft classes several of them as privileged because their members can log on to or load code on domain controllers, so their membership deserves the same scrutiny as Domain Admins.


By understanding the scope and purpose of these group types, you can use them effectively to manage access to resources and assign management rights and responsibilities.



In a Windows Server enterprise network, a group also has a type (the group category): security or distribution.

Security groups: are security-enabled, meaning their SID is placed in members' access tokens, so they can be used in permission entries in access control lists (ACLs) and in user rights assignments. If you want to use a group to control access, it must be a security group. Security groups can also be mail-enabled (in Exchange, for example), so one group can serve both purposes.

Distribution groups: exist only for e-mail applications and are not security-enabled. Their SID is never placed in an access token, so they cannot be used to grant permissions: a distribution group added to a folder's ACL by mistake has no effect. A distribution group can be converted to a security group (Set-ADGroup -GroupCategory Security), but that instantly turns a mailing list into an access grant, so review its membership before converting.



Group Scope: Shine a Light on Access Control


Group scopes determine where a group can be granted permissions and who can be a member of it. There are four scopes you will meet in a Windows Server environment:


  1. Local: groups in the local Security Accounts Manager (SAM) database of a standalone or domain-member server or workstation; they are not stored in AD and exist only on that computer.
     - Permissions: on resources on that computer only.
     - Members: local accounts, plus users, computers and groups from anywhere in the AD forest or a trusted domain. (By default the domain's Domain Admins group is a member of every member computer's local Administrators group.)

  2. Domain local: stored in AD and primarily used to hold the permissions on a resource or to assign management rights and responsibilities. The scope is the domain in which the group resides.
     - Permissions: on resources in the local domain only, which means on any computer joined to that domain.
     - Members: users, computers, global groups and universal groups from anywhere in the forest or trusted domains, plus domain local groups from the same domain.

  3. Global: primarily used to collect users who share a characteristic, such as a department or a geographic location.
     - Permissions: can be granted anywhere in the forest and in trusting domains.
     - Members: users, computers and global groups from the local domain only.

  4. Universal: most often used in multi-domain forests because it combines the membership flexibility of domain local groups with the forest-wide usability of global groups.
     - Permissions: can be granted anywhere in the forest.
     - Members: users, computers, global groups and universal groups from anywhere in the forest (but not domain local groups). Membership is stored in the global catalog, so each change replicates to every GC in the forest.

The combination Microsoft recommends is AGDLP: place Accounts in Global groups, nest those in Domain Local groups, and assign Permissions to the domain local groups. In a multi-domain forest a Universal group sits between the global and domain local layers (AGUDLP).
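As an added example (not from the original post), the following PowerShell puts the group types and scopes from the last two sections to work in the AGDLP pattern, grants the resulting domain local group NTFS permissions, and then runs the two audits that show who really has access and which groups cannot. The OU "Groups", the folder D:\Shares\Finance and the users jdoe and asmith are assumptions.

```powershell
# Added example, not from the original post: AGDLP in practice. Assumed names:
# OU "Groups" under the domain root, share folder D:\Shares\Finance (on the
# machine running the script), users jdoe and asmith.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$groupOu = "OU=Groups,$($domain.DistinguishedName)"
$share   = 'D:\Shares\Finance'

# A -> G: the role group is Global, so its members must come from this domain.
New-ADGroup -Name 'Role_Finance_Analysts' -GroupScope Global -GroupCategory Security -Path $groupOu `
            -Description 'Finance analysts (role group, the G in AGDLP)'
Add-ADGroupMember -Identity 'Role_Finance_Analysts' -Members 'jdoe', 'asmith'

# G -> DL: the resource group is Domain Local. It is the only group on the ACL
# and can hold global or universal groups from any trusted domain.
New-ADGroup -Name 'ACL_Finance_Share_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
            -Description 'Modify on the Finance share (resource group, the DL in AGDLP)'
Add-ADGroupMember -Identity 'ACL_Finance_Share_Modify' -Members 'Role_Finance_Analysts'

# DL -> P: grant the resource group Modify on the folder, inherited by children.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$($domain.NetBIOSName)\ACL_Finance_Share_Modify",
            'Modify',
            'ContainerInherit,ObjectInherit',
            'None',
            'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit 1: who actually gets Modify, following the nesting. Anyone surprising
# here got in through a role group, which is where the fix belongs.
Get-ADGroupMember -Identity 'ACL_Finance_Share_Modify' -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName

# Audit 2: distribution groups cannot carry permissions. If a request asks to
# "grant the Finance mailing list access", create or convert a security group first.
Get-ADGroup -Filter "GroupCategory -eq 'Distribution'" -SearchBase $groupOu |
    Select-Object Name, GroupScope, GroupCategory

# Audit 3: role groups should contain people, not other resource groups.
# A domain local group nested in a global group is rejected by AD, but a role
# group with computers or service accounts in it is a sign of drift.
Get-ADGroupMember -Identity 'Role_Finance_Analysts' |
    Where-Object { $_.objectClass -ne 'user' } |
    Select-Object SamAccountName, objectClass
```

Note that Get-ADGroupMember -Recursive expands nesting but cannot see members from an external trusted forest (they appear as foreign security principals); in a multi-forest setup the tokenGroups attribute of a test user is the authoritative answer for what that user actually receives.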


Computer Objects: Streamlining Management in AD


Computers are essential components of a Windows Server network, and computer objects represent them in Active Directory. Like users, computers are security principals: each has an account with a sign-in name (the computer name followed by a dollar sign) and a machine password that the computer itself changes automatically, every 30 days by default. Because the machine owns that secret, a computer account can authenticate to the domain and be granted access just as a user can.

Computer objects are used to authenticate computers with the domain, and like users, they can belong to groups and have access to resources that can be configured using Group Policy. The lifecycle of a computer account begins when you create the computer object and join it to your domain.

As an administrator, day-to-day tasks related to computer objects include configuring computer properties, moving computers between OUs, managing the computer itself, and performing tasks like renaming, resetting, disabling, enabling, and eventually deleting the computer object when necessary.


Computers Container


When creating a computer object in AD, you need to specify where to put it. By default, the computer account is placed in the Computers container, which is a built-in container in an AD DS domain.

It's important to note that the Computers container is not an organizational unit (OU). It is an object of the Container class with the common name CN=Computers, directly under the domain root. Consequently you cannot create an OU beneath it and you cannot link a Group Policy Object to it; computers left there receive only the GPOs linked at the domain and site level. The recommended practice is to create purpose-built OUs for computer objects and to redirect the default location for newly joined computers to one of them with redircmp.exe, so that nothing accumulates in CN=Computers unmanaged.

Creating custom OUs allows you to better organize and manage computer objects by applying Group Policy Objects to specific OUs, delegating administration to specific groups, and enforcing security policies. In addition, it enables you to more easily move, rename, and disable computer objects as needed.
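As an added example (not from the original post), the script below covers the computer-object tasks this section describes, preceded by two checks that decide where computer objects come from in the first place: who is allowed to create them and where they land. The OU names "Workstations" and "Disabled Computers" and the 90-day staleness threshold are assumptions.

```powershell
# Added example, not from the original post: computer-object housekeeping plus
# the two domain-level checks that govern where computer accounts come from.
# Assumed names: OUs "Workstations" and "Disabled Computers" under the domain
# root; 90 days as the staleness threshold.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$wsOu       = "OU=Workstations,$($domain.DistinguishedName)"
$disabledOu = "OU=Disabled Computers,$($domain.DistinguishedName)"
$staleAfter = (Get-Date).AddDays(-90)

# Check 1: by default every authenticated user may create up to 10 computer
# accounts (ms-DS-MachineAccountQuota). Those accounts land in CN=Computers,
# outside any OU-linked GPO, and are created by people you did not delegate to.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
if ($quota -gt 0) {
    Write-Warning 'Non-zero quota: any domain user can join computers. Set it to 0 and delegate joins to a specific group:'
    Write-Warning "  Set-ADDomain -Identity $($domain.DNSRoot) -Replace @{'ms-DS-MachineAccountQuota' = 0}"
}

# Check 2: where do newly joined computers go? The default is CN=Computers;
# redircmp.exe (run on a DC) points it at an OU so GPOs apply from day one.
"Default computer container: $($domain.ComputersContainer)"
#   redircmp.exe "OU=Workstations,DC=corp,DC=example,DC=com"

# Housekeeping: find enabled computers whose machine password and last logon are
# both older than the threshold. lastLogonTimestamp is replicated (accurate to
# about 14 days); lastLogon is per-DC and is not.
$stale = Get-ADComputer -SearchBase $wsOu -Filter 'Enabled -eq $true' `
             -Properties lastLogonTimestamp, PasswordLastSet, OperatingSystem |
    Where-Object {
        $_.PasswordLastSet -lt $staleAfter -and
        ($null -eq $_.lastLogonTimestamp -or [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $staleAfter)
    }

$stale | Select-Object Name, OperatingSystem, PasswordLastSet,
    @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Format-Table -AutoSize

# Disable first, move to a quarantine OU, and delete only after a retention
# period: a disabled account can be re-enabled in seconds, a deleted one needs
# the AD Recycle Bin. Recording the old location makes the rollback trivial.
foreach ($c in $stale) {
    Set-ADComputer -Identity $c -Description "Disabled $(Get-Date -Format yyyy-MM-dd) as stale; was in $($c.DistinguishedName)"
    Disable-ADAccount -Identity $c
    Move-ADObject -Identity $c -TargetPath $disabledOu
}
```

A stale computer account is not only clutter: its machine password still works until the account is disabled, so an old laptop or a restored VM snapshot can rejoin the network with a valid identity. The disable step, not the delete step, is what removes that risk.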



Conclusion


To sum up "Active Directory Fundamentals (Part One: Demystifying AD DS and its Components)": AD is the foundation of enterprise networks built on Windows, providing a hierarchical, replicated directory through which configuration and security settings are managed across the enterprise. In this post I covered the key components of AD, including partitions, forests, domains, sites, domain controllers and organizational units (OUs), and the roles of users, computers and groups, along with how to create and manage user objects. I also discussed managed service accounts and group managed service accounts, which take the password problem out of service accounts and narrow who can retrieve a service's credentials. A strong grasp of these pieces is essential whether you administer, defend or assess an environment, and this post is intended as the overview you can build on in IT, Blue Team or Red Team operations.

Thank you for reading "Active Directory Fundamentals (Part One: ADDS and its Components)" part one of four in the Active Directory Fundamentals series on Cyb3r-S3c. If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.



/Signing Off

Pragmat1c_On3







