Confusion: AD vs AD DS vs AAD?
AD (Active Directory) is the product line which contains services such as AD DS, AD LDS, AD FS, and AD RMS.
In older versions of Active Directory (before 2008) this distinction didn’t exist; the Active Directory services were just called Active Directory.
In a nutshell, in the Windows Server versions before 2008 there is only Active Directory (AD), which is the name for both the Microsoft product and the directory service. Starting with Windows Server 2008, Microsoft integrated more services into Active Directory, such as Domain Services, and that’s where the name Active Directory Domain Services (AD DS) came from. So, before 2008 the directory service is called Active Directory (AD), and after 2008 it is called Active Directory Domain Services (AD DS). Basically, it’s just confusing branding by Microsoft.
And lastly, AAD (Azure Active Directory) is a new-ish product by Microsoft; it’s basically AD in the cloud.
So, now that we know that, let’s talk about AD DS.
What’s an Active Directory Domain Service?
Active Directory Domain Service (sometimes abbreviated AD DS) is a directory service that is commonly used in organizations for structure and networking. AD DS holds information about a network’s objects and makes it simple for users to find and use that information.
According to Microsoft’s documentation, AD DS uses a secure hierarchical containment structure, called the logical structure, to store and organize objects on a network. Basically, AD DS allows administrators to organize objects (e.g. a group, a computer, various other devices) into a hierarchical collection of containers, which is called the logical structure. Essentially, it simplifies the administration and moderation of a network.
The AD DS Schema contains a set of rules for every object class that can be created in AD DS.
An object is a single element (e.g.: a group, a user, a computer, an application, a shared folder). Objects can contain other objects.
An object has unique attributes that identify it. For example, the attributes for a user object could be a username, e-mail address, first and last name, phone number.
Forest, domain and trees
An AD DS domain is a collection of objects within a network. It is the core unit of a logical structure. A domain holds a database containing information about objects which helps to identify them.
A domain tree (sometimes just called tree) is a collection of domains.
A forest is a collection of trees.
Organizational Unit (OU)
An OU is a container within an AD DS domain which can hold multiple objects. Typically, OUs are implemented to make administration and management simpler. For example, you can group multiple users of the same level into an OU to simplify permission assignment. An OU can contain multiple OUs within itself.
Note: it is the smallest unit which can have Group Policy settings or account permissions.
Domain Controller (DC)
A domain controller is a server that is running Windows Server OS and has AD DS installed.
Basically, domain controller:
- owns a copy of the data (directory) store for the domain in which it is located
- contains schema and configuration directory for the entire forest
- provides authentication of users accessing the domain resources (e.g. Kerberos authentication, see Kerberos Authentication Overview)
- is used to perform updates on other domain controllers in the domain and forest
- has administrative access to manage objects such as users, network resources
Note: a domain can have one or more domain controllers.
As mentioned earlier, a DC holds a data store, and that data store contains the Ntds.dit file.
The Ntds.dit file is a database that contains Active Directory data such as information about objects and, more importantly, password hashes for all users in that domain.
In a penetration test, if a DC is compromised, obviously you’d want to get the Ntds.dit file.
A trust is a relationship between domains; it makes it possible for a user in one domain to get authenticated by a domain controller in another domain. So, trusts can enable users to gain access to resources in another domain.
A trust can be one-way or two-way:
- Two-way – domain A can access domain B resources and domain B can access domain A resources.
- One-way – only domain A can access domain B resources.
Types of trusts:
- Non-transitive (sometimes called directional) trust enables domain A to trust just domain B.
- Transitive trust enables domain A to trust domain B. However, domain A also trusts everything that domain B trusts. Meaning that, if domain B has trusts in another forest that domain A is not part of, then after enabling a transitive trust between domain A and domain B, domain A will also trust domain B’s trusted domains or trees.
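
To see how direction and transitivity combine when reviewing a trust configuration, here is a small model added as an example (it is not from the original article and does not query a real directory). The domain names and trust list are constructed, and the model assumes that a chain of more than one hop counts only if every hop in it is transitive; it ignores controls such as SID filtering and selective authentication.

```python
from collections import deque

# Constructed sample data: (trusting, trusted, transitive, two_way).
# "X trusts Y" means accounts from Y can be authenticated for resources in X.
SAMPLE_TRUSTS = [
    ("corp.example", "dev.example", True, True),
    ("dev.example", "lab.example", True, False),
    ("lab.example", "partner.example", False, False),
    ("corp.example", "vendor.example", False, False),
]


def build_edges(trusts):
    """Expand each trust into directed trusting -> trusted edges."""
    edges = {}
    for trusting, trusted, transitive, two_way in trusts:
        edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:  # a two-way trust behaves like two one-way trusts
            edges.setdefault(trusted, []).append((trusting, transitive))
    return edges


def effective_trusts(trusts, domain):
    """Map every domain that `domain` ends up trusting to the trust path used."""
    edges = build_edges(trusts)
    # Direct trusts always apply, transitive or not.
    result = {t: [domain, t] for t, _ in edges.get(domain, [])}
    # Longer chains are followed only across transitive hops (model assumption).
    queue, seen = deque([[domain]]), {domain}
    while queue:
        path = queue.popleft()
        for trusted, transitive in edges.get(path[-1], []):
            if transitive and trusted not in seen:
                seen.add(trusted)
                result.setdefault(trusted, path + [trusted])
                queue.append(path + [trusted])
    return result


def trusted_by(trusts, domain):
    """Domains whose resources accept accounts from `domain` (its exposure)."""
    names = {d for t in trusts for d in t[:2]}
    return sorted(d for d in names if domain in effective_trusts(trusts, d))


if __name__ == "__main__":
    for name in ("corp.example", "dev.example", "lab.example"):
        print(name, "trusts", sorted(effective_trusts(SAMPLE_TRUSTS, name)))
    print("lab.example is trusted by", trusted_by(SAMPLE_TRUSTS, "lab.example"))
```

In the sample, corp.example ends up trusting lab.example only through dev.example, which is the kind of indirect relationship that is easy to miss when trusts are reviewed one at a time.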