Why understand AD before attacking it
Active Directory is present in 95% of Fortune 500 companies. It is the central identity and access management system in enterprise Windows environments. Compromising AD means compromising the entire organization.
But to attack it effectively, you first need to understand what it is — its structure, its components, and how its objects interact with each other.
Active Directory is a centralized directory that manages users, computers, groups, and security policies in an enterprise Windows network.
The Domain — the basic unit
An Active Directory domain is a group of objects (users, computers, groups) that share a common database and a centralized security policy. Each domain has a unique DNS name, for example corp.local or acme.com.
Everything that happens in a domain is managed by a Domain Controller (DC).
Domain is the basic administrative unit of Active Directory.
Domain Controller is the server that hosts and manages the AD database.
Key components of Active Directory
The Domain Controller (DC)
This is the central server. It stores the AD database (NTDS.dit), authenticates users, applies Group Policy Objects (GPOs), and manages permissions. Compromising the DC = compromising the entire domain.
AD objects
Everything in AD is an object. The most important objects for an attacker:
| Object type | Description | Offensive interest |
|---|---|---|
| User | Human user account | Primary target — credentials, access |
| Computer | Domain-joined machine | Pivot for lateral movement |
| Group | Collection of objects with shared permissions | "Domain Admins" = full domain access |
| Service Account | Account used by services/applications | Kerberoasting target — often poorly secured |
| GPO | Group Policy applied to objects | Can deploy malicious scripts if writable |
Organizational Units (OUs)
OUs are containers that organize AD objects hierarchically. Example: OU=Computers,OU=Paris,DC=corp,DC=local. GPOs can be applied per OU.
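Reading a distinguished name like the one above is easier with a small parser. The following is an added example (not part of the lesson): it splits a DN into its relative DNs, honouring the backslash escape LDAP uses for commas inside a value, and rebuilds the OU path and the domain DNS name from the `OU` and `DC` components. Hex escapes of the form `\2C` are not handled, which is a stated limitation of this snippet.

```python
"""Parse an Active Directory distinguished name (DN) into its components.

Added example, not from the lesson. Handles the backslash escape for commas
and other special characters inside a value (e.g. "CN=Doe\, John");
hex escapes such as "\2C" are not handled.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ParsedDN:
    rdns: List[Tuple[str, str]]  # (attribute, value) pairs, leaf first
    ou_path: List[str]           # OU values from the leaf outward, e.g. ["Computers", "Paris"]
    domain_dns: str              # DNS name rebuilt from the DC components, e.g. "corp.local"


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) tuples, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)          # keep the escaped character literally
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value))
    return rdns


def parse_dn(dn: str) -> ParsedDN:
    """Return the RDN list, the OU path and the domain DNS name for a DN."""
    rdns = split_dn(dn)
    ou_path = [v for a, v in rdns if a == "OU"]
    dcs = [v for a, v in rdns if a == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components; cannot determine the domain")
    return ParsedDN(rdns=rdns, ou_path=ou_path, domain_dns=".".join(dcs))


if __name__ == "__main__":
    # The DN used in the lesson text
    print(parse_dn("OU=Computers,OU=Paris,DC=corp,DC=local"))
```

The DC components read left to right give the domain's DNS name, which is why DNS and AD are so tightly coupled; the OU components read left to right give the path from the object up to the domain root, the reverse of how the OU tree is drawn in the management console.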
The Forest
A forest is a set of domains that share a common AD schema and trust relationships. It is AD’s highest security boundary. Multiple domains in a forest can trust each other — which opens inter-domain attack paths.
The NTDS.dit database
NTDS.dit is the Active Directory database file stored on the DC at C:\Windows\NTDS\NTDS.dit. It contains:
- All AD objects (users, computers, groups)
- The password hashes of all domain users
- The attributes of each object
This is the holy grail of an AD attack. Extracting NTDS.dit = retrieving the hashes of all users, including Domain Admins. This is exactly what DCSync does (lesson 14).
Privileged groups to know
These are the priority targets in an AD attack:
| Group | Privilege level | What it gives you |
|---|---|---|
| Domain Admins | Maximum | Admin on all machines in the domain |
| Enterprise Admins | Maximum (forest) | Admin across the entire AD forest |
| Schema Admins | Very high | Can modify the AD schema |
| Backup Operators | High | Can read NTDS.dit — often overlooked |
| Account Operators | High | Can create/modify accounts |
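Because group membership nests, the direct `member` list of Domain Admins rarely tells the whole story. The following is an added example (not from the lesson) of the audit a defender would run: over a constructed snapshot of directory records shaped like LDAP search results (`distinguishedName`, `objectClass`, `member`, `servicePrincipalName`), it resolves the effective members of the privileged groups above, records the nesting path, and flags any account with an SPN (a service account) that ends up privileged. The directory content, group names and DNs are all constructed for the example.

```python
"""Audit effective (nested) membership of privileged AD groups.

Added example, not from the lesson. Works over a constructed snapshot of
directory records; no live domain is needed. Membership granted through
primaryGroupID is not reflected in the `member` attribute and is therefore
not seen by this check.
"""
from collections import deque

PRIVILEGED_GROUPS = ["Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Backup Operators", "Account Operators"]

# Constructed sample directory: DN -> attributes
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=local": {
        "objectClass": "group",
        "member": ["CN=alice,CN=Users,DC=corp,DC=local",
                   "CN=IT-Ops,OU=Groups,DC=corp,DC=local"],
    },
    "CN=IT-Ops,OU=Groups,DC=corp,DC=local": {
        "objectClass": "group",
        "member": ["CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
                   "CN=bob,CN=Users,DC=corp,DC=local"],
    },
    "CN=Backup Operators,CN=Builtin,DC=corp,DC=local": {
        "objectClass": "group",
        "member": ["CN=svc-backup,OU=Service Accounts,DC=corp,DC=local"],
    },
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=local": {"objectClass": "group", "member": []},
    "CN=alice,CN=Users,DC=corp,DC=local": {"objectClass": "user", "servicePrincipalName": []},
    "CN=bob,CN=Users,DC=corp,DC=local": {"objectClass": "user", "servicePrincipalName": []},
    "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local": {
        "objectClass": "user",
        "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
    },
}


def cn_of(dn):
    """Leaf name of a DN, e.g. 'Domain Admins' from 'CN=Domain Admins,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_members(group_dn, directory):
    """Return {member_dn: path} for every non-group object reachable through nesting."""
    found, seen = {}, {group_dn}
    queue = deque([(group_dn, [cn_of(group_dn)])])
    while queue:
        dn, path = queue.popleft()
        for m in directory.get(dn, {}).get("member", []):
            if m in seen:
                continue  # already visited, also guards against circular nesting
            seen.add(m)
            if directory.get(m, {}).get("objectClass") == "group":
                queue.append((m, path + [cn_of(m)]))
            else:
                found[m] = path + [cn_of(m)]
    return found


def audit(directory):
    """Map each privileged group present to its effective members with flags."""
    report = {}
    for group in PRIVILEGED_GROUPS:
        gdn = next((dn for dn in directory if cn_of(dn) == group), None)
        if gdn is None:
            continue
        for m, path in effective_members(gdn, directory).items():
            flags = []
            if len(path) > 2:
                flags.append("nested")           # reached through another group
            if directory[m].get("servicePrincipalName"):
                flags.append("service-account")  # SPN set: Kerberoastable if privileged
            report.setdefault(group, []).append(
                {"member": cn_of(m), "via": " -> ".join(path), "flags": flags})
    return report


if __name__ == "__main__":
    for group, entries in audit(DIRECTORY).items():
        for e in entries:
            print(f"{group:20} {e['member']:12} via {e['via']}  {e['flags']}")
```

In the sample, `svc-backup` never appears directly in Domain Admins, yet it is an effective member through `IT-Ops` and also sits in Backup Operators; that is exactly the kind of finding a direct-membership review misses.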
Trust relationships (Trusts)
When two domains trust each other, users from one domain can access resources in the other. That’s useful in enterprises — and dangerous for security.
| Trust type | Direction | Risk |
|---|---|---|
| One-way trust | A → B (A trusts B) | Compromising B enables access to A |
| Two-way trust | A ↔ B | Compromising one domain threatens the other |
| Forest trust | Between forests | Cross-forest compromise is possible |
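Trust direction is the part of this table people most often get backwards, so here is an added example (not from the lesson) that models it. A trust is recorded as `(trusting, trusted, transitive)`: the trusting domain accepts principals from the trusted domain, so compromising the trusted domain exposes the trusting one, matching the "A trusts B" row above. A two-way trust is two such records. The model is deliberately simplified: a chain of trusts only carries access across several hops when every trust in it is transitive, and SID filtering and selective authentication are not represented. The domain names and trusts are constructed.

```python
"""Blast-radius check: which domains become reachable once one is compromised?

Added example, not from the lesson, using a simplified trust model.
(trusting, trusted, transitive): `trusting` accepts principals from `trusted`.
"""
from collections import deque

# Constructed sample: corp.local and its child dev.corp.local share a two-way
# transitive trust, as does dev.corp.local with eu.dev.corp.local; corp.local
# also has a one-way, non-transitive external trust towards partner.com.
TRUSTS = [
    ("corp.local", "dev.corp.local", True),
    ("dev.corp.local", "corp.local", True),
    ("dev.corp.local", "eu.dev.corp.local", True),
    ("eu.dev.corp.local", "dev.corp.local", True),
    ("corp.local", "partner.com", False),
]


def reachable_from(compromised, trusts):
    """Return {domain: path} of domains whose resources a principal from
    `compromised` can reach through the given trusts."""
    reached = {}
    queue = deque([(compromised, [compromised], True)])
    while queue:
        domain, path, chain_transitive = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusted != domain or trusting in reached or trusting == compromised:
                continue
            first_hop = len(path) == 1
            # Beyond the first hop, every trust in the chain must be transitive.
            if not first_hop and not (transitive and chain_transitive):
                continue
            new_path = path + [trusting]
            reached[trusting] = new_path
            queue.append((trusting, new_path, chain_transitive and transitive))
    return reached


if __name__ == "__main__":
    for start in ("partner.com", "eu.dev.corp.local", "corp.local"):
        print(start, "->", reachable_from(start, TRUSTS))
```

Note the asymmetry: compromising `partner.com` exposes `corp.local` (which trusts it) but stops there because the trust is non-transitive, while compromising `corp.local` does not expose `partner.com` at all, since `partner.com` trusts nobody in this sample.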
What is a Domain Controller (DC)?
What does the NTDS.dit file contain?
Why are service accounts priority targets?
What is the difference between an AD domain and an AD forest?
Practical exercises
Exercise 1 — On your Windows lab (which you’ll configure in lesson 3), open “Active Directory Users and Computers” on the DC. Navigate through the OUs and identify the Domain Admins and Enterprise Admins groups. Who is a member?
Exercise 2 — Find where the NTDS.dit file is located on your lab DC. Try to copy it directly — what happens? Why does Windows prevent it?
Question 1 — Why is DNS critical in Active Directory?
Next Lesson
Now that you understand AD structure, the next lesson covers the core protocols that make Active Directory work — LDAP, Kerberos, and SMB.
Next: AD Protocols: LDAP, Kerberos and SMB