What problem does AD solve?
Without Active Directory, every server maintains its own user list. A 500-user organisation with 50 servers means 25,000 separate accounts — if Alice changes her password, it needs updating in 50 places. AD introduces centralised identity: one account, one password, one policy. Alice authenticates once via Kerberos, and that identity is trusted by every server in the domain.
Core AD components
| Component | What it is |
|---|
| Domain | The fundamental unit — objects sharing a directory database, security policies, and trust. Named like a DNS domain: corp.example.com |
| Domain Controller (DC) | Windows Server running AD DS. Stores the database, handles authentication, replicates to other DCs. Always deploy at least two. |
| Forest | One or more domains sharing a schema and Global Catalog. The security boundary in AD. |
| Tree | Contiguous namespace within a forest. corp.example.com and eu.corp.example.com form a tree. |
| Organizational Unit (OU) | Container for organising objects. Where GPOs are linked and admin rights are delegated. |
| Schema | Defines object types and attributes. One per forest. Schema changes are irreversible. |
AD logical structure
Forest: example.com (security boundary)
│
├── Tree: example.com (root domain)
│ └── Domain: corp.example.com
│ ├── OU: Servers
│ │ ├── OU: Domain Controllers
│ │ └── OU: Member Servers
│ └── OU: Users
│ ├── OU: IT
│ └── OU: Finance
│
└── Tree: subsidiary.com (separate tree, same forest)
AD relies entirely on DNS
Active Directory is completely dependent on DNS. DCs register SRV records so clients can locate them. When a machine joins a domain it queries DNS for _ldap._tcp.corp.example.com. If DNS breaks, AD breaks.
🔑 Key ruleAlways point domain-joined machines to an AD-integrated DNS server (the DC itself) — never to external DNS like 8.8.8.8 as the primary resolver. External DNS has no knowledge of your internal SRV records.
How Kerberos works
Kerberos is a ticket-based protocol. Instead of sending passwords over the network it issues cryptographic tickets that prove identity. The KDC (Key Distribution Center) runs on every DC.
Step 1 — AS-REQ / AS-REP (getting a TGT)
Client → KDC: "I'm Alice" + encrypted timestamp
KDC → Client: here's your
TGT (encrypted with krbtgt key — client can't read it)
Step 2 — TGS-REQ / TGS-REP (getting a service ticket)
Client → KDC: "I have a TGT, I need to reach \FileServer"
KDC → Client: here's a
Service Ticket for \FileServer
Step 3 — AP-REQ (using the service ticket)
Client → FileServer: "here's my Service Ticket"
FileServer decrypts, verifies, grants access ✓
✅ Why Kerberos is goodThe password never crosses the network. Tickets are short-lived (10 hours by default). Mutual authentication is possible: the client can verify the server is genuine.
NTLM — the legacy fallback
NTLM is used when Kerberos cannot be: accessing resources by IP address instead of hostname, non-domain environments, some legacy apps. NTLM is vulnerable to Pass-the-Hash attacks — an attacker with your hash can authenticate without knowing the password. Minimise NTLM wherever possible.
Common Kerberos errors
| Error | Meaning | Fix |
|---|
| KDC_ERR_PREAUTH_FAILED | Wrong password or locked account | Check lockout status, verify password |
| KRB_AP_ERR_SKEW | Clock skew > 5 minutes between client and DC | Fix NTP — domain members should sync to the DC |
| KDC_ERR_S_PRINCIPAL_UNKNOWN | SPN not found | Check/register SPN with setspn |
| KRB_ERR_RESPONSE_TOO_BIG | Ticket too large (too many group memberships) | Reduce group memberships or increase MaxTokenSize |
Before you deploy
- Choose your domain name carefully. Use a subdomain of a real domain you own:
corp.example.com, not corp.local. The .local suffix conflicts with mDNS and causes TLS certificate issues. You cannot rename a domain without rebuilding.
- Static IP on the DC. DCs must have a static IP. Dynamic IPs cause DNS record staleness and client connectivity failures.
- Deploy at least two DCs from day one. A single DC is a single point of failure for your entire network.
Installing AD DS and promoting
# Install the AD DS and DNS roles
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
# Create a NEW forest (very first DC ever)
Install-ADDSForest `
-DomainName "corp.example.com" `
-DomainNetBiosName "CORP" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns:$true `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ss!DSRM" -AsPlainText -Force)
# Add a SECOND DC to an existing domain
Install-ADDSDomainController `
-DomainName "corp.example.com" `
-InstallDns:$true `
-Credential (Get-Credential) `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ss!DSRM" -AsPlainText -Force)
🔴 DSRM PasswordThe Directory Services Restore Mode password is used to recover AD if the database corrupts. It is NOT the same as the domain Administrator password. Document it somewhere secure — you may not touch it for years.
FSMO roles
| Role | Scope | What it does |
|---|
| Schema Master | Forest | Only DC that can modify the AD schema. |
| Domain Naming Master | Forest | Controls adding/removing domains from the forest. |
| PDC Emulator | Domain | Password changes, account lockout, time sync source, GPO updates. Most critical. |
| RID Master | Domain | Issues pools of Relative IDs to DCs so they can create new SIDs. |
| Infrastructure Master | Domain | Updates cross-domain group-to-user references. |
# Find which DC holds each FSMO role
netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
How replication works
AD uses multi-master replication — changes can be made on any DC and propagate to all others. Changes are tracked via USNs (Update Sequence Numbers). Within a site, replication triggers within seconds. Between sites it's scheduled and compressed to conserve WAN bandwidth.
Sites and Site Links
Sites represent physical network locations with fast internal connectivity. Site links connect sites and define replication schedule and cost. The KCC (Knowledge Consistency Checker) auto-builds the replication topology.
Site: London-HQ Site: New-York
DC-LDN-01 DC-LDN-02 ←─────────────→ DC-NYC-01 DC-NYC-02
Site Link
Cost:100 / 180min
# View replication status across all DCs
repadmin /replsummary
# Detailed replication links and last sync times
repadmin /showrepl
# Force immediate replication after a change
repadmin /syncall /AdeP
Common replication errors
| Error | Meaning | Fix |
|---|
| 8614 — Time skew | Clock difference >5 min between DCs | Fix NTP. PDC Emulator syncs to external source; all other DCs sync to PDC Emulator. |
| 8453 — Access denied | Replication permission denied | Check "Replicating Directory Changes" rights on domain NC. |
| 1722 — RPC unavailable | Cannot reach DC | Check network/firewall: TCP 135 and dynamic ports 49152–65535. |
| 8606 — Lingering objects | Deleted object still present past tombstone lifetime | Run repadmin /removelingeringobjects |
Managing user accounts
# Create a new user
New-ADUser `
-Name "Alice Smith" `
-SamAccountName "asmith" `
-UserPrincipalName "asmith@corp.example.com" `
-Path "OU=Finance,OU=Users,DC=corp,DC=example,DC=com" `
-AccountPassword (ConvertTo-SecureString "TempP@ss1!" -AsPlainText -Force) `
-ChangePasswordAtLogon $true -Enabled $true
# On departure: disable and move (don't delete immediately)
Disable-ADAccount -Identity "asmith"
Move-ADObject `
-Identity "CN=Alice Smith,OU=Finance,OU=Users,DC=corp,DC=example,DC=com" `
-TargetPath "OU=Disabled,DC=corp,DC=example,DC=com"
# Find accounts inactive for 90+ days
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
Group scopes
| Scope | Members from | Assign permissions in | Use for |
|---|
| Domain Local | Anywhere (any domain) | Same domain only | Assigning permissions on local resources |
| Global | Same domain only | Anywhere in forest | Grouping users by role or department |
| Universal | Anywhere in forest | Anywhere in forest | Cross-domain group memberships |
🔑 AGDLP PatternAccounts →
Global groups (by role) →
Domain
Local groups (by resource) →
Permissions. Assign permissions only to Domain Local groups, never directly to Global groups or users.
Organising with OUs
OUs serve two purposes: GPO application — policies linked to an OU apply to all objects inside — and delegating admin rights without giving full domain admin.
# Create OUs
New-ADOrganizationalUnit -Name "Finance" -Path "OU=Users,DC=corp,DC=example,DC=com"
# Delegate password reset to Helpdesk group for an OU
dsacls "OU=Users,DC=corp,DC=example,DC=com" /G "CORP\Helpdesk:CA;Reset Password;User"
Joining a computer to the domain
# Join and place in a specific OU
Add-Computer `
-DomainName "corp.example.com" `
-OUPath "OU=Workstations,DC=corp,DC=example,DC=com" `
-Credential (Get-Credential) -Restart
# Verify after restart
(Get-WmiObject Win32_ComputerSystem).Domain
Get-ADComputer -Filter {Name -eq "WORKSTATION01"} -Properties DistinguishedName
⚠️ Default Computers containerWithout -OUPath, new machines land in CN=Computers — a container, not an OU. GPOs cannot be linked to it. Always specify a target OU.
The secure channel and "trust relationship failed"
A domain-joined computer has a password stored locally and in AD that auto-rotates every 30 days. If this relationship breaks (e.g. after restoring an old VM snapshot), users get "The trust relationship between this workstation and the primary domain failed".
# Test the secure channel
Test-ComputerSecureChannel -Verbose
# Repair a broken secure channel (fastest fix, no disjoin needed)
Test-ComputerSecureChannel -Repair -Credential (Get-Credential CORP\DomainAdmin)
GPO processing order — LSDOU
GPOs apply in order: Local → Site → Domain → OU. Later wins for conflicting settings — so child OU GPOs override domain GPOs.
1. Local GPO (on the machine itself)
↓ overridden by
2. Site GPOs (linked to the AD site)
↓ overridden by
3. Domain GPOs (linked at domain root)
↓ overridden by
4. OU GPOs (parent OU, then child OU last — child wins)
💡 ExceptionsEnforced: a GPO marked Enforced cannot be overridden by child OUs — use for security baselines.
Block Inheritance: an OU can block all inherited policies from above. Blocked by Enforced GPOs.
Computer vs User configuration
| Section | Applies to | When processed | Examples |
|---|
| Computer Configuration | Computer accounts in the OU | At startup, every 90 min | Security settings, Windows Update, startup scripts |
| User Configuration | User accounts in the OU | At logon, every 90 min | Drive mappings, logon scripts, folder redirection |
Creating and troubleshooting GPOs
# Create and link a GPO to an OU
New-GPO -Name "Security Baseline - Workstations"
New-GPLink `
-Name "Security Baseline - Workstations" `
-Target "OU=Workstations,DC=corp,DC=example,DC=com" `
-LinkEnabled Yes
# Force immediate refresh on a remote computer
Invoke-GPUpdate -Computer "WORKSTATION01" -Force
# Troubleshoot — show which GPOs applied and why
gpresult /r
gpresult /h C:\gp-report.html
Domain password and lockout policy
# View current domain password policy
Get-ADDefaultDomainPasswordPolicy
# Configure (applies via Default Domain Policy)
Set-ADDefaultDomainPasswordPolicy `
-MinPasswordLength 14 `
-PasswordHistoryCount 24 `
-LockoutThreshold 5 `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00" `
-Identity "corp.example.com"
Critical security settings to configure via GPO
- Disable LLMNR and NetBIOS — These are exploited by Responder attacks to capture credentials. Computer Config → Admin Templates → Network → DNS Client → Turn off multicast name resolution.
- Restrict local Administrators — Control who is in the local Administrators group on workstations via Local Users and Groups GPO preferences.
- Enable Credential Guard — Isolates LSASS using VBS. Prevents Pass-the-Hash even if an attacker has SYSTEM access.
- Enable audit policies — Logon events, account management, privilege use. Without auditing you are blind during incident response.
- Require SMB signing — Prevents relay attacks. Security Options → "Microsoft network server: Digitally sign communications (always)".
- Disable NTLMv1 and SMBv1 — Legacy protocols with well-known critical vulnerabilities.
GPO troubleshooting commands
# Resultant Set of Policy for a specific user on a specific machine
Get-GPResultantSetOfPolicy `
-ReportType HTML -Path "C:
sop.html" `
-Computer "WORKSTATION01" -User "CORP�smith"
# Check GPO inheritance on an OU
Get-GPInheritance -Target "OU=Workstations,DC=corp,DC=example,DC=com"
AD-integrated vs standard DNS zones
| Feature | Standard DNS | AD-integrated DNS |
|---|
| Storage | Text zone file on the DNS server | Stored in AD database, replicated with AD |
| Replication | Manual zone transfer | Automatic via AD replication — no extra config |
| Multi-master writes | Primary only is writable | Every DC with DNS is fully writable |
| Dynamic update security | Anyone can register records | Only authenticated domain computers can register |
SRV records and diagnostics
# Verify SRV records are registered correctly
nslookup -type=SRV _ldap._tcp.corp.example.com
nslookup -type=SRV _kerberos._tcp.corp.example.com
# Force a DC to re-register its DNS records
nltest /dsregdns
# Or restart Netlogon:
Restart-Service Netlogon
# Full AD diagnostics including DNS health
dcdiag /test:DNS /v
DNS scavenging
Dynamic DNS leaves stale records for decommissioned machines. Without scavenging, your zone accumulates thousands of ghost records that cause name resolution to return wrong IPs.
# Enable scavenging on the DNS server
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
# Enable aging on a specific zone
Set-DnsServerZoneAging `
-Name "corp.example.com" `
-Aging $true `
-NoRefreshInterval 7.00:00:00 `
-RefreshInterval 7.00:00:00
🔴 WarningDon't enable scavenging without understanding the intervals. Too aggressive and you'll delete records for live servers with static IPs that don't re-register DNS frequently. Standard safe settings: 7 days NoRefresh + 7 days Refresh.
What is LSASS and why does it matter?
LSASS (Local Security Authority Subsystem Service) is the Windows process responsible for enforcing security policy and handling authentication on a local machine. Every time a user logs in interactively, LSASS validates the credentials against AD and then stores session material in memory so you don't have to re-authenticate for every resource.
| What LSASS holds | Why it's sensitive |
|---|
| Kerberos TGTs for active sessions | A stolen TGT can impersonate the user for its remaining lifetime (up to 10 hours) — no password needed |
| NTLM password hashes | Usable directly in Pass-the-Hash attacks without cracking the plaintext password |
| Kerberos session keys | Used to decrypt service tickets; exposure enables impersonation |
Credential caching: interactive vs network logon
Not all logon types cache the same material. Interactive logons (sitting at the console, RDP) deposit the richest credential material into LSASS memory. Network logons (accessing a file share) do not — only the connecting machine holds session context. This distinction matters when deciding which machines are high-value targets for credential theft.
Interactive logon (console / RDP)
→ LSASS stores: TGT, NTLM hash, session keys
→ Attacker with SYSTEM can extract all of these
Network logon (UNC share, WinRM, etc.)
→ Kerberos service ticket consumed at the server
→ No long-lived credential material left on the target server
→ Far safer for admin access than interactive RDP
The attacks — and why they're covered in AD Advanced
- Pass-the-Hash — An NTLM hash extracted from LSASS is used directly to authenticate as the victim. No password cracking required.
- Pass-the-Ticket — A stolen Kerberos TGT is injected into a different session. The attacker operates as the victim user until the TGT expires.
- Overpass-the-Hash — The NTLM hash is used to request a Kerberos TGT, converting a hash into a fully functional Kerberos ticket.
📚 In AD AdvancedAD Advanced covers
Credential Guard, which moves LSASS into a
VBS-isolated enclave where even a SYSTEM-level attacker cannot read the credential material. It also covers
Protected Users, which restricts the credential types that can be stored in LSASS at all.
What is a service account?
A service account is an AD user account used by a Windows service or application to authenticate to the network — not by a human. Services like SQL Server, IIS app pools, scheduled tasks, and backup agents all need an identity to access resources.
| Account type | Best for | Password management |
|---|
| Standard user account | Legacy apps that cannot use MSAs | Manual — rotation is painful and often skipped |
| MSA | Single-server services | Auto-rotated by AD every 30 days |
| gMSA | Multi-server services (clusters, NLB) | Auto-rotated by AD; multiple hosts can retrieve the password |
🔑 Always prefer gMSAgMSAs eliminate the biggest service account risks: stale passwords, manual rotation failures, and Kerberoasting. If your application supports Windows authentication, it almost certainly supports gMSAs. AD Advanced covers Kerberoasting in depth — gMSA is the primary defence.
SPNs and Kerberos service tickets
When a service registers an SPN, it tells AD "I am reachable at this hostname/port as this account." When a client wants to talk to that service, it asks the KDC for a service ticket — encrypted with the service account's password hash. This is what makes Kerberoasting possible: any authenticated user can request that ticket and take it offline to crack.
# List SPNs registered to a specific account
Get-ADUser -Identity svc-sql -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames
# Create a gMSA (eliminates Kerberoasting risk for that account)
New-ADServiceAccount -Name "gmsa-sql" -DNSHostName "gmsa-sql.corp.example.com" `
-PrincipalsAllowedToRetrieveManagedPassword "SQL-Servers" `
-ServicePrincipalNames "MSSQLSvc/sql01.corp.example.com:1433"
Delegation: letting a service act on a user's behalf
Kerberos delegation allows a service to present a user's identity to a backend resource — a web server authenticating to a SQL server as the calling user, for example.
| Delegation type | Scope | Risk |
|---|
| Unconstrained | Service can impersonate the user to any backend | Critical — if the service host is compromised, attacker gets TGTs for every user who connects |
| Constrained (KCD) | Service can only impersonate to named backends | Medium — limits blast radius; still has protocol transition risks |
| Resource-Based (RBCD) | Backend controls who can delegate to it | Lower — configured on the resource, not the front-end service |
🔴 Unconstrained delegationUnconstrained delegation is a major attack vector. AD Advanced covers how attackers exploit it using the "printer bug" to coerce DC authentication and extract the DC's TGT — enabling Domain Admin-level access. Audit it with: Get-ADComputer -Filter {TrustedForDelegation -eq $true}
What is a digital certificate?
A digital certificate binds a public key to an identity using a cryptographic signature from a trusted authority. Think of it as a signed passport: anyone who trusts the issuing authority can verify that the key really belongs to who it claims to.
| Field | What it contains |
|---|
| Subject | Who the certificate identifies (e.g. CN=webserver.corp.example.com) |
| Public key | The asymmetric key that clients use to encrypt data only the subject can decrypt |
| Validity period | Not before / not after dates — certificates expire |
| Issuer | The CA that signed the certificate |
| Signature | Cryptographic proof that the CA vouches for this binding |
| SAN | Additional names/IPs the cert is valid for — critical for AD CS security |
Chain of trust: Root CA → Issuing CA → End-entity
PKI uses a hierarchy. The Root CA is the ultimate trust anchor — its certificate is self-signed. It signs the Issuing CA certificate. The Issuing CA signs end-entity certificates (servers, users, computers). Clients trust everything in the chain as long as they trust the Root CA.
Root CA (self-signed, kept OFFLINE)
│ Signs the Issuing CA certificate
▼
Issuing CA (domain-joined, handles daily issuance)
│ Signs end-entity certificates
├── Server cert (webserver.corp.example.com)
├── User cert (asmith@corp.example.com — smart card logon)
└── Computer cert (WORKSTATION01 — machine auth)
💡 Why keep the Root CA offline?The Root CA's private key is the most sensitive asset in your PKI — it can sign certificates trusted by every machine in your organisation. Keeping it offline (ideally air-gapped and powered off) eliminates the network attack surface against that key. The Issuing CA handles routine issuance and stays online.
Where AD CS fits in
AD CS (Active Directory Certificate Services) is Microsoft's built-in CA role. It integrates with AD to enable auto-enrollment: domain computers and users automatically receive certificates via GPO without manual requests. This powers smart card logon, EFS, LDAPS, and 802.1X network access control.
📚 In AD AdvancedAD Advanced covers the full deployment of a two-tier AD CS hierarchy, certificate templates, auto-enrollment, and critically — the ESC1-ESC8 attack vectors that arise from misconfigured templates. Misconfigurations in AD CS can allow low-privileged users to obtain certificates that impersonate Domain Admins. Understanding the chain of trust above is essential to grasp why those attacks work.