Introduction

If you work in IT or cybersecurity, you are going to encounter Active Directory. It is the backbone of almost every corporate network. Trying to learn it by reading disconnected documentation can be frustrating because every concept seems to rely on three other concepts you have not learned yet.
This guide is built to solve that problem. We will walk through the components one by one so you have a clear mental map of how a corporate network functions behind the scenes.
What Active Directory Is
Active Directory is a directory service created by Microsoft for Windows domain networks. It is a centralized database that stores information about everything on a corporate network.
Organizations use it because managing computers individually is impossible at scale. If a company has five hundred employees, the IT team cannot manually create five hundred local user accounts on five hundred separate laptops. They need centralized identity and access management. This means having one central authority that decides who people are and what they are allowed to touch.
Active Directory solves major administrative problems. If an employee leaves the company, an administrator disables their account in one place, and that person immediately loses access to every computer, file share, and internal application. If a new security policy requires passwords to be fifteen characters long, the administrator pushes that rule out centrally instead of configuring each machine by hand.
The Core Structure of Active Directory
Before we look at the individual pieces of data stored in Active Directory, we need to understand the containers that hold everything together.
To see how the largest boundaries relate to each other, it helps to look at a high-level map first.
Now we can break down what each of these containers actually does.
Forest
A forest is the top level of the Active Directory structure. It is a collection of one or more domains. You can picture a forest as a large parent corporation that owns several different office buildings. Each building might have its own name and its own internal rules, but they all ultimately belong to the same parent organization. The forest defines the outermost security boundary.
Tree
A tree is a collection of domains within a forest that share a contiguous namespace. If the root domain is example.com, a tree might contain asia.example.com and europe.example.com as child domains. The job of a tree is simply to organize domains logically by geography or business unit while keeping their names related.
Domain
A domain is the logical boundary for a group of objects like users and computers. Think of a domain like a fenced-in office building. Everyone and everything inside that fence follows the same rules and shares the same directory. A domain usually looks like a standard web address, such as corp.example.com. Its job is to group resources together so they can be managed under one security policy.
Domain Controller
A domain controller is a server that runs Active Directory Domain Services and responds to authentication and directory requests. If the domain is the office building, the domain controller is the security desk at the front lobby holding the master guest list. When a user tries to log in, their computer talks directly to the domain controller to verify their credentials.
Organizational Unit (OU)
An Organizational Unit is a folder inside a domain used to organize objects. If the domain is the building, OUs are the specific departments like Human Resources or Accounting. OUs exist so administrators can apply specific rules to a targeted group of computers or delegate management tasks. For example, an IT administrator might put all the servers in a “Servers” OU and all the employee laptops in a “Workstations” OU, applying stricter security policies to the servers.
Visualizing the Hierarchy
Because Active Directory is a hierarchical database, all of these containers nest inside each other. Here is what a typical Active Directory structure looks like in practice once you start drilling down into a specific domain:
- Forest (example.com)
  - Domain (corp.example.com)
    - Domain Controllers
      - DC01 (Server)
      - DC02 (Server)
    - Accounting OU
      - Alice (User)
      - Bob (User)
      - Accounting-FS (Computer)
    - IT OU
      - Admin (User)
      - Helpdesk (Group)
  - Domain (asia.example.com)
    - Users and Computers
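The nesting in the diagram above is exactly what an LDAP distinguished name (DN) encodes: the object's CN, then each OU from the innermost outwards, then the domain as DC components. The following is an added example, not code from the guide, showing how to build a DN from a container path, parse one back (honouring the RFC 4514 backslash escape for commas inside names), and regroup a flat list of objects into the tree shown above. The sample objects are constructed to match the diagram.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ADObject:
    name: str        # the object's common name (CN), e.g. "Alice"
    kind: str        # User, Computer, Group or Server, as in the diagram
    path: tuple      # OUs from the domain downwards, e.g. ("Accounting",) or ()
    domain: str      # DNS name of the owning domain


def domain_to_dn(domain):
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join("DC=" + label for label in domain.split("."))


def object_dn(obj):
    """CN first, then OUs innermost-first, then the domain components."""
    parts = ["CN=" + obj.name]
    parts += ["OU=" + ou for ou in reversed(obj.path)]
    parts.append(domain_to_dn(obj.domain))
    return ",".join(parts)


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def parse_dn(dn):
    """Return (domain, OU path from the domain downwards, leaf CN)."""
    attrs = [rdn.split("=", 1) for rdn in split_rdns(dn)]
    leaf = next(v for k, v in attrs if k.upper() == "CN")
    ous = [v for k, v in attrs if k.upper() == "OU"]
    dcs = [v for k, v in attrs if k.upper() == "DC"]
    return ".".join(dcs), tuple(reversed(ous)), leaf


def container_tree(objects):
    """Nest objects under their domain and OUs, reproducing the diagram as a dict."""
    tree = {}
    for obj in objects:
        node = tree.setdefault(obj.domain, {})
        for ou in obj.path:
            node = node.setdefault(ou, {})
        node["%s (%s)" % (obj.name, obj.kind)] = None
    return tree


def render(tree, indent=0):
    """Indented text view of the tree, one container or object per line."""
    lines = []
    for name, child in tree.items():
        lines.append("  " * indent + "- " + name)
        if child:
            lines.extend(render(child, indent + 1))
    return lines


# Constructed sample, matching the diagram in the guide.
SAMPLE = [
    ADObject("DC01", "Server", ("Domain Controllers",), "corp.example.com"),
    ADObject("DC02", "Server", ("Domain Controllers",), "corp.example.com"),
    ADObject("Alice", "User", ("Accounting",), "corp.example.com"),
    ADObject("Bob", "User", ("Accounting",), "corp.example.com"),
    ADObject("Accounting-FS", "Computer", ("Accounting",), "corp.example.com"),
    ADObject("Admin", "User", ("IT",), "corp.example.com"),
    ADObject("Helpdesk", "Group", ("IT",), "corp.example.com"),
    ADObject("Kenji", "User", ("Users and Computers",), "asia.example.com"),
]

if __name__ == "__main__":
    for obj in SAMPLE:
        print(object_dn(obj))
    print("\n".join(render(container_tree(SAMPLE))))
```

The escape handling matters in practice: a user whose CN is "Smith, John" has a DN of CN=Smith\, John,OU=Sales,..., and a naive split on commas would misread it as two components.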
Trust
A trust is a relationship established between two domains. By default, someone in Domain A cannot access files in Domain B. A trust acts as a secure hallway connecting two separate office buildings. Its job is to allow users from one domain to be authenticated by a domain controller in another domain. For example, if a company acquires a smaller business, administrators will set up a trust so the new employees can access the parent company intranet.
Active Directory Objects
Inside those domains and OUs, Active Directory stores objects. An object is just a record representing a real thing on the network.
Users
A user object represents a real human being. It exists to give an employee a unique identity on the network, linking that identity to credentials and permissions. Administrators use user objects to track logins, assign phone numbers in the company directory, and grant access to files. A simple example is a user object named jsmith for John Smith.
Groups
A group is a collection of users, computers, or other groups. It exists to make permission management efficient. Instead of adding fifty individual users to a folder’s permission list, administrators create a group called “Accounting Team,” give that group access to the folder, and simply add users to the group.
Computers
A computer object represents a physical or virtual machine joined to the domain. Computers need identities just like humans do. A computer object exists so the domain controller can verify that a specific laptop is actually company property before allowing it onto the secure network. An example is a machine named WORKSTATION-01.
Service Accounts
A service account is a special user account created for software to use, rather than a human. Applications like database servers or backup software need to log in to the network to do their jobs. Service accounts exist because tying a critical database to a human administrator’s personal account is dangerous. If that administrator leaves the company and their account is deleted, the database breaks. A common example is an account named svc_sql used exclusively to run an SQL database.
Group-Managed Service Accounts (gMSA)
A Group-Managed Service Account is an upgraded, automated version of a service account. With a normal service account, an administrator has to create a password, configure it manually in the application, and remember to rotate it regularly. This often leads to passwords never being changed. A gMSA exists to solve this problem. The domain controller automatically generates a massive, complex password for the gMSA and rotates it regularly without any human intervention.
Authentication and Authorization
These two concepts sound similar but handle completely different jobs in Active Directory.
Authentication is the process of proving who you are. When you show your passport at an airport, you are authenticating. You are proving your identity matches your name.
Authorization is the process of determining what you are allowed to do. When you try to board a specific flight, the gate agent checks your ticket. Having a valid passport does not mean you are authorized to board any plane you want.
Active Directory handles authentication by verifying your credentials, such as your password, against its directory data. Once you are authenticated, Active Directory handles authorization by providing a list of all the groups you belong to. The target resource reads that list to decide if you are allowed inside.
Core Protocols and Services
Active Directory is not just one program. It is a collection of several background services working together.
DNS (Domain Name System)
DNS is the system that translates human-readable names into IP addresses. In Active Directory, DNS acts as the GPS for the network. It matters immensely because computers rely entirely on DNS to locate a domain controller. When a computer boots up, it asks DNS “where is the server that handles logins?” If DNS is broken, nobody can log in.
LDAP (Lightweight Directory Access Protocol)
LDAP is the language used to read and write information in the Active Directory database. While DNS helps you find the server, LDAP is how you ask the server a question. If an email program wants to look up John Smith’s phone number, it sends an LDAP query to the domain controller.
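LDAP questions are phrased as search filters, and the one thing that goes wrong most often when an application builds them from user input is forgetting to escape the filter metacharacters. The following is an added example, not code from the guide, with a filter builder that applies RFC 4515 escaping, a small in-memory evaluator (supporting only the equality, &, |, ! and * wildcard subset of the filter grammar) and a constructed three-entry directory. It shows the phone-number lookup from the paragraph, and shows that an unescaped * turns an equality lookup into a wildcard that matches every user, while the escaped form matches nobody.

```python
import re


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def phone_lookup_filter(display_name):
    """The filter an e-mail client might send to find one user's phone number."""
    return "(&(objectClass=user)(displayName=%s))" % ldap_escape(display_name)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_matcher(value):
    # An unescaped '*' is a wildcard; everything else (after \xx unescaping) is literal.
    pieces = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _parse(s, i):
    """Recursive-descent parse of the filter subset: (&...), (|...), (!...), (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)                     # safe: ')' inside a value is escaped as \29
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1


def _eval(node, entry):
    if node[0] == "=":
        matcher = _value_matcher(node[2])
        return any(matcher.match(v) for v in entry.get(node[1], []))
    op, kids = node
    if op == "&":
        return all(_eval(k, entry) for k in kids)
    if op == "|":
        return any(_eval(k, entry) for k in kids)
    return not _eval(kids[0], entry)


def search(entries, filter_str):
    """Return the entries matching filter_str; attribute names are case-insensitive."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return [e for e in entries if _eval(node, e)]


# Constructed directory contents (attribute names stored lower-cased).
DIRECTORY = [
    {"objectclass": ["user"], "displayname": ["John Smith"], "telephonenumber": ["+1 555 0100"]},
    {"objectclass": ["user"], "displayname": ["Alice Jones"], "telephonenumber": ["+1 555 0101"]},
    {"objectclass": ["computer"], "displayname": ["WORKSTATION-01"]},
]


def lookup_phone(display_name):
    """Phone numbers of users whose displayName equals display_name, with escaping applied."""
    hits = search(DIRECTORY, phone_lookup_filter(display_name))
    return [num for e in hits for num in e.get("telephonenumber", [])]


if __name__ == "__main__":
    print(lookup_phone("John Smith"))
    print("unescaped:", len(search(DIRECTORY, "(&(objectClass=user)(displayName=*))")), "entries")
    print("escaped:  ", len(lookup_phone("*")), "entries")
```

Real directory clients (ldap3, the .NET DirectorySearcher, ldapsearch) send filters of exactly this shape to a domain controller over port 389/636; the escaping rule is the same there.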
Kerberos
Kerberos is the primary authentication protocol used by Active Directory. It exists to verify identities without sending passwords over the network. It interacts with the domain controller by exchanging encrypted tickets. A user gets a ticket from the domain controller and presents that ticket to a file server to prove their identity.
NTLM
NTLM is the older, legacy authentication protocol. It exists mostly for backwards compatibility with older software or specific network setups where Kerberos fails. It uses a challenge and response mechanism. The server sends a mathematical puzzle to the computer, and the computer uses the user’s password to solve it and send the answer back.
Kerberos in Detail
Because Kerberos is the default way users log in, understanding its specific parts is crucial.
The Components of Kerberos
The Key Distribution Center (KDC) is the service running on the domain controller that actually hands out tickets. Think of the KDC as the main ticket booth at an amusement park.
The Ticket Granting Ticket (TGT) is the master ticket you receive after proving your password. It is like an all-day wristband. You do not use the TGT to ride a specific ride. You show the TGT to the staff to prove you paid, so they can hand you specific ride tickets.
The Ticket Granting Service (TGS) is the specific part of the KDC that looks at your TGT and issues you those specific ride tickets.
A Service Ticket is the specific ticket required to access a target resource. If you want to access the shared accounting drive, you need a service ticket strictly for that drive.
A Service Principal Name (SPN) is the unique identifier for a specific service running on a server. It acts as the name tag on the rollercoaster. When you ask the TGS for a service ticket, you use the SPN to specify exactly what service you want to access.
The Step-by-Step Login Process
Here is exactly what happens behind the scenes when a user logs into a domain-joined computer and tries to access a file share.
If the diagram is difficult to read, here is the same process in a simplified step-by-step format:
1. Request TGT
2. Verify Password
3. Issue TGT
4. Request Service Ticket
5. Issue Service Ticket
6. Access Resource
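To make the six steps concrete, here is an added simulation of the exchange (my own example code, not part of the guide and not real Kerberos). Real Kerberos encrypts each ticket under the relevant long-term key; this stand-in only authenticates the ticket with an HMAC under that key, which is enough to show the chain of trust: the KDC alone can open a TGT (krbtgt key), the file server alone can open its service ticket (its own key), and the file server never talks to the KDC during step 6. All keys, names, the SPN and the password are constructed for the demo; timestamps are passed in so the run is deterministic.

```python
import base64
import hashlib
import hmac
import json


def seal(key, claims):
    """Bind a claims dict to a key (HMAC stand-in for Kerberos ticket encryption)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def unseal(key, ticket, now):
    """Reject a ticket not issued under this key, or one past its expiry."""
    body, _, tag = ticket.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket was not issued under this key (tampered or forged)")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now > claims["expires"]:
        raise PermissionError("ticket expired")
    return claims


def user_key(password):
    # Stand-in for deriving the user's long-term key from the password.
    return hashlib.sha256(password.encode()).digest()


def timestamp_proof(key, now):
    # Pre-authentication: key a timestamp so the password itself never crosses the network.
    return hmac.new(key, str(int(now)).encode(), hashlib.sha256).hexdigest()


class KDC:
    """Runs on the domain controller; holds every user key, every service key and the krbtgt key."""

    def __init__(self, users, services, krbtgt_key, lifetime=8 * 3600):
        self.users, self.services = users, services
        self.krbtgt_key, self.lifetime = krbtgt_key, lifetime

    def as_exchange(self, user, proof, now):
        # Steps 1-3: check the password proof, then issue a TGT sealed with the krbtgt key.
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(proof, timestamp_proof(record["key"], now)):
            raise PermissionError("pre-authentication failed")
        return seal(self.krbtgt_key,
                    {"user": user, "groups": record["groups"], "expires": now + self.lifetime})

    def tgs_exchange(self, tgt, spn, now):
        # Steps 4-5: only the KDC can open the TGT; it copies the identity and group list
        # into a service ticket sealed with the key of the service named by the SPN.
        tgt_claims = unseal(self.krbtgt_key, tgt, now)
        return seal(self.services[spn],
                    {"user": tgt_claims["user"], "groups": tgt_claims["groups"],
                     "spn": spn, "expires": now + self.lifetime})


class FileServer:
    """Knows only its own service key; it does not contact the KDC to validate tickets."""

    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def accept(self, ticket, now):
        # Step 6: a ticket sealed with this server's key is trusted on its own.
        claims = unseal(self.key, ticket, now)
        if claims["spn"] != self.spn:
            raise PermissionError("ticket is for a different service")
        return claims["user"], claims["groups"]


def build_domain():
    """Constructed corp.example.com: one user, one file share, fixed demo keys."""
    krbtgt_key = hashlib.sha256(b"demo-krbtgt-key").digest()
    fs_key = hashlib.sha256(b"demo-accounting-fs-key").digest()
    spn = "cifs/accounting-fs.corp.example.com"
    users = {"alice": {"key": user_key("correct horse battery"),
                       "groups": ["Domain Users", "Accounting"]}}
    return KDC(users, {spn: fs_key}, krbtgt_key), FileServer(spn, fs_key)


def open_share(kdc, server, user, password, now):
    """The whole client-side flow: TGT, then service ticket, then present it to the server."""
    tgt = kdc.as_exchange(user, timestamp_proof(user_key(password), now), now)
    ticket = kdc.tgs_exchange(tgt, server.spn, now)
    return server.accept(ticket, now)


if __name__ == "__main__":
    kdc, share = build_domain()
    print(open_share(kdc, share, "alice", "correct horse battery", 1_700_000_000))
```

Two things worth trying with it: presenting the TGT directly to the file server fails, because it was sealed under the krbtgt key rather than the server's key (the TGT versus Service Ticket distinction in the next section), and flipping one character of a ticket fails the HMAC check, which is the property a real domain relies on the ticket encryption to provide.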
Understanding the Differences
The difference between a TGT and a Service Ticket comes down to scope. A TGT is only used to talk to the domain controller to ask for more tickets. A Service Ticket is used to talk to the actual server you want to access.
The difference between Kerberos and NTLM is about who does the verification. In Kerberos, a trusted third party (the domain controller) hands out a secure ticket, and the target server trusts that ticket. In NTLM, the target server challenges the client directly, then forwards the client's answer to the domain controller behind the scenes and asks whether it was correct.
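The NTLM side of that comparison, as an added simulation that is my own example code rather than the guide's (and not the real NTLM algorithm): the member server holds no password material at all; it only generates a random challenge and relays the client's answer to the domain controller for pass-through verification. The password-derived key uses SHA-256 as a stand-in for the real NT hash, and the user, password and server names are constructed.

```python
import hashlib
import hmac
import os


def nt_key(password):
    # Stand-in for the password-derived key (real NTLM uses the MD4-based NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(key, challenge, client_nonce):
    """The 'solved puzzle': an HMAC over the server challenge and a client nonce.
    The password and the key never leave the client."""
    return hmac.new(key, challenge + client_nonce, hashlib.sha256).hexdigest()


class DomainController:
    """The only party holding user keys; answers pass-through verification requests."""

    def __init__(self, users):
        self.users = users   # user name -> key

    def netlogon_verify(self, user, challenge, client_nonce, response):
        key = self.users.get(user)
        if key is None:
            return False
        return hmac.compare_digest(response, compute_response(key, challenge, client_nonce))


class MemberServer:
    """A file or web server: issues the challenge, then asks the DC whether the answer is right."""

    def __init__(self, dc):
        self.dc = dc
        self.pending = {}    # session id -> challenge we issued

    def start(self, session_id):
        challenge = os.urandom(8)        # fresh per session, so old answers cannot be replayed
        self.pending[session_id] = challenge
        return challenge

    def finish(self, session_id, user, client_nonce, response):
        challenge = self.pending.pop(session_id)
        return self.dc.netlogon_verify(user, challenge, client_nonce, response)


class Client:
    def __init__(self, user, password):
        self.user, self.key = user, nt_key(password)

    def answer(self, challenge):
        nonce = os.urandom(8)
        return self.user, nonce, compute_response(self.key, challenge, nonce)


def ntlm_logon(server, user, password, session_id="s1"):
    """Full round trip; returns True only if the DC confirms the response."""
    client = Client(user, password)
    challenge = server.start(session_id)
    name, nonce, response = client.answer(challenge)
    return server.finish(session_id, name, nonce, response)


def build_demo():
    dc = DomainController({"alice": nt_key("correct horse battery")})
    return MemberServer(dc)


if __name__ == "__main__":
    server = build_demo()
    print("correct password:", ntlm_logon(server, "alice", "correct horse battery"))
    print("wrong password:  ", ntlm_logon(server, "alice", "not the password"))
```

Compare this with the Kerberos flow: here the server must reach the domain controller for every logon, whereas a Kerberos service ticket is self-validating once the server has its own key.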
Policies, Permissions, and Control
Creating users is only half the job. Controlling what those users can touch is the other half.
Group Policy Objects (GPOs)
A GPO is a collection of configuration settings applied to users or computers. Administrators use GPOs to enforce standards. Instead of walking to fifty computers to set the corporate desktop wallpaper, an administrator links a GPO to a specific OU, and all fifty computers update themselves automatically. GPOs control everything from password complexity rules to deciding which users are allowed to use USB drives.
ACLs and DACLs
An Access Control List (ACL) is a master list attached to a file, folder, or object that defines security rules. Think of it as the guest list at a private event.
A Discretionary Access Control List (DACL) is the most common part of an ACL. It is the specific list of who is allowed in and who is kept out. A DACL contains individual entries saying things like “Allow the Accounting Group to read this file” and “Deny John Smith from deleting this file.” Administrators manage DACLs every day to secure sensitive data.
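The two entries quoted above are enough to show how a DACL is actually evaluated, so here is an added example (my own code, not from the guide, and a simplification of the Windows access check: three made-up rights instead of the full access mask, names instead of SIDs). It walks the ACEs in order, lets a matching deny stop the check, lets allows accumulate until every requested right is covered, and puts explicit denies ahead of allows the way Windows' canonical ordering does. The same logic is what the file server applies in the end-to-end walkthrough later in the guide, with the group list taken from Alice's ticket. The budget-file DACL and the principals are constructed.

```python
from dataclasses import dataclass

# Constructed access-right bits (a real access mask has many more).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class ACE:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name; a real ACE holds the SID
    mask: int      # rights this entry grants or denies


@dataclass(frozen=True)
class Token:
    """What the server knows about the caller after authentication: name plus group list."""
    user: str
    groups: frozenset


def canonicalize(dacl):
    """Explicit denies before explicit allows (stable sort), so no deny is shadowed by an allow."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def applies(ace, token):
    return ace.trustee == token.user or ace.trustee in token.groups


def access_check(dacl, token, desired):
    """True if every requested right is granted before a matching deny hits any of them.
    dacl=None means the object has no DACL at all (everyone gets full access);
    an empty list grants nothing to anyone."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if not applies(ace, token):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a still-wanted right is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask        # those rights are now covered
        if remaining == 0:
            return True
    return remaining == 0


def token_from_ticket(user, groups):
    """Build the caller's token from the identity and groups carried in a service ticket."""
    return Token(user, frozenset(groups))


# Constructed DACL for the budget spreadsheet, mirroring the two example entries above.
BUDGET_DACL = canonicalize([
    ACE("allow", "Accounting", READ | WRITE),
    ACE("deny", "jsmith", DELETE),
    ACE("allow", "Domain Admins", FULL),
])

if __name__ == "__main__":
    alice = token_from_ticket("alice", ["Domain Users", "Accounting"])
    jsmith = token_from_ticket("jsmith", ["Domain Users", "Accounting"])
    print("alice read:   ", access_check(BUDGET_DACL, alice, READ))
    print("jsmith read:  ", access_check(BUDGET_DACL, jsmith, READ))
    print("jsmith delete:", access_check(BUDGET_DACL, jsmith, DELETE))
```

Note the difference between a missing DACL and an empty one: the first opens the object to everyone, the second closes it to everyone, and tools that display permissions do not always make that distinction obvious.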
Delegation
Delegation is the act of giving a lower-level employee specific administrative powers over a limited area. It matters because you do not want to give the helpdesk staff the master keys to the entire domain just so they can reset user passwords. Administrators use delegation to allow the helpdesk to manage users only inside the “Sales” OU, keeping the rest of the network secure.
Replication and Shared Data
A corporate network usually has multiple domain controllers so that if one breaks, people can still log in. Those servers need a way to share data.
SYSVOL
SYSVOL is a hidden shared folder that exists on every single domain controller. It stores the critical files needed to log on, primarily the Group Policy Objects and login scripts. It matters because when a computer logs in, it pulls its security policies from the SYSVOL share.
Replication
Replication is the process where domain controllers synchronize their databases with each other. If an administrator resets a password on Domain Controller A, replication is the background process that copies that new password over to Domain Controller B. If replication fails, the network becomes split. A user might be able to log in successfully using one server but get locked out if their computer accidentally talks to a different server holding outdated data.
Golden Ticket and Silver Ticket
If you spend time learning about Active Directory, you will hear these terms. They describe severe security compromises related to Kerberos.
A Golden Ticket is a forged Ticket Granting Ticket (TGT).
A Silver Ticket is a forged Service Ticket.
The names matter because they perfectly describe the scope of the problem. If an attacker creates a Golden Ticket, they hold a forged master wristband. They can request a service ticket for absolutely any resource in the entire domain. A Silver Ticket is a forged ticket for one specific ride. It grants the attacker access to one specific service on one specific server.
Beginners should recognize these terms because they illustrate why Kerberos security is critical. If the keys used to sign these tickets are stolen, the mathematical trust holding the domain together collapses.
How Everything Connects Together
To solidify this map, let us walk through one complete example from start to finish.
Alice works in Accounting and wants to open a budget spreadsheet.
Her computer, which is joined to the corp.example.com domain, boots up. The computer queries DNS to locate a domain controller. Alice types her password. The computer talks to the KDC on the domain controller, proving her identity (authentication). The domain controller hands her a TGT.
While logging in, her computer downloads a GPO from the SYSVOL share. This GPO automatically maps a network drive letter (the Z: drive) to the accounting server.
Alice clicks the Z: drive to open the budget spreadsheet. Her computer knows it needs access, so it sends her TGT to the domain controller and asks for a Service Ticket for the file server. The domain controller verifies her TGT and sends the Service Ticket back.
Alice’s computer hands the Service Ticket to the accounting file server. The file server accepts the ticket, knowing exactly who Alice is. Next, the file server needs to know if she is allowed to view the document (authorization). It looks at the document’s DACL, which states that anyone in the “Accounting” group is allowed to read it. The file server checks Alice’s ticket, sees she is a member of that group, and opens the file.
Common Beginner Confusions
Here are the most common concepts that get tangled up, and the direct differences between them:
- Domain vs Forest: A domain is a single organization boundary. A forest is the entire collection of domains.
- Forest vs Tree: The forest is the whole ecosystem. A tree is just a grouping of domains within that forest that happen to share a naming convention.
- Authentication vs Authorization: Authentication verifies who you are. Authorization verifies what you are allowed to touch.
- Kerberos vs NTLM: Kerberos uses tickets and trusts the domain controller to issue them. NTLM relies on a direct challenge and response between the client and the server.
- TGT vs TGS: The TGT is the digital ticket data stored in your computer’s memory. The TGS is the software service running on the server that reads your TGT.
- TGT vs Service Ticket: A TGT is used to request other tickets. A Service Ticket is used to access an actual target resource.
- ACL vs DACL: An ACL is the entire container of security rules for an object. The DACL is the specific sub-list inside the ACL that dictates who is allowed or denied access.
- User Account vs Service Account: A user account is built for a human being. A service account is built for a background software application.
- Service Account vs gMSA: A standard service account has a static password typed in by a human. A gMSA has its password managed and rotated automatically by the domain controller.
- Domain Controller vs Domain: A domain controller is the physical server or virtual machine running the domain services. The domain is the logical boundary of the network that the server manages.
If you understand how these pieces fit together, you already have a strong foundational grasp of how Active Directory works. You can always refer back to this map when a specific protocol or object type slips your mind.