Try Hack Me: Active Directory Basics

What makes up the Active Directory?

  • Domain Controllers

  • Forests, Trees, Domains

  • Users + Groups

  • Trusts

  • Policies

  • Domain Services

Why do we need it?

  • It makes it easy for a company to manage and monitor users by having one domain controller.

  • Users can use any machine to access the network and personal resources; this eliminates the process of having to create accounts on each machine.

Physical AD

Domain Controllers

  • Domain controllers are the core of AD and it needs to have AD DS(Domain Services installed)

  • manages authentication & Authorization

  • stores AD DS store

AD DS Data Store

  • it holds databases and processes needed to store and manage directory information (users, groups and services)

  • it has NTDS.dit; it's a database that has password hashes for users and domain controller data.

  • data is stored in %Systemroot%\NTDS

  • only the domain controller can access it


it is a collections of one or more domain trees inside the AD network.

  • Tree - a hierarchy of domains

  • Domain Schem - Rules for Object Creation

  • Organizational Units (OUs) - containers for groups, computers, users, printers, and other OUs.

User Types

  1. Domain Admins - control the domains and they are the only ones who have access to the domain controller.

  2. Service Accounts - can also be domain Admins, mostly used for maintenance.

  3. Local Admins - they can control local machines but not the domain controller

  4. Domain Users


  • Security groups - they are used to specify permissions for a large number of users

  • Distribution Groups - They are used to specify email lists.

Trusts and Policies

Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. For the most part, trusts outline the way that the domains inside of a forest communicate to each other, in some environments trusts can be extended out to external domains and even forests in some cases.

There are two types of trusts that determine how the domains communicate. I'll outline the two types of trusts below:

  • Directional - The direction of the trust flows from a trusting domain to a trusted domain

  • Transitive - The trust relationship expands beyond just two domains to include other trusted domains

Domain Services

these services are used for the entire domain or tree

  • LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services

  • Certificate Services - allows the domain controller to create, validate, and revoke public key certificates

  • DNS, LLMNR, NBT-NS - Domain Name Services for identifying IP hostnames

Domain Authentication

  • most vulnerable protocols (NTLM and Kerberos)

  • Kerberos - The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.

  • NTLM - default Windows authentication protocol uses an encrypted challenge/response protocol

Powerview commands with powershell

powershell -ep bypass load a powershell shell with execution policy bypassed

. .\PowerView.ps1 - import the PowerView module


Get-DomainSPNTicket -SPN uuid-f901b4dc-a2d8-4ca5-ae82-338897db7a97-1 -OutputFormat hashcat -Credential $cred

Last updated