Edit

Database

  • The database is where all the Active Directory Objects are stored.

  • In Windows Active Directory, the database is stored at C:\Windows\NTDS\ntds.dit in the domain controller.

Classes

  • Schema that defines ObjectClasses like:

    • User Class

    • Group Class

    • Computer Class

  • All classes in Active Directory is a subclass of the Top Class, that has properties like ObjectClass and ObjectGUID.

    • ObjectClass: Lists the classes of an object. Current & Parent

    • ObjectGUID: Object Global Unique Identifier.

classes can be attached to auxiliary classes. These are not visible in the ObjectClass Eg: User & Group class are attached to the Security-Principal auxiliary class which defines properties like SamAccountName and SID

Properties

  • Each class have several properties such as:

    • SID

    • Name

    • UserAccountControl

  • These properties are readable by everyone except few like:

    • Password

    • Confidential Properties.

  • The password property can only be written, not read.

  • Confidential properties are read by only authorized users. These are marked by setting the 128 flag in searchFlags of the property definition.

  • Some properties needs to be validated before being written to the object. This is achieved using Validated Writes.

SID

  • This property is used to identify principals.

  1. DomainSID: This is used to identify a domain

PS C:\Users\Administrator> Get-ADDomain | select domainSID

domainSID
---------
S-1-5-21-2968811138-1285828788-388312258

  1. PrincipalSID Used to Identify principals. Usually [DomainSID]-[RID].

PS C:\Users\Administrator> Get-ADUser -Filter * -Properties * | select SamAccountName,SID

SamAccountName SID
-------------- ---
Administrator  S-1-5-21-2968811138-1285828788-388312258-500
Guest          S-1-5-21-2968811138-1285828788-388312258-501
krbtgt         S-1-5-21-2968811138-1285828788-388312258-502
user2          S-1-5-21-2968811138-1285828788-388312258-1103
user1          S-1-5-21-2968811138-1285828788-388312258-1107

  • Common SIDs for buildin objects:

    • Administrator : S-1-5-21-domainSID-500

    • Domain Admins : S-1-5-21-domainSID-512

    • Domain Users : S-1-5-21-domainSID-513

    • Enterprise Admins : S-1-5-21-domainSID-519

  • There are some SID for special situations:

    • Authenticated Users : S-1-5-11

    • Principal Self : S-1-5-10

Distinguished Names

  • Used to identify objects in AD, using paths/hierarchy of the object

CN=Administrator,CN=Users,DC=doctor,DC=local
CN=Administrator,OU=Users,DC=doctor,DC=local

  1. Domain Components (DC) : Identifies the domain. DC for it.doctor.local would be DC=it,DC=doctor,DC=local.

  2. Organizational Unit (OU) : Identifies organisational units used to store objects.

  3. Common Name (CN) : Identifies objects or containers.

Partitions

Active Directory database has the following partition

  • Domain : Stores domain objects such as users, groups, computer, GPOs.

  • Configuration : Stores configuration data for the domain, such as well known objects SIDs.

  • Schema : Stores definition of the classes and objects.

  • DomainDnsZones : Stores DNS records.

  • ForestDnsZones : Stores DNS records for the forests.

PS AD:\> ls

Name                 ObjectClass          DistinguishedName
----                 -----------          -----------------
doctor               domainDNS            DC=doctor,DC=local
Configuration        configuration        CN=Configuration,DC=doctor,DC=local
Schema               dMD                  CN=Schema,CN=Configuration,DC=doctor,DC=local
DomainDnsZones       domainDNS            DC=DomainDnsZones,DC=doctor,DC=local
ForestDnsZones       domainDNS            DC=ForestDnsZones,DC=doctor,DC=local

Querying Database

LDAP

  • Lightweight Directory Access Protocol

  • Can retried each and every Active Directory object.

  • Access all the domain data using ports:

    • TCP: 380 - LDAP

    • TCP/SSL: 636 - LDAPS

  • LDAP can be queried using ldapsearch utility

ldapsearch -H ldap:\\<target> -x -LLL -W -D "username@domain" -b "searchbase" "filter" "attribute"
# -x : Use simple authentication
# -LLL : print the information in LDIF version
# -W : Prompt for authentication
# -D "username@domain" : Bind with the username
# -b "searchbase" : the base DN where the search will start from
# "filter" : The ldap query to process
# "attribute" : the attribute of the object to fetch
# Examples:

ldapsearch -H ldap://192.168.122.50 -x -LLL -W -D "Administrator@doctor.local" -b "dc=doctor,dc=local" "(ObjectClass=Computer)" "SamAccountname"

dn: CN=DOCTOR-DC,OU=Domain Controllers,DC=doctor,DC=local
sAMAccountName: DOCTOR-DC$

dn: CN=DRWS01,CN=Computers,DC=doctor,DC=local
sAMAccountName: DRWS01$

ADWS

  • Active Directory Web Services.

  • Protocol to query and manipulate domain objects using SOAP messages.

  • Compatible with LDAP filterer.

  • Protocol used by Active Directory RSAT module.

Last updated