Domain Service

Overview

AD DS is a directory service that stores and publishes information about Active Directory objects, such as users, groups, computers, domains, organizational units, and security policies, in a hierarchical structure for use by users and administrators.

Active Directory is either deployed as AD DS or as AD LDS.

Domain Controller

Domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain.

The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs.

AD DS is implemented as Ntdsa.dll running in the Lsass process on the DC.

RootDSE

The logical root of a directory server, whose distinguished name (DN) is the empty string (a nameless entry).

The purpose of the rootDSE is to provide data about the directory server: it is a mechanism for clients of an LDAP server to interact with the server itself, rather than with particular objects contained by the server. The rootDSE is not part of any namespace.

The rootDSE holds the configuration status of the server: its attributes represent the features, capabilities, and extensions provided by that particular server.

Access to this entry is typically available to unauthenticated clients.

Data Store

The Active Directory directory service uses a data store for all directory information. This data store is often referred to as the directory.

The directory is stored on domain controllers and can be accessed by network applications or services.

File Ntds.dit

Directory data is stored in the Ntds.dit file on the domain controller.

Partition

Directory partitions are also known as naming contexts.

A directory partition is a contiguous portion of the overall directory that has independent replication scope and scheduling data.

Default Partitions

Data is stored on each domain controller in the directory store, which is divided logically into four distinct directory partition types to store and copy different types of data:

  • domain

  • configuration

  • schema

  • application data.

All domain controllers within a particular domain hold a replica of the domain partition for their domain.

Naming

Account Database

An account database maintains the security principals and necessary information for authentication and other purposes.

Password Attributes

While section 6.2 of [RFC2829] specifies that an object possessing a userPassword attribute is a prerequisite to being able to perform a simple bind using that object's credentials, Active Directory does not use the userPassword attribute to store the user's password in most cases, and possession of such an attribute is not a prerequisite to performing a simple bind against an object.

Access to the password attribute of an account object is granted only to the account holder, never to anyone else, not even administrators. Only processes with Trusted Computing Base privilege—processes running in the security context of the LSA—are allowed to read or change password information.

The password attribute of an account object is further protected by a second encryption using a system key.

Replication

Changes made to the directory on one domain controller are replicated to other domain controllers in the domain, domain tree, or forest.

Private directory data is stored securely, and public directory data is stored on a shared system volume where it can be replicated to other domain controllers in the domain.

Site

Sites, defined as groups of well-connected computers, determine how directory data is replicated.

Active Directory relies on the concept of sites to keep replication efficient: within a site, directory information is replicated more frequently.

The domain controllers in other sites also receive the changes, but less frequently.

Microsoft Learn - Sites overview

Partition

Changes to each directory partition are replicated to all other domain controllers that hold a copy of that partition.

Management

Ntdsutil

Microsoft Learn - Ntdsutil

LOLBAS - Ntdsutil.exe

Security

Security is integrated with Active Directory through

  • logon authentication

  • access control to objects in the directory.

Access Control

Every object in Active Directory has an nTSecurityDescriptor attribute whose value is the security descriptor that contains access control information for the object. A DC performs an access check to determine whether the security context, and thus the requester, is authorized for the type of access that has been requested before allowing any further processing to continue.

  • Security Context

  • Security Descriptor

Security Descriptor

An object or its attributes may not be visible to a requester if the requester is not granted the necessary rights.

Two types of ACEs are used here:

  • Simple: A simple ACE applies to an entire object.

  • Object-specific: An object-specific ACE, on the other hand, can apply to any individual attribute of an object or to a set of attributes.
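As an added example (not from this page or from Microsoft), the Python script below parses the DACL of a self-relative security descriptor, the binary form in which nTSecurityDescriptor is returned over LDAP, and tells simple ACEs apart from object-specific ACEs by reading the optional ObjectType GUID. The security descriptor, the SID S-1-5-21-1-2-3-1105 and the attribute GUID it parses are constructed inside the script and are not real directory data.

```python
import struct
import uuid

# ACE types (MS-DTYP 2.4.4): 0x00/0x01 are simple ACEs covering the whole object;
# 0x05/0x06 are object-specific ACEs that can name one attribute or property set.
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED",
             0x05: "ACCESS_ALLOWED_OBJECT", 0x06: "ACCESS_DENIED_OBJECT"}
ACE_OBJECT_TYPE_PRESENT = 0x1            # object-ACE Flags bit: ObjectType GUID follows
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2  # object-ACE Flags bit: InheritedObjectType follows

def sid_to_str(buf):
    """Decode a binary SID: revision, sub-authority count, 6-byte authority, sub-authorities."""
    rev, count = buf[0], buf[1]
    auth = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def parse_dacl(sd):
    """Walk the DACL of a self-relative security descriptor and return one dict per ACE."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004:             # SE_DACL_PRESENT
        raise ValueError("unsupported revision or no DACL present")
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        cur, obj_type = pos + 8, None
        if ace_type in (0x05, 0x06):                 # object-specific ACE: optional GUIDs
            obj_flags = struct.unpack_from("<I", sd, cur)[0]
            cur += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:  # GUID of the attribute / property set
                obj_type = str(uuid.UUID(bytes_le=sd[cur:cur + 16]))
                cur += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                cur += 16                            # not needed for this example
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "mask": mask,
                     "object_type": obj_type, "sid": sid_to_str(sd[cur:pos + size])})
        pos += size
    return aces

def build_sample_sd():
    """Constructed sample (not real AD data): one simple ACE and one object-specific ACE."""
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1105)
    simple = struct.pack("<BBHI", 0x00, 0, 8 + len(sid), 0x20094) + sid  # object-wide read rights
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le   # placeholder attribute GUID
    obj = struct.pack("<BBHII", 0x05, 0, 28 + len(sid), 0x10, ACE_OBJECT_TYPE_PRESENT) + guid + sid
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(simple) + len(obj), 2, 0) + simple + obj
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl     # SE_SELF_RELATIVE|SE_DACL_PRESENT
```

Running parse_dacl(build_sample_sd()) yields a simple ACE with no object_type and an object-specific ACE whose object_type is the placeholder GUID, which is the distinction the two bullets above describe.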

Reference

Microsoft Learn - Active Directory Domain Services Overview

Microsoft Learn - Understanding Active Directory
