Active Directory - AD

Written by: Iron Hulk Published: Jan 10, 2025

What is Active Directory (AD):

Active Directory is Microsoft’s directory service, a centralized, hierarchical database that records objects on a network and the relationships among them. Think of it as the corporate phonebook, GPS, and security gate rolled into one. It stores identities (users, computers, printers and other resources), tracks where they live in the network, and enforces who can do what. When you log on to a Windows domain, open a shared folder, or launch an app that checks your credentials, AD is the silent authority confirming your identity and granting or denying access. At scale it becomes the backbone for authentication (Kerberos), authorization (group membership), and policy enforcement across an enterprise. AD helps administrators manage permissions, enforce security policies, and organize network resources efficiently.


What is Forest:

A forest is the top-level structure in Active Directory. Think of it as an umbrella that covers everything beneath it. A forest consists of one or more domains (we’ll get to those next) that share a common schema (the rules for how data is stored) and a global catalog (a searchable index of all objects in the forest). Forests are isolated from one another for security: a user in one forest can’t access resources in another unless administrators explicitly set up a trust relationship.
Example: A multinational company might create separate forests for its North American and European divisions so data and policies stay region‑specific.

Why do we need trusts?

Trusts exist so a security principal authenticated in one domain (or one forest) can be recognized in another without re-creating the account. A user in lab.hulk.corp can open a file share in sales.hulk.corp because the two domains “trust” one another: the file server believes the user’s Kerberos ticket even though it was issued elsewhere.

Automatic Trusts within a Forest

Parent → Child
  • Created when: AD builds this automatically the moment you create a child domain, Ex: lab.hulk.corp beneath hulk.corp.
  • Direction: Two‑way
  • Transitivity: Transitive
  • What it really does: Lets any user or computer in either domain reach resources in the other without additional configuration.

Tree Root
  • Created when: You add the first domain in a new DNS tree within the same forest, Ex: research.lab under hulk.corp.
  • Direction: Two‑way
  • Transitivity: Transitive
  • What it really does: Allows users in separate DNS trees (Ex: research.lab and hulk.corp) to authenticate across the forest.

Authentication Flow

  • In this scenario, a user in research.lab wants to access a file share in corp.com.
  • The Kerberos ticket first travels from research.lab to hulk.corp (the forest root).
  • From there, the root domain forwards it over its trust to corp.com, completing the chain.
  • This seamless hop is possible because all automatic trusts are two‑way and transitive.



Trusts linking separate security boundaries

Forest Trust
  • Scope: Entire forest ↔ Entire forest
  • Direction: One‑way / Two‑way
  • Transitivity: Transitive
  • Note: Default: One-way, non-transitive. Example: Forest A trusts Forest B → users in B can access A’s resources. But: users in A cannot access B unless you create a second, separate trust.

External Trust
  • Scope: Single domain ↔ Single domain
  • Direction: One‑way / Two‑way
  • Transitivity: Non‑transitive
  • Note: Legacy, less secure. Connects a domain in Forest A to a standalone domain (or NT 4.0 domain). Avoid if possible: uses NTLM auth (weaker than Kerberos), no forest-wide scope.

Realm Trust
  • Scope: AD forest ↔ MIT/Unix Kerberos realm
  • Direction: One‑way / Two‑way
  • Transitivity: Transitive
  • Note: Enables cross-realm Kerberos authentication between Windows and non-Windows environments.

Direction Explained

  1. One‑way trust: Forest A trusts Forest B → principals from B can access A, not vice‑versa.
  2. Two‑way trust: Mutual access in both directions.

Transitivity Explained

  1. Transitive: Trust automatically extends to every child domain on either side.
  2. Non‑transitive: Trust stops at the domain named—no hop to its children.
Active Directory forest diagram
Illustration — sample forest with transitive two‑way trusts.
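The direction and transitivity rules above, plus the authentication flow described earlier, can be checked mechanically. The following is an added example, not code from the original post: a small model that resolves the chain of domains a logon crosses. The hulk.corp forest uses the post’s own domain names; the partner.corp and vendor.corp forests and the standalone legacy.local domain are constructed here to exercise forest and external trusts.

```python
"""Toy model of Active Directory trust direction and transitivity.

Added example, not code from the original post.  The hulk.corp forest mirrors
the post's domains (hulk.corp, lab.hulk.corp, sales.hulk.corp, research.lab);
the partner.corp and vendor.corp forests and the stand-alone legacy.local
domain are constructed here to show forest and external trusts.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str    # resource side: the domain that accepts the other side's principals
    trusted: str     # account side: the domain whose principals are accepted
    kind: str        # parent-child | tree-root | forest | external | realm
    transitive: bool


def two_way(a, b, kind, transitive):
    """A two-way trust is simply a one-way trust in each direction."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


# Constructed sample topology.
TRUSTS = (
    # automatic trusts inside the hulk.corp forest: always two-way and transitive
    two_way("hulk.corp", "lab.hulk.corp", "parent-child", True)
    + two_way("hulk.corp", "sales.hulk.corp", "parent-child", True)
    + two_way("hulk.corp", "research.lab", "tree-root", True)
    # a second forest, partner.corp, with its own child domain
    + two_way("partner.corp", "dev.partner.corp", "parent-child", True)
    # two-way forest trust between the two forest roots
    + two_way("hulk.corp", "partner.corp", "forest", True)
    # a third forest that trusts partner.corp only
    + two_way("partner.corp", "vendor.corp", "forest", True)
    # one-way, non-transitive external trust: hulk.corp trusts legacy.local
    + [Trust("hulk.corp", "legacy.local", "external", False)]
)


def auth_path(trusts, principal_domain, resource_domain):
    """Return the list of domains a logon from principal_domain crosses to be
    accepted in resource_domain, or None when no trust path permits it.

    Rules modelled:
      * direction: "A trusts B" lets B's principals reach A, never the reverse;
      * a non-transitive trust serves only the two domains it names, so it can
        only ever be a single direct hop;
      * a forest trust is transitive across the two forests it joins but does
        not chain on to a third forest, so a path may use at most one.
    """
    if principal_domain == resource_domain:
        return [principal_domain]
    # Edges point the way a principal travels: from the trusted domain to the trusting one.
    edges = {}
    for t in trusts:
        edges.setdefault(t.trusted, []).append(t)
    # A direct hop is allowed over any trust, transitive or not.
    for t in edges.get(principal_domain, []):
        if t.trusting == resource_domain:
            return [principal_domain, resource_domain]
    # Multi-hop paths may only use transitive trusts (breadth-first, shortest path first).
    queue = deque([(principal_domain, [principal_domain], 0)])
    seen = {(principal_domain, 0)}
    while queue:
        domain, path, forest_hops = queue.popleft()
        for t in edges.get(domain, []):
            if not t.transitive:
                continue
            hops = forest_hops + (1 if t.kind == "forest" else 0)
            if hops > 1:
                continue
            if t.trusting == resource_domain:
                return path + [t.trusting]
            if (t.trusting, hops) not in seen:
                seen.add((t.trusting, hops))
                queue.append((t.trusting, path + [t.trusting], hops))
    return None


if __name__ == "__main__":
    for src, dst in [("lab.hulk.corp", "sales.hulk.corp"),
                     ("dev.partner.corp", "lab.hulk.corp"),
                     ("legacy.local", "lab.hulk.corp"),
                     ("vendor.corp", "hulk.corp")]:
        print(f"{src} -> {dst}: {auth_path(TRUSTS, src, dst)}")
```

Running it shows the post’s sales.hulk.corp example resolving through the forest root, a partner.corp child domain reaching lab.hulk.corp over the forest trust, legacy.local stopping at hulk.corp because its external trust is non-transitive, and vendor.corp never reaching hulk.corp because forest trusts do not chain through a second forest. Reviewing a real environment’s trust list against this kind of model is a quick way to spot a trust whose direction or transitivity is wider than intended.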

Active Directory Building Blocks

Tree

A Tree is a collection of domains within a forest that share a contiguous namespace. In simpler terms, domains in a tree are related hierarchically, like branches growing from a trunk. The first domain created in a tree is called the root domain, and any domains added beneath it become child domains. Example: If your root domain is hulk.corp, a child domain could be us.hulk.corp or eu.hulk.corp. All domains in this tree share the hulk.corp namespace.

Domain

A Domain is a logical grouping of users, computers, and other resources within a forest. Domains act as administrative boundaries where policies and permissions are managed at the domain level. Each domain has its own database of objects (users, groups, computers, etc.) and can be managed independently while still being part of the larger forest.
Example: A company might have separate domains for the lab (lab.hulk.corp) and for faculty (staff.hulk.corp), each with its own policies.

Domain Controller

A Domain Controller is a server that runs Active Directory and manages authentication and authorization for the domain. It’s the "brain" of the domain, handling tasks like user logins, password changes, and policy enforcement. If a DC goes down, users in that domain might not be able to log in or access resources until it’s restored. Key roles of a DC:

  • Authenticating users and computers.
  • Enforcing security policies.
  • Replicating changes to other DCs in the domain (for redundancy).

OU

An Organizational Unit (OU) is a container within a domain used to organize users, groups, computers, and other OUs. Imagine it as a folder on your computer, but for AD objects. OUs make it easier to apply policies (like security settings) to specific groups of users or devices. For example, you might have separate OUs for HR, Finance, and IT departments.

Domain User vs Local User

A domain user is an identity stored in AD that can log on to any computer joined to the domain, subject to the rights it has been granted. A local user account, by contrast, lives in that one computer’s Security Accounts Manager (SAM) database and works only on that computer. Domain users are managed centrally by administrators, making it easier to control access across the network.

Domain Computer vs Local Computer

A domain computer account represents a workstation, laptop, or server that has been joined to an AD domain. The moment a machine joins the domain it gets its own secret password and trusts the domain’s controllers to validate it, just like a user. Once joined, it can be managed centrally by administrators, who can enforce security policies, install software, or configure settings remotely. Domain computers trust the domain controller to authenticate users and devices. A workgroup computer has no AD identity and relies solely on local accounts and local policy, making uniform security and management harder at scale. Note that domain-joined machines still retain their local SAM; manage those credentials explicitly.

Groups (Computer and User)

Groups in Active Directory are used to simplify management by organizing users or computers with similar needs. There are two main types:

  • User Groups: Collections of user accounts. Assigning permissions to a group (instead of individual users) saves time. For example, an "HR_Team" group might have access to sensitive payroll files.
  • Computer Groups: Collections of computers. These are useful for applying policies or software installations to specific machines, like "All_Laptops" or "Server_Farm".
  • Groups have scopes defining where they work:
    • Global: Members from own domain, usable forest-wide.
    • Universal: Members from any domain, usable forest-wide.
    • Domain Local: Members from any domain, usable only within its own domain.


Active Directory Group Policy

What is Policy?

In AD, “policy” usually refers to Group Policy. A Group Policy Object (GPO) is a bundle of settings (registry edits, security rules, scripts, scheduled tasks, software packages) that you attach to sites, domains, or OUs. When a user logs on or a computer starts up, the client downloads the applicable GPOs, merges them (with a well-defined precedence order), and enforces the resulting configuration. Policies are the muscle behind AD’s centralized control: they standardize everything from screen-lock timeouts to enterprise-wide Wi-Fi profiles, reducing drift and manual effort. When you open any Group Policy Object you’ll notice two top-level nodes: Computer Configuration and User Configuration. They contain many of the same sub-nodes (Policies → Administrative Templates, Security Settings, Software Settings, Preferences) but they behave very differently because of who processes them and when they take effect.

Computer‑ vs User‑Based

  • Computer-based policy:
    • Processed by the operating system’s Local System account during boot, before anyone logs on.
    • Scope is the machine object, identified by its computer account and SID.
    • Persistence is machine-wide so once applied, settings live in HKLM, the file system, or service control manager and stay in force for every user who later signs on.
    • If the policy/restriction lives in Computer Configuration, every account on that machine, even local Administrators, inherits it automatically at boot.

  • User-based policy:
    • Processed by the Winlogon process in the security context of the user immediately after successful Kerberos/NTLM logon.
    • Scope is the user object, identified by the user’s SID; multiple users on the same PC can therefore receive entirely different settings.
    • Persistence is per-profile, most settings land in HKCU, per-user portions of the registry, or the profile folder. They disappear when that user logs off and another user signs in.
💡 “Computer-Based” Group Policy always overrides user-based Group Policy. For example, if a computer policy blocks USB mass-storage devices, no flash drive will mount on that machine even if a user policy later tries to allow them.
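The merge order and the computer-over-user rule described in this section can be modelled in a few lines. The following is an added example, not code from the original post or from Microsoft: it walks the Local → Site → Domain → OU chain for a computer and for a user, lets the closest container win, and then applies the rule that a Computer Configuration setting beats a conflicting User Configuration setting. The GPO names, settings and the hulk.corp container layout are constructed for the example.

```python
"""Toy model of Group Policy processing order and computer-vs-user precedence.

Added example, not code from the original post or from Microsoft.  The GPO
names, settings and the hulk.corp container layout are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration -> lands in HKLM
    user: dict = field(default_factory=dict)       # User Configuration     -> lands in HKCU


def container_chain(dn):
    """Containers an object sits under, outermost first: the domain, then each OU
    from the top of the tree down to the object's own OU."""
    parts = [p.strip() for p in dn.split(",")]
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    ous = [p for p in parts if p.upper().startswith("OU=")]
    chain = [domain]
    for i in range(len(ous) - 1, -1, -1):
        chain.append(",".join(ous[i:] + [domain]))
    return chain


def apply_side(links, dn, side, local_gpo=None, site=None):
    """Merge one side ('computer' or 'user') in LSDOU order: Local, Site, Domain,
    then OUs from parent to child.  The last writer of a setting wins, so the
    closest container takes precedence.  Returns (settings, source_gpo)."""
    order = [local_gpo] if local_gpo else []
    order += links.get(site, []) if site else []
    for container in container_chain(dn):
        order += links.get(container, [])
    settings, source = {}, {}
    for gpo in order:
        for key, value in getattr(gpo, side).items():
            settings[key] = value
            source[key] = gpo.name
    return settings, source


def resultant_policy(links, computer_dn, user_dn, local_gpo=None, site=None):
    """Resultant set of policy for a given user on a given computer.
    Each entry is (hive, value, winning GPO).  Where the same setting is
    delivered on both sides, the Computer Configuration value wins."""
    comp, comp_src = apply_side(links, computer_dn, "computer", local_gpo, site)
    user, user_src = apply_side(links, user_dn, "user", local_gpo, site)
    result = {k: ("HKCU", v, user_src[k]) for k, v in user.items()}
    for k, v in comp.items():
        result[k] = ("HKLM", v, comp_src[k])    # computer side overrides on conflict
    return result


# Constructed sample: the domain sets a baseline, the Workstations OU hardens it,
# and an HR user policy tries to re-enable removable storage.
LOCAL_POLICY = GPO("Local Computer Policy", computer={"ScreenLockTimeoutSeconds": 1800})
DEFAULT_DOMAIN = GPO("Default Domain Policy",
                     computer={"ScreenLockTimeoutSeconds": 900, "RemovableStorageAllowed": True})
WORKSTATION_HARDENING = GPO("Workstation Hardening",
                            computer={"ScreenLockTimeoutSeconds": 600, "RemovableStorageAllowed": False})
HR_DESKTOP = GPO("HR Desktop", user={"RemovableStorageAllowed": True, "Wallpaper": "hr.jpg"})

LINKS = {
    "DC=hulk,DC=corp": [DEFAULT_DOMAIN],
    "OU=Workstations,DC=hulk,DC=corp": [WORKSTATION_HARDENING],
    "OU=HR,OU=Users,DC=hulk,DC=corp": [HR_DESKTOP],
}
COMPUTER_DN = "CN=PC1,OU=Laptops,OU=Workstations,DC=hulk,DC=corp"
USER_DN = "CN=alice,OU=HR,OU=Users,DC=hulk,DC=corp"

if __name__ == "__main__":
    for key, (hive, value, gpo) in resultant_policy(LINKS, COMPUTER_DN, USER_DN, LOCAL_POLICY).items():
        print(f"{key:26} = {value!s:8} ({hive}, from '{gpo}')")
```

For alice on PC1 the screen-lock timeout ends up at 600 seconds from the Workstations OU (beating both the local policy and the domain baseline), and removable storage stays blocked even though her HR user policy allows it, because the computer-side setting wins. Real Group Policy processing also honours link order within one container, Enforced links, Block Inheritance, security and WMI filtering and loopback processing, none of which this model includes; Microsoft’s Resultant Set of Policy tooling is the authoritative view.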

Active Directory Configuration & Management Courses

Below is a shortlist of high-quality courses that consistently win good reviews and map cleanly to the skills you need for real-world AD design, deployment, and day-to-day administration. I’ve split them into tiers so you can pick the depth, format, and vendor that match your learning style and budget.

CompTIA Server+

  • Focus: On‑prem AD deployment, storage, security, DR.
  • Why: Vendor‑neutral foundation for DC management.
  • Best for: Entry‑level admins.
  • Course Details

Microsoft Learn “Deploy & Manage AD DS”

  • Focus: DC promo, replication, GPOs, trusts on Server 2022.
  • Why: Free browser labs & quizzes from Microsoft.
  • Best for: Self‑paced fundamentals.
  • Learning Path

Microsoft AZ‑800

  • Focus: Hybrid AD (on‑prem + Azure AD Connect), GPO, DNS.
  • Why: Official track for Windows Server Hybrid Admin Associate.
  • Best for: Sysadmins managing hybrid infra.
  • Cert Guide

MOC 10969 / 55264

  • Focus: Five‑day ILT on AD DS, CS, FS, LDS, backup/recovery.
  • Why: Deep labs on multi‑site forest design.
  • Best for: Teams wanting classroom immersion.
  • Course Outline

Implementing AD Certificate Services

  • Focus: 20‑hour video series on AD CS & hybrid identity.
  • Why: Whiteboards + labs, great for visual learners.
  • Best for: Experienced admins pursuing CA mastery.
  • Pluralsight Link

Active Directory Penetration-Testing / Red-Team Courses

💡 Note: You don't have to take all of them; just study what you need.