Sudo
Master AD security from zero to advanced. Explore authentication protocols, attack techniques, and defense strategies through interactive, industry-sourced content.
What is an AD Forest?
Build the hierarchy layer by layer
The Forest
An Active Directory Forest is the top-level container. It defines a single security boundary — all domains within a forest share a common schema, configuration, and Global Catalog.
Think of a forest as a country — the ultimate boundary. Everything inside shares the same constitution (schema). You need a passport (explicit trust) to enter another country.
The forest, NOT the domain, is the true security boundary. Domains inside a forest trust each other implicitly, and SID filtering is not applied across intra-forest trusts, so a Domain Admin in any child domain can escalate to Enterprise Admin in the forest root (for example by forging a ticket that carries the root domain's Enterprise Admins SID in its SID History). Treat the compromise of one domain as the compromise of the whole forest; accounts that genuinely must be isolated belong in a separate forest, not a separate domain.
FSMO Roles: Deep Dive
What each role does, why it exists, and what happens when it fails
The 5 Officials Who Keep AD Running
Active Directory uses 5 special roles called Flexible Single Master Operations (FSMO). Unlike normal AD replication where any DC can process changes, these 5 operations require a single authoritative DC to prevent conflicts.
2 roles operate at the forest level (one holder per entire forest): the Schema Master and the Domain Naming Master. 3 operate at the domain level (one holder per domain): the RID Master, the PDC Emulator, and the Infrastructure Master. In a forest with 3 domains there are 2 + (3 × 3) = 11 role instances in total, although a single DC may hold several of them; in a single-domain forest, all 5 typically reside on one DC.
A country needs certain single authorities — one constitution writer, one registrar, one police chief per city — to prevent chaos from conflicting decisions.
Impact varies dramatically by role. The Schema Master and Domain Naming Master can be offline for months without anyone noticing, because they are only consulted for schema changes and for adding or removing domains. The PDC Emulator causes immediate problems: it is the authoritative time source for the domain, it receives urgent replication of password changes and account lockouts (a DC that rejects a password retries the check against it), and it is the default DC used when editing Group Policy.
FSMO role holders are high-value targets. Any DC yields its domain's secrets, but the two forest-level role holders normally sit in the forest root domain, and the Schema Master is where schema changes are written before they replicate to every domain (writing the schema additionally requires membership in Schema Admins, a group that should stay empty outside planned changes). Audit who holds these roles (for example with netdom query fsmo), review any transfer or seizure, and restrict logon to the role-holding DCs.
FSMO Roles: The City Government Challenge
5 roles that keep Active Directory running — can you match each incident?
Kerberos Authentication Flow
Step-by-step through the ticket-based authentication protocol
The Players
Meet the 3 entities in Kerberos authentication
Kerberos authentication involves three parties: the Client (a user or service requesting access), the Key Distribution Center (KDC) which runs two services — the Authentication Service (AS) and the Ticket Granting Service (TGS) — and the Application Server (the resource the client wants to access).
The KDC runs on every Domain Controller and holds the long-term keys of every principal in the domain (keys derived from each principal's password: the NT hash for RC4, PBKDF2-derived keys for AES). It acts as a trusted third party: neither the client nor the server ever sends a password to the other. Instead, the client proves knowledge of its key to the KDC and then presents encrypted tickets issued by the KDC to prove its identity to services.
Think of an amusement park. The Client is a visitor. The KDC is the main ticket booth (AS verifies your ID, TGS issues ride tickets). The Application Server is a specific ride. You never show your ID directly to the ride operator — you show the ticket the booth gave you.
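The three-party exchange described above, written out as an added example (not code from the original page) so that both sides of every message are visible. It uses a toy HMAC-based cipher in place of Kerberos' real encryption types, JSON in place of ASN.1, and a constructed realm (CORP.LOCAL) with made-up principals and passwords; what matters is which party can decrypt which part of each message.

```python
"""Toy Kerberos exchange: AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ.

Added example, not code from the original page. The cipher is an
HMAC-SHA256 keystream with an authentication tag, standing in for the
RC4/AES encryption types real Kerberos uses; messages are JSON instead of
ASN.1. Realm, principals and passwords are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    # Long-term key from the password. AD really uses the NT hash (RC4) or
    # PBKDF2 over "REALM+principal" (AES); this toy derivation keeps the shape.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, obj) -> bytes:
    """nonce || ciphertext || tag: without `key` the blob can be neither read nor forged."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) on one 'DC'."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        # Key table: every principal's long-term key, including the krbtgt key
        # that protects all TGTs (in AD these live in NTDS.dit).
        self.keys = {name: derive_key(pw, realm + name) for name, pw in principals.items()}

    def as_exchange(self, as_req: dict) -> dict:
        # AS: the client proves it knows its key via pre-authentication (an
        # encrypted timestamp). The password itself never crosses the wire.
        ckey = self.keys[as_req["cname"]]
        ts = decrypt(ckey, as_req["padata"])["timestamp"]  # wrong password -> ValueError
        if abs(time.time() - ts) > 300:
            raise ValueError("KRB_AP_ERR_SKEW: pre-auth timestamp outside the 5 minute window")
        session = os.urandom(32).hex()
        # TGT: readable only by the KDC itself (krbtgt key); session key copy for the client.
        tgt = encrypt(self.keys["krbtgt"], {"cname": as_req["cname"], "session": session})
        return {"ticket": tgt, "enc_part": encrypt(ckey, {"session": session})}

    def tgs_exchange(self, tgs_req: dict) -> dict:
        # TGS: the TGT is trusted because only the krbtgt key could have produced it.
        tgt = decrypt(self.keys["krbtgt"], tgs_req["ticket"])
        tgt_session = bytes.fromhex(tgt["session"])
        authenticator = decrypt(tgt_session, tgs_req["authenticator"])
        if authenticator["cname"] != tgt["cname"]:
            raise ValueError("KRB_AP_ERR_BADMATCH: authenticator does not match ticket")
        svc_session = os.urandom(32).hex()
        # Service ticket: encrypted under the *service's* long-term key, opaque to the client.
        st = encrypt(self.keys[tgs_req["sname"]], {"cname": tgt["cname"], "session": svc_session})
        return {"ticket": st, "enc_part": encrypt(tgt_session, {"session": svc_session})}


def client_get_service_access(kdc: KDC, user: str, password: str, service: str) -> dict:
    """Run both KDC exchanges as the client and build the AP-REQ for the service."""
    ckey = derive_key(password, kdc.realm + user)
    as_rep = kdc.as_exchange({"cname": user, "padata": encrypt(ckey, {"timestamp": time.time()})})
    tgt_session = bytes.fromhex(decrypt(ckey, as_rep["enc_part"])["session"])
    tgs_rep = kdc.tgs_exchange({"ticket": as_rep["ticket"], "sname": service,
                                "authenticator": encrypt(tgt_session, {"cname": user})})
    svc_session = bytes.fromhex(decrypt(tgt_session, tgs_rep["enc_part"])["session"])
    return {"ticket": tgs_rep["ticket"], "authenticator": encrypt(svc_session, {"cname": user})}


def service_accept(ap_req: dict, service_key: bytes) -> str:
    """Application server side: validates with its own key only; the KDC is not contacted."""
    st = decrypt(service_key, ap_req["ticket"])
    authenticator = decrypt(bytes.fromhex(st["session"]), ap_req["authenticator"])
    if authenticator["cname"] != st["cname"]:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    return st["cname"]


if __name__ == "__main__":
    kdc = KDC("CORP.LOCAL", {"krbtgt": "k!rbtgt-secret", "alice": "Winter2024!", "cifs/fs01": "svc-pass"})
    ap_req = client_get_service_access(kdc, "alice", "Winter2024!", "cifs/fs01")
    print("fs01 accepted principal:", service_accept(ap_req, kdc.keys["cifs/fs01"]))
```

Two things to notice when tracing it: the service (cifs/fs01) validates the ticket with nothing but its own key, which is why a stolen service key lets an attacker mint a ticket the KDC never sees (a Silver Ticket); and every TGT is protected by the single krbtgt key, which is why its compromise (a Golden Ticket) is a domain-wide incident. The failed pre-authentication path is what Event ID 4771 records in a real environment.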
Kerberos Delegation Explained
Unconstrained, constrained, protocol transition & RBCD
What Is Delegation?
Kerberos delegation allows a server to access resources on behalf of a user. For example, when a user authenticates to a web application, that web server may need to query a SQL database as the user to enforce proper access control. Without delegation, the server would need its own credentials or a shared service account, losing user-level auditing.
A receptionist (front-end server) needs to unlock your personal mailbox (back-end resource) using your authority. You give the receptionist permission to act on your behalf so they can retrieve your mail without you walking to the mailroom yourself.
Delegation is powerful but dangerous: it lets servers impersonate users to other services. Unconstrained delegation stores a copy of each connecting user's TGT on the server, so whoever controls that server can reuse those TGTs anywhere in the domain. Constrained delegation limits impersonation to a list of target SPNs held on the front-end's own account, and protocol transition additionally lets the front-end obtain a ticket for any user (S4U2Self) without that user ever authenticating to it. Resource-based constrained delegation (RBCD) moves the list onto the back-end resource, so anyone who can write that attribute on a computer object can grant themselves delegation to it. If misconfigured, a single compromised server becomes a pivot point for lateral movement across the entire domain.
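One way to triage the four delegation forms from directory attributes, as an added example that is not the page's code or any tool's. It reads the documented userAccountControl bits and the msDS-AllowedToDelegateTo attribute; the records are constructed, and msDS-AllowedToActOnBehalfOfOtherIdentity is simplified to a list of principal names where AD really stores a binary security descriptor that would need parsing first.

```python
"""Classify Kerberos delegation settings from directory attributes.

Added example, not code from the original page. Flag values are the
documented userAccountControl bits. The records are constructed, and
msDS-AllowedToActOnBehalfOfOtherIdentity is modelled as a list of principal
names instead of the binary security descriptor AD actually stores.
"""
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                   # primaryGroupID of writable DCs


def delegation_kinds(rec: dict) -> list:
    """Which delegation forms an object is configured for (a host can have several)."""
    uac = rec.get("userAccountControl", 0)
    kinds = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kinds.append("unconstrained")
    if rec.get("msDS-AllowedToDelegateTo"):
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            kinds.append("constrained+protocol-transition")
        else:
            kinds.append("constrained")
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("rbcd-target")
    return kinds


def assess(records: list) -> list:
    """Return (account, severity, reason) findings a reviewer would want to see."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = rec.get("userAccountControl", 0)
        kinds = delegation_kinds(rec)
        targets = ", ".join(rec.get("msDS-AllowedToDelegateTo", []))
        is_dc = rec.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID
        # DCs are unconstrained by default; anything else caching forwarded TGTs is a finding.
        if "unconstrained" in kinds and not is_dc:
            findings.append((name, "HIGH", "unconstrained delegation: caches every user's TGT it receives"))
        if "constrained+protocol-transition" in kinds:
            # S4U2Self: the host can obtain a ticket for any user (Protected Users and
            # NOT_DELEGATED accounts excepted) without that user ever talking to it.
            findings.append((name, "HIGH", f"protocol transition to {targets}: impersonates users without their ticket"))
        elif "constrained" in kinds:
            findings.append((name, "MEDIUM", f"constrained delegation to {targets}"))
        if "rbcd-target" in kinds:
            who = ", ".join(rec["msDS-AllowedToActOnBehalfOfOtherIdentity"])
            findings.append((name, "MEDIUM", f"RBCD: {who} may act on behalf of users to this host"))
        # Privileged accounts should be unusable as delegation subjects at all.
        if rec.get("adminCount") == 1 and not uac & UF_NOT_DELEGATED and not rec.get("protectedUser"):
            findings.append((name, "MEDIUM", "privileged account is delegatable (not NOT_DELEGATED / Protected Users)"))
    return findings


# Constructed sample of what an LDAP export of these attributes might look like.
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB02$"]},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "da_bob", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "da_alice", "userAccountControl": 0x100200, "adminCount": 1},
]

if __name__ == "__main__":
    for account, severity, reason in assess(SAMPLE):
        print(f"{severity:6} {account:12} {reason}")
```

In a real review the same logic is fed from an LDAP query for objects with either flag set or either attribute populated; the one extra step is decoding the RBCD security descriptor to recover the SIDs it names.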
AD CS: Certificate Attack Surface
How certificate misconfigurations lead to domain compromise
What Is AD CS?
The Microsoft PKI built into Windows Server
Active Directory Certificate Services (AD CS) is the Microsoft PKI (Public Key Infrastructure) built into Windows Server. It issues digital certificates for authentication, encryption, and code signing. Certificates can be used to authenticate to AD just like passwords via PKINIT.
AD CS is like the government office that issues passports. If someone can forge a passport, they can become anyone. A Certificate Authority (CA) signs certificates that prove identity, and Certificate Templates define what types of certificates can be requested and by whom: whether the requester may supply the subject name, which extended key usages (EKUs) the certificate carries, whether manager approval is required, and which principals hold enrollment rights.
AD CS was largely ignored by attackers until 2021 when SpecterOps published "Certified Pre-Owned." Since then, misconfigured certificate templates have become one of the fastest paths to domain compromise.
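What a template check for the most common of those misconfigurations (ESC1 in the Certified Pre-Owned numbering: a low-privileged enrollee may supply an arbitrary subject on a certificate usable for authentication) looks like, as an added example rather than code from the page or from the paper's tooling. Attribute names, flag bits and EKU OIDs are AD CS's own; the templates, the published-template list and the simplified enrollment ACL (a list of principals with Enroll) are constructed.

```python
"""Spot ESC1-style certificate template misconfigurations.

Added example, not code from the original page. Attribute names, flag bits
and OIDs are AD CS's own; the templates, the list of templates published on
the CA and the simplified enrollment ACL are constructed for the demo.
"""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: manager approval

# EKUs that make a certificate usable for logon to AD (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals that mean "anyone" for this purpose (constructed list for the demo)
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_auth(ekus: list) -> bool:
    # A template with no EKU at all issues certificates good for any purpose.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def is_esc1(template: dict) -> bool:
    """All of these must hold at once; any one of them failing closes the path."""
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    return (
        bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)       # requester picks the SAN/UPN
        and not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS            # issued without manager approval
        and template.get("msPKI-RA-Signature", 0) == 0             # no authorized signatures needed
        and allows_auth(template.get("pKIExtendedKeyUsage", []))   # result is usable for logon
        and bool(LOW_PRIV & set(template.get("enroll", [])))       # low-privileged users can enroll
    )


def audit(templates: list, published: set) -> list:
    """ESC1 also needs the template to be published on an enterprise CA."""
    return [t["name"] for t in templates if t["name"] in published and is_esc1(t)]


CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SAMPLE_TEMPLATES = [
    # Default "User" template: subject is built from the AD object, not the request.
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000,
     "pKIExtendedKeyUsage": [CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"], "enroll": ["Domain Users"]},
    # Custom template that lets the requester choose the subject: the classic ESC1.
    {"name": "VPN-Users", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll": ["Domain Users"]},
    # Same shape, but only Domain Admins can enroll: not a privilege escalation.
    {"name": "Admin-Auth", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll": ["Domain Admins"]},
    # Manager approval stops automatic issuance.
    {"name": "Approval-Required", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll": ["Domain Users"]},
    # No EKU at all is "any purpose", which includes client authentication.
    {"name": "AnyPurpose-Old", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": [], "enroll": ["Authenticated Users"]},
    # Misconfigured but not published on any CA, so not currently exploitable.
    {"name": "Unpublished", "msPKI-Certificate-Name-Flag": 0x1,
     "pKIExtendedKeyUsage": [CLIENT_AUTH], "enroll": ["Domain Users"]},
]
PUBLISHED = {"User", "VPN-Users", "Admin-Auth", "Approval-Required", "AnyPurpose-Old"}

if __name__ == "__main__":
    print("ESC1 candidates:", audit(SAMPLE_TEMPLATES, PUBLISHED))
```

In a live environment the template objects live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition, the published list is the certificateTemplates attribute of each pKIEnrollmentService object, and "enroll" has to be derived from the template's security descriptor.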
AD Persistence Techniques
10 ways attackers maintain access after initial compromise
Tiered Administration Model
Why credential isolation is the foundation of AD security
The Tier Model
Microsoft's tiered administration model segments the AD environment into three trust zones: Tier 0 holds the identity infrastructure itself (Domain Controllers, AD CS, federation and directory-synchronisation servers, and the accounts that administer them), Tier 1 holds member servers and applications, and Tier 2 holds user workstations and devices. Each tier has dedicated admin accounts, workstations, and credentials that are never shared across tiers, and the central rule is that a higher-tier credential is never exposed on a lower-tier system: a Tier 0 administrator never logs on to a workstation or a member server.
Without tiered isolation, a single compromised workstation can escalate to full domain compromise: an administrator who logs on to it leaves credentials in memory that can be harvested and reused against servers and, eventually, Domain Controllers.
Security Event Explorer
Which events fire during which attacks?
TGT Request (AS-REQ): Event ID 4768
Service Ticket Request (TGS-REQ): Event ID 4769
NTLM Authentication: Event ID 4776
Directory Service Access: Event ID 4662
Successful Logon: Event ID 4624
Failed Logon: Event ID 4625
Directory Object Modified: Event ID 5136
Directory Object Created: Event ID 5137
Special Privileges Assigned: Event ID 4672
New Service Installed: Event ID 4697 (Security log; 7045 in the System log)
AD Replication Source Removed: Event ID 4929
SID History Added: Event ID 4765
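Two of the events in the list, Event ID 4769 (service ticket request) and Event ID 4662 (directory service access), run through detection logic over constructed sample records, as an added example that is not part of the original page: a Kerberoasting hunt (one account pulling many RC4-encrypted service tickets in a short window) and a DCSync hunt (replication control-access rights exercised by something that is not a Domain Controller). Field names are the real event fields; the thresholds, account names and DC list are assumptions.

```python
"""Two detections over Security-log events (added example, not the page's code).

Kerberoasting: one account requesting many RC4 (0x17) service tickets in a
short window (Event ID 4769). DCSync: a non-DC principal exercising the
replication control-access rights (Event ID 4662). Field names are those of
the real events; the events themselves, thresholds and DC list are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
# Control-access rights a DCSync (DRSUAPI GetNCChanges) caller needs
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


def detect_kerberoast(events: list, window=timedelta(minutes=5), threshold=5) -> list:
    """Accounts that requested >= threshold distinct RC4 service tickets inside `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are not roastable targets
        by_user[ev["TargetUserName"]].append((ev["Time"], svc))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits.append((user, len(services)))
                break
    return hits


def detect_dcsync(events: list, dc_accounts: set) -> list:
    """4662 carrying a replication right from anything that is not a DC computer account."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        props = ev["Properties"].lower()
        if any(g in props for g in REPLICATION_GUIDS) and ev["SubjectUserName"] not in dc_accounts:
            hits.append(ev["SubjectUserName"])
    return hits


# Constructed sample: six RC4 ticket requests by one user within a minute, two benign
# requests, one legitimate replication event from a DC and one DCSync from a user.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE = [
    {"EventID": 4769, "Time": T0 + timedelta(seconds=10 * i), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": svc, "TicketEncryptionType": "0x17"}
    for i, svc in enumerate(["MSSQLSvc/sql01", "http/web01", "cifs/fs01",
                             "ldap/app01", "sap/erp01", "mongo/db01"])
] + [
    {"EventID": 4769, "Time": T0, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": T0, "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"EventID": 4662, "Time": T0, "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": T0, "SubjectUserName": "jdoe",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Time": T0, "SubjectUserName": "jdoe",
     "Properties": "Read Property {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    print("kerberoast:", detect_kerberoast(SAMPLE))
    print("dcsync:", detect_dcsync(SAMPLE, {"DC01$", "DC02$"}))
```

The DCSync check depends on auditing being configured: 4662 only fires for replication rights if a SACL on the domain naming context audits Control Access for Everyone (or the relevant principals); without it the hunt returns nothing regardless of what happened. Directory-sync service accounts (for example the one used by Entra Connect) legitimately hold these rights and belong in an allow-list alongside the DCs.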
DC Hardening Challenge
How secure is your Domain Controller? Check each item you'd implement.
Each item represents a real-world security control recommended for production Domain Controllers. Higher-point items address more critical attack vectors.