Active Directory Structure Brief
What It Is

Active Directory Domain Services (AD DS) is a directory service that stores information about every object in a Windows network and makes it available for authentication, authorization, and management. It is organized hierarchically: forests contain domains, domains contain organizational units (OUs), and OUs contain objects such as users, computers, and groups.

Mental Model

AD is simultaneously the authentication system (Kerberos, NTLM), the authorization system (ACLs on every object), and the configuration management system (Group Policy) for the entire network. It is not just a user directory — anything that can read the directory can learn the structure, and anything that can modify it can change who has access to what.

Key Hierarchy

  • Forest — outermost security boundary; contains all domains; shares schema, global catalog, and trusts
  • Domain — administrative boundary; has its own database, policies, and domain controllers
  • Domain controller — hosts the AD database (NTDS.dit), processes authentication, replicates changes; highest-value target
  • Organizational unit — administrative container for organizing objects and delegating control; not a security boundary
  • LDAP — protocol for querying the directory; any authenticated user can read most of the database by design
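
The hierarchy above is what an LDAP distinguished name (DN) encodes. As an added illustration (not part of the original brief), the Python parser below maps a DN onto it: the DC= components rebuild the domain's DNS name, the OU= components give the administrative path from the domain root down, and the leftmost RDN is the object itself. The sample DNs are constructed, and escaping follows the RFC 4514 backslash rule so that a comma inside a name does not split the DN.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (ATTR, value) pairs, most specific first.
    Honours RFC 4514 backslash escapes ('\\,') so a value such as
    'Doe\\, Jane' is not split; hex escapes (\\2C) are left as typed."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # previous char was a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                  # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

@dataclass
class AdPath:
    domain: str               # DNS name rebuilt from the DC= components
    ou_path: List[str]        # OUs from the domain root down to the object
    container: Optional[str]  # built-in CN= container (e.g. Users), if any
    name: str                 # the object's own RDN value

def parse_dn(dn: str) -> AdPath:
    """Map a DN onto the hierarchy in the brief: domain -> OUs -> object."""
    pairs = split_rdns(dn)
    domain = ".".join(v for a, v in pairs if a == "DC")
    rest = [p for p in pairs if p[0] != "DC"]
    if not domain or not rest:
        raise ValueError("DN must name an object inside a DC=-named domain")
    name = rest[0][1]                    # leftmost RDN is the object itself
    parents = rest[1:]                   # everything between object and domain
    ous = [v for a, v in reversed(parents) if a == "OU"]
    cns = [v for a, v in parents if a == "CN"]
    return AdPath(domain, ous, cns[0] if cns else None, name)
```

Note that two objects under different OUs of the same domain still share one domain database and one set of domain controllers, which is the point of the "OUs are not security boundaries" pitfall below.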

Interview Phrasing

Active Directory is the identity, authentication, and configuration backbone for Windows enterprise networks. It is organized hierarchically — forests contain domains, domains contain OUs, OUs contain objects. The forest is the security boundary, and domains within a forest trust each other by default. Any authenticated user can query most of the directory via LDAP, which is why even a low-privilege account enables extensive enumeration.

Common Pitfalls

  • Treating AD as just a user directory — it is the authentication, authorization, and configuration system combined
  • Confusing forests and domains — the forest is the security boundary, not the domain
  • Assuming OUs are security boundaries — they are administrative containers; placing objects in a separate OU does not isolate them
  • Thinking only administrators can see AD data — any authenticated user can query most of the directory by design