⚡ What is Active Directory?
Active Directory (AD) is Microsoft's centralised directory service for managing users, computers, and resources in a Windows domain. Instead of configuring each computer individually, AD lets administrators manage thousands of machines from one place — setting password policies, software deployments, and access controls through Group Policy. AD runs on Windows Server and uses LDAP for directory queries and Kerberos for authentication.

Active Directory vs Workgroup — Why Domains Exist

In a workgroup (peer-to-peer), each computer manages its own local user accounts. If you have 200 computers and need to update a password policy, you update it on 200 machines individually. That's unmanageable at scale.

In a domain, all user accounts, passwords, and policies are stored centrally on a Domain Controller (DC). Users log in with domain credentials that authenticate against the DC. An admin changes a policy once and it applies everywhere. This is the fundamental reason Active Directory exists.

| Feature | Workgroup | Active Directory Domain |
|---|---|---|
| Scale | Up to ~10–20 computers | Thousands of computers |
| User accounts | Local, stored on each machine | Centralised, stored on the Domain Controllers |
| Password policy | Set per machine | Set once, applies everywhere via GPO |
| Single sign-on | No; re-authenticate to each resource | Yes; Kerberos tickets grant access to multiple resources |
| Management overhead | High; each machine individually | Low; centralised via AD tools |
| Authentication | NTLM (local) | Kerberos (domain), NTLM fallback |

Active Directory Structure — Forests, Trees, Domains, and OUs

Active Directory is hierarchical. Understanding the structure is critical for A+ Core 2 and Network+ — exam questions frequently ask which level a particular object belongs to.

| Level | What It Is | Exam Note |
|---|---|---|
| Forest | The top-level AD boundary: one or more domain trees sharing a common schema, configuration partition and global catalogue | The security boundary. Schema and trusts are forest-wide, and every domain in a forest trusts every other, so putting multiple companies in one forest means full mutual trust. |
| Tree | A set of domains sharing a contiguous DNS namespace (e.g. company.com and sales.company.com) | Child domains extend the parent's name: sales.company.com is a child domain of company.com |
| Domain | The core administrative and replication unit; a domain's partition replicates only among that domain's DCs | Users and computers belong to a domain. Group Policy is linked at domain or OU level. The domain is not the security boundary (see the exam tip below). |
| OU (Organisational Unit) | A container within a domain used to organise objects, like folders in a filing cabinet | The primary tool for delegation and GPO linking. Admins can delegate control of an OU without granting domain-wide rights. |
| Objects | Anything stored in AD: users, computers, groups, printers, OUs | Every object has attributes. A user object carries the username, password hash, email, group memberships, etc. |
⚡ Exam tip — forest vs domain boundary

The forest is the security boundary, not the domain. Two domains in the same forest automatically trust each other. Two domains in different forests do not have an automatic trust — a trust relationship must be manually created. Security+ uses this in scenarios about inter-organisational access.

The domain is the replication and administrative boundary. Group Policy Objects are linked to sites, domains and OUs (the LSDOU levels); there is no forest-level link.
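The hierarchy above is encoded directly in every object's distinguished name (DN): the DC= components spell the domain's DNS name and the OU= components give its container path. The following is an added example (not code from the page) that parses DNs and classifies two objects as same domain, same tree or separate tree. The DNs are constructed, and sales.company.com is assumed to be a child domain of company.com. One caveat the code makes explicit: a DN alone cannot tell a second tree in the same forest from a different forest; that requires the forest's domain list or its trust objects.

```python
"""Parse AD distinguished names and work out domain / tree / OU relationships.

Added example with constructed DNs. Handles RFC 4514 backslash escapes and
\\XX hex escapes; multi-valued RDNs (a=1+b=2) are not handled.
"""
import string

# Constructed sample objects (assumption: sales.company.com is a child of company.com).
USER_DN = r"CN=Doe\, Jane,OU=Staff,OU=Sales,DC=sales,DC=company,DC=com"
GROUP_DN = "CN=Finance-Admins,OU=Groups,DC=company,DC=com"
PARTNER_DN = "CN=svc-web,OU=Service,DC=partner,DC=net"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first, honouring escaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in string.hexdigits for c in hexpair):
                buf.append(chr(int(hexpair, 16)))  # \2C style escape
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])        # \, style escape
                i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_dns_name(dn: str) -> str:
    """The DC= components, read leaf-to-root, are the domain's DNS name."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def ou_path(dn: str) -> list[str]:
    """OUs from the domain root down to the object's own container."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]


def same_tree(domain_a: str, domain_b: str) -> bool:
    """Two domains share a tree when one DNS name is the other or a child of it (contiguous namespace).

    The leading dot matters: notcompany.com is not a child of company.com.
    """
    a, b = domain_a.lower(), domain_b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def relationship(dn_a: str, dn_b: str) -> str:
    """Classify two objects by where their domains sit in the hierarchy.

    'separate tree' may still be the same forest (a second tree) or a foreign
    forest; a DN cannot distinguish those, only the forest's domain list or
    its trust objects can.
    """
    da, db = domain_dns_name(dn_a), domain_dns_name(dn_b)
    if da.lower() == db.lower():
        return "same domain"
    if same_tree(da, db):
        return "same tree"
    return "separate tree"


if __name__ == "__main__":
    print(parse_dn(USER_DN))
    print(domain_dns_name(USER_DN), ou_path(USER_DN))
    print(relationship(USER_DN, GROUP_DN), "|", relationship(USER_DN, PARTNER_DN))
```

Naive `dn.split(",")` is the usual bug in scripts like this: a display name such as "Doe, Jane" contains an escaped comma and would be split in two.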

The Domain Controller — AD's Central Server

A Domain Controller (DC) is a Windows Server running Active Directory Domain Services (AD DS). It stores the AD database, authenticates users via Kerberos, and applies Group Policy. Every domain needs at least one DC — enterprises use multiple for redundancy and load distribution.

Key roles that run on Domain Controllers:

| Role / Service | What It Does |
|---|---|
| AD DS | Active Directory Domain Services: the directory database (NTDS.dit) of users, computers and other objects |
| KDC | Key Distribution Centre: issues Kerberos tickets for all domain principals; runs on every DC |
| DNS Server | AD requires DNS; DCs typically run it and register the SRV records (e.g. _ldap._tcp.dc._msdcs.<domain>) that clients use to find a DC |
| SYSVOL | A shared folder replicated across all DCs (by DFS-R); stores Group Policy templates and logon scripts |
| Global Catalogue | A partial, read-only replica of every object in the forest; needed for UPN logons and universal group membership lookups |
| FSMO Roles | Flexible Single Master Operations: five roles each held by exactly one DC at a time. Schema Master and Domain Naming Master are one per forest; PDC Emulator, RID Master and Infrastructure Master are one per domain |

Users, Groups, and Computers

User Accounts

Domain user accounts are stored in AD and allow users to log in from any domain-joined computer. Each account has a User Principal Name (UPN) in the format username@domain.com and a legacy SAM account name (sAMAccountName, the bare username), which is what you type in the down-level logon format DOMAIN\username.

Group Scopes and Types

| Scope / Type | Membership and Where It Can Be Used | Use Case |
|---|---|---|
| Domain Local (scope) | Members from any domain in the forest or a trusted domain; can be granted permissions only on resources in its own domain | Holds the permissions on a resource: "Sales File Share Access" |
| Global (scope) | Members only from its own domain; can be granted permissions in any domain in the forest or in a trusting forest | Groups users by role: "Sales Department" |
| Universal (scope) | Members from any domain in the forest; usable anywhere in the forest; membership is stored in the Global Catalogue, so changes replicate forest-wide | Roles that span several domains in a large multi-domain enterprise |
| Security (type) | Any scope | Security-enabled, so it appears in access tokens and can be granted permissions on files, printers and applications |
| Distribution (type) | Any scope | Email lists only; not security-enabled, so it never appears in an access token and cannot be used for permissions |
AGDLP — The Nesting Best Practice

AGDLP is Microsoft's recommended group nesting strategy: Accounts → Global groups → Domain Local groups → Permissions.

Put users into Global groups (by role), put Global groups into Domain Local groups (by resource), and assign permissions only to Domain Local groups. This keeps management scalable: if a user changes role, you update one Global group membership and never touch a resource ACL. Where roles span several domains, a Universal group sits between the Global and Domain Local groups (AGUDLP).

Group Policy (GPO)

Group Policy Objects (GPOs) are collections of settings applied to users and computers in a domain. They're the primary tool for enforcing security baselines, deploying software, and configuring user desktops at scale. GPOs are the most commonly tested AD concept on the A+ Core 2 exam.

GPO Scope and Application Order

GPOs are applied in order, and a later policy overrides an earlier one for any setting both configure. The order is Local → Site → Domain → OU (remembered as LSDOU), with parent OUs processed before child OUs, so the GPO linked closest to the object is applied last and normally wins a conflict. Two link options change this: an Enforced link is applied after all non-enforced ones, highest level last, so an enforced domain GPO beats any OU GPO; Block Inheritance on an OU discards the non-enforced GPOs linked above it but cannot stop an enforced one.
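The rule set above (LSDOU, child OUs after parents, Enforced applied last with the highest level winning, Block Inheritance dropping only non-enforced links) is small enough to model exactly. The following added example, not code from the page, computes the resultant policy for a computer from a constructed set of GPO links, producing the same "winning GPO" per setting that gpresult would report; it also covers the LSDOU exam question at the end of the page. The GPO names, OUs and setting names are invented, and the model covers link precedence only (no security filtering, WMI filters or loopback processing).

```python
"""Resultant-policy calculation for LSDOU with Enforced links and Block Inheritance.

Added example with constructed GPO links; models link precedence only.
"""
from dataclasses import dataclass


@dataclass
class GpoLink:
    name: str
    container: str          # "local", "site:<name>", or a domain/OU DN
    settings: dict
    enforced: bool = False
    link_order: int = 1     # 1 = highest precedence among links on the same container


DOMAIN = "DC=company,DC=com"
SALES = "OU=Sales," + DOMAIN
SALES_WS = "OU=Workstations," + SALES

# Constructed links. Corp Baseline is enforced at the domain; Sales USB Exception is
# enforced at the Sales OU; the Workstations OU blocks inheritance.
LINKS = [
    GpoLink("Local Computer Policy", "local", {"ScreenSaverTimeout": 3600}),
    GpoLink("HQ Site Policy", "site:HQ", {"WSUSServer": "wsus-hq"}),
    GpoLink("Default Domain Policy", DOMAIN, {"MinPasswordLength": 12, "ScreenSaverTimeout": 900}),
    GpoLink("Corp Baseline", DOMAIN, {"USBStorage": "deny"}, enforced=True),
    GpoLink("Sales Desktop", SALES, {"Wallpaper": "sales.jpg", "USBStorage": "allow"}),
    GpoLink("Sales USB Exception", SALES, {"USBStorage": "allow-encrypted"}, enforced=True),
    GpoLink("Sales WS", SALES_WS, {"ScreenSaverTimeout": 600}),
]
BLOCK_INHERITANCE = {SALES_WS}

WS01_DN = "CN=WS01,OU=Workstations,OU=Sales,DC=company,DC=com"   # under the blocking OU
WS02_DN = "CN=WS02,OU=Sales,DC=company,DC=com"                   # inherits normally


def ou_chain(object_dn: str, domain_dn: str) -> list[str]:
    """Containers above an object, top-down: the domain, then each OU from outermost to innermost."""
    rdns = object_dn.split(",")   # constructed DNs here contain no escaped commas
    ous = [",".join(rdns[i:]) for i, r in enumerate(rdns) if r.upper().startswith("OU=")]
    return [domain_dn] + ous[::-1]


def apply_order(object_dn: str, site: str, links: list, blocked: set, domain_dn: str = DOMAIN) -> list:
    """GPOs in the order the client processes them; the last one to set a value wins."""
    chain = ["local", f"site:{site}"] + ou_chain(object_dn, domain_dn)
    # Block Inheritance on an OU discards non-enforced links from every container above it.
    # The Local GPO is not a link and is always processed.
    block_pos = max((i for i, c in enumerate(chain) if c in blocked), default=0)
    normal, enforced = [], []
    for pos, container in enumerate(chain):
        here = sorted((l for l in links if l.container == container), key=lambda l: -l.link_order)
        for link in here:
            if link.enforced:
                enforced.append((pos, link))
            elif container == "local" or pos >= block_pos:
                normal.append(link)
    # Enforced links go after everything else, deepest first, so the one nearest the
    # site/domain is applied last and wins any conflict with a lower enforced link.
    enforced.sort(key=lambda t: -t[0])
    return normal + [link for _, link in enforced]


def resolve(object_dn: str, site: str, links: list = LINKS, blocked: set = BLOCK_INHERITANCE) -> tuple:
    """Final setting values and the GPO that supplied each (what gpresult reports as the winning GPO)."""
    values, winner = {}, {}
    for gpo in apply_order(object_dn, site, links, blocked):
        for key, val in gpo.settings.items():
            values[key], winner[key] = val, gpo.name
    return values, winner


if __name__ == "__main__":
    for dn in (WS01_DN, WS02_DN):
        print(dn, [g.name for g in apply_order(dn, "HQ", LINKS, BLOCK_INHERITANCE)])
        print(resolve(dn, "HQ"))
```

WS01 sits under the blocking OU, so it never sees the site, domain or Sales Desktop settings, yet both enforced GPOs still reach it and the domain-level enforced GPO wins the USB conflict. WS02 receives everything, and the same enforced domain GPO overrides the Sales OU's allow setting.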

| GPO Setting Category | Examples | Exam Relevance |
|---|---|---|
| Password Policy | Minimum length, complexity, maximum age, password history | A+ Core 2: securing user accounts. For domain accounts this takes effect only from a GPO linked at the domain level, one policy per domain unless Fine-Grained Password Policies are used |
| Account Lockout | Lock after N failed attempts, lockout duration, reset counter | A+ / Security+: defence against brute force |
| Software Deployment | Push MSI packages to computers or users | A+ Core 2: enterprise software management |
| Desktop Restrictions | Remove Control Panel, disable USB storage, restrict the Run dialog | A+ Core 2: standard hardening scenario |
| Security Settings | Audit policies, user rights assignment, firewall rules | Security+: security baseline enforcement |
| Drive Mapping | Map shared drives automatically at logon | A+ Core 2: common IT support task |
| AppLocker / SRP | Allow-list or block-list applications by path, hash or publisher | Security+: application control |

Forcing and Refreshing Group Policy

Group Policy Commands
gpupdate /force       # Force immediate GPO refresh on Windows
gpresult /r           # Show applied GPOs for current user/computer
gpresult /h report.html # Generate HTML GPO report
rsop.msc             # Resultant Set of Policy — GUI GPO diagnostics

Domain Join — How a Computer Joins AD

When a computer joins a domain, a computer account object is created in Active Directory and a secure channel is established with the DC. The computer account has its own password, which the machine rotates every 30 days by default; that shared secret is how the machine itself authenticates to the domain. After joining, users can log in with domain credentials from that machine.

| Step | What Happens |
|---|---|
| 1. DNS required | The computer must resolve the domain's SRV records via DNS, so its DNS server is normally a DC |
| 2. Join the domain | System Properties → Change → Domain → enter the domain name → supply credentials of an account allowed to create the computer object (by default any domain user may join up to 10 machines; in practice a delegated or admin account) |
| 3. Computer account created | AD creates a computer object in the Computers container (or the OU the admin specifies) and sets its initial password |
| 4. Restart required | The machine restarts to complete the join and begin processing Group Policy |
| 5. GPO applied | At startup and logon Group Policy is applied: desktop restrictions, mapped drives, software deployed |

How Active Directory Uses LDAP and Kerberos

Active Directory is built on two open protocols — LDAP for querying the directory and Kerberos for authentication:

| Protocol | Port | Role in AD |
|---|---|---|
| LDAP | 389 (TCP) | Query and modify AD objects: search for users, read group memberships, look up attributes. LDAP is how applications query AD. |
| LDAPS | 636 (TCP) | LDAP over TLS for encrypted directory queries. Plain LDAP on 389 is cleartext unless the client negotiates SASL signing and sealing (Kerberos), so secure environments require LDAPS or enforced signing. |
| Kerberos | 88 (TCP/UDP) | User authentication; issues TGTs and service tickets. The primary authentication protocol in AD domains; clocks must be within 5 minutes of the KDC by default. |
| DNS | 53 (UDP/TCP) | Service discovery: DCs register SRV records so clients can find the KDC, LDAP and other AD services. |
| SMB | 445 (TCP) | File sharing and SYSVOL access; Group Policy templates and scripts are fetched from the DC's SYSVOL share over SMB. |

Active Directory and Security+ — Attack Surface

Because AD controls authentication and authorisation for the entire domain, it's a prime target for attackers. Security+ tests AD-specific attack scenarios regularly.

| Attack | Target | How It Works | Defence |
|---|---|---|---|
| Pass-the-Hash | NTLM credential | Attacker extracts an NTLM hash from memory (LSASS) and authenticates with it directly, never needing the plaintext password | Credential Guard, disable or restrict NTLM, keep privileged accounts off workstations so their hashes are never in memory there |
| Kerberoasting | Service account tickets | Any domain user requests service tickets for accounts with SPNs and cracks the encrypted part offline to recover the service account password | Long random service account passwords or gMSA (which rotates them), AES-only service accounts so RC4 tickets cannot be issued, alert on RC4 (0x17) 4769 events |
| Golden Ticket | krbtgt account hash | With the krbtgt hash the attacker forges TGTs for any user with any group membership; persists until krbtgt is rotated | Reset the krbtgt password twice (allowing replication between resets); monitor for TGT lifetimes or group SIDs that violate domain policy |
| DCSync | Domain replication | An account holding the Replicating Directory Changes (All) rights asks a DC for every user's password hash, mimicking a replication partner | Grant those rights only to DCs; alert on 4662 events carrying the replication GUIDs from non-DC accounts |
| LDAP Enumeration | AD directory | Querying AD via LDAP to enumerate users, groups, computers and trusts; a standard recon step available to any domain account | Require LDAP signing, limit what ordinary users can read, monitor for bulk LDAP queries from non-admin accounts |
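Two of the attacks in the table leave distinctive traces in the Security log, and the detection logic is short enough to show. This is an added example (not from the page) run over constructed event records shaped like the relevant Windows Security event fields: Kerberoasting shows up as one account requesting RC4 (TicketEncryptionType 0x17) service tickets for many different SPN-bearing accounts in a short window (event 4769), and DCSync shows up as a 4662 event whose Properties field carries the DS-Replication-Get-Changes or DS-Replication-Get-Changes-All control-access GUID from a principal that is not a DC. The account names, timestamps and thresholds are invented; 4662 only appears if Directory Service Access auditing is enabled.

```python
"""Kerberoasting (4769) and DCSync (4662) detection over constructed Security log records.

Added example; events are constructed to match Windows Security event field names.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs on the domain object that a DCSync needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"     # TicketEncryptionType that offline crackers prefer
DC_ACCOUNTS = {"DC01$", "DC02$"}   # constructed: the domain's DC computer accounts


def ev(ts: str, event_id: int, **fields) -> dict:
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": event_id, **fields}


# Constructed events: jsmith pulls five RC4 service tickets in five seconds; alice gets one
# AES ticket; bob's ticket is for a computer account; two 4662s carry replication GUIDs.
EVENTS = [
    ev(f"2024-05-01T09:00:{i:02d}", 4769, TargetUserName="jsmith@COMPANY.COM", ServiceName=svc,
       TicketEncryptionType=RC4_HMAC, IpAddress="::ffff:10.0.5.23")
    for i, svc in enumerate(["svc-sql", "svc-web", "svc-backup", "svc-ftp", "svc-report"])
] + [
    ev("2024-05-01T09:05:00", 4769, TargetUserName="alice@COMPANY.COM", ServiceName="svc-web",
       TicketEncryptionType="0x12", IpAddress="::ffff:10.0.5.40"),
    ev("2024-05-01T09:06:00", 4769, TargetUserName="bob@COMPANY.COM", ServiceName="WS01$",
       TicketEncryptionType=RC4_HMAC, IpAddress="::ffff:10.0.5.41"),
    ev("2024-05-01T09:10:00", 4662, SubjectUserName="DC02$", ObjectType="domainDNS",
       Properties="%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ev("2024-05-01T09:11:30", 4662, SubjectUserName="jsmith", ObjectType="domainDNS",
       Properties="%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ev("2024-05-01T09:12:00", 4662, SubjectUserName="alice", ObjectType="domainDNS",
       Properties="%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"),
]


def detect_kerberoasting(events: list, min_spns: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Accounts that obtained RC4 service tickets for >= min_spns distinct services within the window.

    Computer accounts ($) and krbtgt are skipped: those tickets are routine and not the
    crackable user-owned SPNs the attack targets. Returns {requesting account: distinct SPN count}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append((e["TimeCreated"], svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):           # sliding window from each request
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[user] = len(spns)
                break
    return hits


def detect_dcsync(events: list, dc_accounts: set) -> list:
    """Principals other than DCs that exercised a replication control-access right (event 4662)."""
    guid_re = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.lower() for g in guid_re.findall(e["Properties"])}
        if guids & REPLICATION_GUIDS and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(EVENTS))
    print("dcsync:", detect_dcsync(EVENTS, DC_ACCOUNTS))
```

The Kerberoasting threshold is a tuning knob: in a domain where service accounts are AES-only, any single RC4 ticket for a user-owned SPN is itself worth an alert, so min_spns can drop to 1.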

Exam Scenarios

💬 "A user can log in locally but cannot authenticate to domain resources after a VM was restored from a week-old snapshot. What is the likely cause?" → The secure channel between the computer and the DC is broken: the computer account password stored in AD has rotated since the snapshot was taken and no longer matches the one inside the restored VM, so the machine itself can no longer authenticate to the domain (cached credentials still allow the local logon). Repair it with Test-ComputerSecureChannel -Repair in PowerShell or netdom resetpwd, or rejoin the domain.
💬 "An admin wants to apply a desktop background policy to all computers in the Sales department but not the IT department. What should they use?" → Put the Sales computers in their own OU and link the GPO there. If the computers cannot be separated by OU, use security filtering (or a WMI filter) so the GPO applies only to the Sales computers.
💬 "A new workstation has been configured but users report that GPOs are not applying. What is the most likely cause?" → The computer has not been joined to the domain, or DNS is misconfigured so it cannot reach the Domain Controller.
💬 "Which tool forces an immediate Group Policy refresh on a Windows client?" → gpupdate /force
💬 "An attacker compromises the krbtgt account hash. What attack can they now perform?" → Golden Ticket attack — they can forge TGTs for any user in the domain with any group membership and any expiry time.
💬 "What is the security boundary in Active Directory — the domain or the forest?" → The forest is the security boundary. Two domains in the same forest automatically trust each other. Different forests require explicit trust relationships.
💬 "Active Directory uses which two protocols for directory queries and authentication?" → LDAP (port 389) for directory queries and Kerberos (port 88) for authentication.
💬 "In what order are Group Policy Objects applied?" → LSDOU — Local, Site, Domain, OU. The last GPO applied wins unless a higher-level GPO is enforced.
