What Is Active Directory? A Defender's Introduction
You already use Active Directory, probably every working day, even if you have never opened a tool that names it. You sit down, type one username and password, and the screen unlocks. Then you open a file share, send to a printer, and load an internal web app, and not one of them asks you to log in again. Something in the background vouched for you to all of them. That something is Active Directory, and learning to defend it starts with seeing it clearly.
Scenario
A new analyst joins your team from a helpdesk role. She is sharp, but when an alert mentions "a 4769 from a workstation against a service account," she stops you: "I keep hearing Active Directory is the thing attackers go after, but what actually is it? Is it a server? A database? A login screen?" It is a fair question, and the honest answer is that it is all three at once and none of them quite. Before anyone defends AD, they have to be able to say plainly what it is and why an attacker wants it. That is this whole sub.
The short definition is this. Active Directory is a directory service: the central database of every identity in a Windows network, plus the system that proves those identities and decides what each one is allowed to reach. Microsoft ships it as a role on Windows Server, and the great majority of organizations that run Windows run it. It is the backbone, even when nobody thinks about it.
That definition has three words doing the heavy lifting, so take them one at a time.
A directory, first
A directory is a structured list of things and facts about them, built to be searched. A phone book is a directory. Active Directory is a directory of everything in the network that has an identity: every user, every computer that has joined the domain, every group, every service account, every printer and shared resource. For each one it holds attributes, the facts that describe it, like a user's name, group memberships, password information, and the permissions attached to the account.
Underneath, it is a database built for one job: storing identities and being read constantly. Every time anyone logs in, opens a resource, or looks up a colleague, something queries it.
It is built to answer those reads fast and to be searched, which is why the standard way programs talk to it is a query protocol called LDAP. You will meet LDAP again, because the same queries that let the network function also let an attacker map it.
Everything in the directory is an object, and every object has a type, called its class: user, computer, group, and so on. The directory is the single source of truth for them. That single-source-of-truth quality is what makes the network coherent. It is also why corrupting one record can mislead the entire network at once.
The machines that hold this directory and answer questions about it are the domain controllers. Every domain has at least one, usually several, and they keep copies of the directory in sync with each other so that any of them can answer. When your laptop needs to know whether you are allowed somewhere, it is a domain controller it asks.
Why several controllers? Partly for resilience, so the network keeps working if one fails, and partly for speed, so a controller is near each site. They replicate constantly, each copying the others' changes, which means a change made on one, a new group membership or a reset password, spreads to all of them. Hold that thought: replication is normal and essential, and it is also the exact mechanism one of the most serious attacks in this course abuses.
So far this is just a well-organized list. What makes it the center of the network is the next two words.
A service that proves identity
The second job is authentication: proving that you are who you claim to be. When you log in, your computer does not simply trust the name you typed. It runs an exchange with a domain controller that checks your credentials and, if they are good, issues you proof of identity you can present elsewhere.
On a modern domain that proof is a Kerberos ticket. You authenticate once, you receive tickets, and you hand those tickets to each service you reach. The file server does not ask for your password, because the ticket you present is itself the proof, already signed by the domain controller it trusts. That is why one login at the start of the day quietly opens so many doors.
Walk one login through slowly, because the whole network rests on it. You type your password, and your computer does not send it across the network; it uses the password to ask a domain controller for a ticket, and the controller, which knows your secret, answers only if the request proves you know it too. You now hold a ticket-granting ticket.
When you open the file share, your computer uses that ticket to request a second one specific to the share and presents it, so the share lets you in without ever seeing your password, and the same pattern repeats for every resource you touch.
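The login just walked through, as an added simplified model that is not code from the course: a Python sketch of the exchange in which the password never leaves the client, the domain controller vouches by issuing a ticket-granting ticket and then a service ticket, and the file share checks its ticket with its own key. It stands in for Kerberos encryption with keyed HMAC tags and for the real string-to-key function with PBKDF2 (both assumptions); the user, share and password names are constructed.

```python
import hashlib
import hmac
import os

def derive_key(secret: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key (assumption: PBKDF2, not the real KDF)
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 10_000)

def tag(key: bytes, *parts: str) -> str:
    # Keyed MAC standing in for ticket encryption: only a holder of `key` can mint or verify
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

class DomainController:
    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: derive_key(p, u) for u, p in users.items()}
        self.service_keys = {s: derive_key(p, s) for s, p in services.items()}
        self.krbtgt_key = os.urandom(32)  # secret that protects the TGTs it issues

    def as_exchange(self, user: str, nonce: str, proof: str):
        # Pre-authentication: the client proves it holds the password-derived key
        # without sending the password; a wrong key yields no ticket at all
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(proof, tag(key, "preauth", user, nonce)):
            return None
        return (user, nonce), tag(self.krbtgt_key, "tgt", user, nonce)

    def tgs_exchange(self, tgt, tgt_tag: str, service: str):
        # Honor only a TGT this controller minted, then issue a ticket bound to the service's key
        user, nonce = tgt
        svc_key = self.service_keys.get(service)
        if svc_key is None or not hmac.compare_digest(tgt_tag, tag(self.krbtgt_key, "tgt", user, nonce)):
            return None
        return (user, service), tag(svc_key, "svc", user, service)

class FileShare:
    # A service that never sees the password: it checks tickets with its own key
    def __init__(self, name: str, secret: str):
        self.name, self.key = name, derive_key(secret, name)

    def open(self, ticket, ticket_tag: str) -> bool:
        user, service = ticket
        return service == self.name and hmac.compare_digest(ticket_tag, tag(self.key, "svc", user, service))

def login_and_open(dc: DomainController, share: FileShare, user: str, password: str) -> bool:
    # Client side: the password stays here and only derives the key for the pre-auth proof
    nonce = os.urandom(8).hex()
    issued = dc.as_exchange(user, nonce, tag(derive_key(password, user), "preauth", user, nonce))
    if issued is None:
        return False
    granted = dc.tgs_exchange(*issued, share.name)
    return granted is not None and share.open(*granted)
```

Real Kerberos additionally carries session keys and authenticators inside the encrypted tickets; the model keeps only the trust relationships the text describes.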
There is a second, older method called NTLM that some systems still fall back to, and you will meet it later because attackers exploit the fallback. For now hold the simple picture: Active Directory is what turns one set of credentials into trusted access across the whole network, and the domain controllers are the authority that makes that trust real.
An authority that decides what you can reach
The third job is authorization: deciding what an authenticated identity is allowed to do. Being proven to be you is not the same as being allowed everywhere. The directory records which groups you belong to and what permissions those groups carry, and resources across the network check that record before they let you in.
This is why groups matter so much in AD, and why they become a target. Membership in a group like Domain Admins is not a label. It is a live grant of authority that every machine in the domain honors. Add an account to the right group and you have changed what that account can touch everywhere, instantly, because everything trusts the directory's answer.
This is also why so much of defending AD comes down to watching a small set of changes very closely. A new member in a privileged group, a permission granted on a sensitive object, a service account suddenly able to do something it never did before: these are tiny edits to the directory that translate at once into real power across the estate. Most of the attacks in this course end in exactly such an edit, which is what makes those edits worth watching.
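One way to watch the small set of changes described above, as an added example that is not part of the course: a Python filter over constructed Security-log events that keeps only additions to privileged groups. Event IDs 4728, 4732 and 4756 are real Windows Security IDs for member-added events (only 4769 appears in the text), the field names follow the Security log's EventData, and the privileged-group list is an assumption to tune per estate.

```python
import json

# Windows Security event IDs logged when a member is added to a security-enabled
# global, local or universal group (real IDs; only 4769 appears in the text above)
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership is a live grant of authority across the domain.
# Assumption: tune this list to your own estate; the text names Domain Admins.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

def member_cn(member_dn: str) -> str:
    # MemberName is a distinguished name; keep the leading CN= value for readability
    first = member_dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first

def privileged_additions(event_lines):
    # Walk JSON-encoded Security events and keep only additions to privileged groups
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        scope = GROUP_ADD_EVENTS.get(ev.get("EventID"))
        if scope is None:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({
            "group": group,
            "scope": scope,
            "member": member_cn(ev.get("MemberName", "")),
            "actor": ev.get("SubjectUserName", "?"),
            "time": ev.get("TimeCreated", "?"),
        })
    return alerts

# Constructed sample events shaped like Security-log EventData fields (not real logs)
SAMPLE_EVENTS = [
    '{"EventID": 4769, "TimeCreated": "2024-05-02T08:01:10Z", "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc-sql"}',
    '{"EventID": 4728, "TimeCreated": "2024-05-02T08:03:44Z", "SubjectUserName": "jdoe", "TargetUserName": "Marketing", "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"}',
    '{"EventID": 4728, "TimeCreated": "2024-05-02T08:05:12Z", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"}',
    '{"EventID": 4732, "TimeCreated": "2024-05-02T08:09:30Z", "SubjectUserName": "tsmith", "TargetUserName": "Administrators", "MemberName": "CN=svc-web,OU=Service Accounts,DC=corp,DC=example"}',
]

if __name__ == "__main__":
    for a in privileged_additions(SAMPLE_EVENTS):
        print(f"{a['time']} {a['actor']} added {a['member']} to {a['group']} ({a['scope']} group)")
```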
The fourth thing AD does is management. Through Group Policy, an administrator sets configuration once and it applies to every joined machine: password rules, security settings, which software runs, what the desktop looks like. One change at the center reshapes thousands of computers. It is enormously powerful for running an estate, and for the same reason it is a prize for anyone who should not have it.
Group Policy is worth pausing on, because it is a quiet superpower. It can decide which scripts run at startup, which programs are permitted, how machines trust one another, and dozens of security settings, all pushed automatically to machines that simply obey.
Used well, it is how a small team holds a large estate to a standard. Turned against you, it is a way to reconfigure or run code on thousands of machines from one place, which is why control of Group Policy is itself a target later in the course.
Why a defender treats AD as the crown jewels
Put the three jobs together and the reason AD is the most valuable thing in most estates becomes obvious. It is the single authority that every computer, every service, and every user trusts to answer two questions: who is this, and what may they do. Control that authority and you control the answers, which means you control the network.
That is the defender's whole reason for caring. Most security controls protect one thing: a server, an app, a laptop. Active Directory is the thing that grants access to all of them at once. An attacker who reaches a single laptop has reached a single laptop. An attacker who reaches Active Directory has, in effect, reached everything that laptop's owner and everyone else could ever touch. The blast radius is the entire organization.
Anti-pattern
Treating Active Directory as plumbing. Because AD just works in the background, it is easy to file it under IT operations and assume it is the infrastructure team's concern rather than a frontline security priority. That assumption is how the most important system in the estate ends up among the least watched. Active Directory is not background plumbing; it is the authority every other control depends on, so a defender treats it as one of the first things to protect and to watch, not something to notice only after it has been used against you.
It is worth sitting with how much rides on it. Email, file shares, internal applications, remote access, and the laptops themselves all defer to Active Directory for identity, with rarely a second, independent authority to fall back on.
So when AD is compromised, no part of the Windows estate is obviously still trustworthy. That is why incident response for an AD compromise is so heavy: you cannot simply clean one machine and move on, because the thing that vouches for every machine is the thing in question.
Two facts make this worse, and they run through the whole course. AD is old: the design is more than twenty years old, built for an era when the network inside the building was assumed to be friendly. And AD is permissive by default: it is built to make things work and to keep working, so its defaults favor compatibility over safety, and the safe configuration is something you reach deliberately.
A concrete example of that permissiveness: by default, any authenticated user in the domain can read a great deal of the directory, enough to enumerate accounts, groups, and the relationships between them. That openness is convenient, and it was a reasonable assumption when the network inside the walls was trusted.
Today it means a single foothold can quietly map the entire domain before doing anything noisy, and you will see exactly that in the recon material later. Decades of "just make it work" changes pile up on top of defaults like these, and the pile is the exact set of weaknesses attackers walk through. None of it is exotic; most of it is the directory behaving as designed.
None of that means AD is broken. It means AD is powerful, central, old, and trusted, which is precisely the combination that makes it the first thing a serious intruder goes for and the most important thing you learn to watch.
You now have the plain answer the new analyst asked for. The next sub turns to the other half of the picture, the threats: who attacks Active Directory, why it is such a reliable target, and what they are trying to achieve once inside.