
Active Directory Domain Controller: Architecture, hardening and attack vectors

The domain controller is the central authority in Active Directory environments. This article explains architecture, Kerberos, group policies, hardening measures, and attack vectors.


The Active Directory Domain Controller (DC) is the central authentication and authorization authority in Microsoft Windows domain environments. It manages user accounts, computer accounts, security groups, group policies, and an organization's entire trust infrastructure. In over 90% of all enterprise environments, the domain controller is the most critical and most frequently targeted system: whoever compromises the DC controls the entire domain.

Active Directory Domain Services (AD DS): Basic Architecture

Core Objects

Active Directory is a hierarchical directory database based on the LDAP protocol (Lightweight Directory Access Protocol). The most important objects:

  • Domain: Administrative boundary and replication unit. All objects in a domain share a common security policy and database.
  • Organizational Unit (OU): Sub-structure within a domain for organizing objects and applying group policies.
  • Forest: Top-level trust and security boundary in AD. A forest can contain multiple domains connected via transitive trusts.
  • Global Catalog (GC): Partial replication of all objects from all domains in a forest—enables cross-domain searches.
  • FSMO roles: Five Flexible Single Master Operations roles that concentrate specific domain-critical functions on a single DC each (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master).

Domain Controller Roles

A domain controller performs the following critical services:

  • AD DS (Active Directory Domain Services): Core directory service, LDAP interface
  • Kerberos Key Distribution Center (KDC): Authentication service for all domain objects
  • DNS (Domain Name System): AD is deeply integrated with DNS; most DCs also serve as DNS servers
  • SYSVOL share: Replication partition for Group Policy templates and scripts
  • NETLOGON service: Pass-through authentication for the older NTLM protocols and domain controller discovery

Replication

Changes to AD objects are replicated among all domain controllers in a domain. The Knowledge Consistency Checker (KCC) automatically creates the replication topology. Replication occurs via RPC over IP (for intra-site replication) and can be configured via SMTP for inter-site connections.

Kerberos Authentication

Kerberos is the primary authentication protocol in Active Directory. It is based on the principle of ticket-based authentication: passwords are never transmitted over the network.

Kerberos Authentication Process

  1. AS-REQ (Authentication Service Request): The client sends a request to the KDC (running on the DC) and proves its identity with a timestamp encrypted under the key derived from the user's password (the NTLM hash).
  2. AS-REP (Authentication Service Reply): The KDC responds with a Ticket Granting Ticket (TGT), a ticket encrypted and integrity-protected with the KRBTGT account's password hash. The client cannot decrypt the TGT; it simply stores it and presents it in subsequent requests.
  3. TGS-REQ (Ticket Granting Service Request): When the client wants to access a service (e.g., a file server), it presents the TGT and requests a Service Ticket (ST).
  4. TGS-REP (Ticket Granting Service Reply): The KDC issues a Service Ticket encrypted with the service account hash.
  5. AP-REQ (Application Request): The client presents the Service Ticket to the target service, which decrypts it using its own password hash and verifies the client’s identity.
  • KRBTGT account: The only account whose key can issue TGTs. Compromising it allows Golden Tickets to be forged: TGTs for any account in the domain with effectively unlimited validity.
  • Privileged Access Workstation (PAW): Dedicated, hardened workstation for the administration of DCs and other Tier-0 systems.

Group Policy Objects (GPOs)

GPOs are the central configuration and enforcement tool in Active Directory. They are applied to OUs and control virtually every aspect of Windows systems and user environments.

GPO Processing Order (LSDOU)

  1. Local: Local policies of the computer
  2. Site: GPOs assigned to the AD site
  3. Domain: GPOs at the domain level
  4. OU: GPOs on the object’s OU (child OUs override parent OUs)

Later GPOs in the processing order override earlier ones, with two exceptions: a GPO marked "Enforced" at a higher level wins over everything below it, and an OU with "Block Inheritance" does not apply the non-enforced GPOs linked above it.

  • Password Policy: Minimum length, complexity, expiration interval, history
  • Account Lockout Policy: Threshold, lockout duration, grace period
  • Audit Policy: Which events are logged in the security log
  • User Rights Assignment: Which users and groups have specific system rights (log on locally, log on as a service, debugging rights, etc.)
  • Windows Firewall: Centralized firewall rules for all domain computers
  • AppLocker / WDAC: Application control policies
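To make the LSDOU precedence rules above concrete, here is an added Python model of the resolution (illustrative code, not part of the original article and not Microsoft tooling). The GPO names, settings and OU structure are constructed, and link order within one container is simplified to list order.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False

@dataclass
class Scope:                          # one link target: Local, Site, Domain or an OU
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False   # only meaningful on an OU

def resolve(chain):
    """Resulting policy for an object whose container chain is
    [Local, Site, Domain, OU, child OU, ...]. Returns {setting: (value, winning GPO)}."""
    # Non-enforced GPOs apply in LSDOU order. Block Inheritance on an OU discards the
    # non-enforced GPOs of every container above it; the Local GPO is not an AD link and stays.
    blocked_above = max((i for i, s in enumerate(chain) if s.block_inheritance), default=0)
    normal = [g for i, s in enumerate(chain) for g in s.gpos
              if not g.enforced and (i == 0 or i >= blocked_above)]
    # Enforced GPOs ignore Block Inheritance and are applied last. Among several enforced
    # GPOs the one linked higher in the hierarchy wins, so apply them from the lowest level up.
    enforced = [g for s in reversed(chain) for g in s.gpos if g.enforced]
    result = {}
    for g in normal + enforced:       # last writer wins
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

def example(block_inheritance=True):
    # Constructed hierarchy: a domain baseline, an enforced LDAP-hardening GPO, and a
    # server OU whose legacy-app GPO weakens signing settings.
    chain = [Scope("Local", [GPO("LocalPolicy", {"AuditLogon": "none"})]),
             Scope("Site-HQ"),
             Scope("corp.example", [GPO("Baseline", {"SMBSigning": "required", "AuditLogon": "success+failure"}),
                                    GPO("LDAP-Hardening", {"LDAPSigning": "required"}, enforced=True)]),
             Scope("OU=Servers", [GPO("Legacy-App", {"SMBSigning": "disabled", "LDAPSigning": "none"})],
                   block_inheritance=block_inheritance)]
    return resolve(chain)
```

With Block Inheritance on the OU, the domain baseline's audit setting silently disappears and the local default applies, while the enforced LDAP signing requirement survives the OU's attempt to disable it.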

Hardening Measures for Domain Controllers

Tier Model (Administrative Tiering)

Microsoft recommends a three-tier administrative model:

Tier   | Systems                        | Admins
Tier 0 | Domain controllers, PKI, ADFS  | Tier 0 admins only
Tier 1 | Servers (file, web, database)  | Tier 1 admins only
Tier 2 | Workstations, endpoints        | Tier 2 admins only

Admins must never log on to lower-tier systems with their privileged accounts; this prevents a compromised Tier 2 computer from capturing privileged credentials.

Hardening Checklist for Domain Controllers

Physical and Network Security:

  • DCs in physically secure rooms or a dedicated hypervisor environment
  • Separate management VLAN for DC administration
  • Limit outbound connections from DCs to the bare minimum (no Internet connectivity for DCs)

Operating System Hardening:

  • Up-to-date Windows Server OS with all security updates
  • Do not install unnecessary roles and features on DCs (prefer Core installation)
  • Local Administrator Password Solution (LAPS) for all workstations and servers
  • Enable Microsoft Defender Credential Guard (protects LSASS against credential dumping)
  • Protected Users security group for all privileged accounts

Active Directory configuration:

  • Rotate the KRBTGT password regularly (at least annually, and twice in quick succession immediately after a security incident)
  • Never use privileged accounts (Domain Admins) for routine tasks
  • Understand and monitor the AdminSDHolder and SDProp mechanisms
  • Enforce LDAP signing and channel binding (prevents LDAP relay attacks)
  • Enable SMB signing on all systems (prevents SMB relay)
  • Restrict or disable NTLM authentication where possible

Monitoring and Auditing:

  • Enable full auditing for privileged operations (Event IDs 4720, 4722, 4724, 4728, 4732, 4756)
  • SIEM integration for DC event logs
  • Honeypot user accounts (privileged-looking accounts that are never used legitimately, so any activity on them is an alert) for early detection

Common Attack Vectors

Pass-the-Hash (PtH)

Attackers extract NTLM password hashes from the LSASS process (e.g., using Mimikatz) and use them directly to authenticate to other systems without knowing the plaintext password. Protection: Credential Guard, the Protected Users group, and restricted NTLM usage.

Kerberoasting

Attackers with ordinary domain user privileges request service tickets for service accounts and crack the tickets offline to recover the service account's password. Any account with a Service Principal Name (SPN) set is exposed. Protection: strong, random passwords for service accounts (min. 25 characters); use Managed Service Accounts (MSA/gMSA).

AS-REP Roasting

For user accounts where Kerberos pre-authentication is disabled, an attacker without credentials can request a TGT and crack it offline. Protection: Never disable pre-authentication.

DCSync Attack

An attacker with replication rights (typically Domain Admins or accounts explicitly assigned "Replicate directory changes") can extract all password hashes in the domain via the AD replication protocol. Result: Complete compromise of all accounts. Protection: Strictly control replication rights; use BloodHound for attack path analysis.

Golden Ticket

With the KRBTGT password hash, an attacker can forge valid TGTs for any account, including deleted or nonexistent accounts. Golden Tickets can remain valid for years and survive password changes on regular accounts. Protection: rotate the KRBTGT password twice within a short period, which invalidates all previously issued TGTs.
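The ticket exchange from the Kerberos section and the reason the KRBTGT reset has to happen twice, as an added Python simulation that is not part of the original article: `seal`/`unseal` are a toy authenticated cipher standing in for Kerberos encryption, `ToyKDC` keeps the current and the previous KRBTGT key the way a Windows KDC does, and every account name and password is constructed.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for the AES/RC4 used by real Kerberos.
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, payload: dict) -> bytes:
    # Encrypt-then-MAC with a fresh nonce: only a holder of `key` can mint or open the blob.
    body, nonce = json.dumps(payload, sort_keys=True).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None                                    # wrong key or tampered ticket
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password: str) -> bytes:                # stands in for the NT hash / AES key
    return hashlib.sha256(password.encode()).digest()

class ToyKDC:
    def __init__(self, accounts: dict):
        self.keys = {name: derive_key(pw) for name, pw in accounts.items()}
        self.krbtgt_keys = [os.urandom(32)]            # [current, previous]: the n-1 key history
    def rotate_krbtgt(self): self.krbtgt_keys = [os.urandom(32)] + self.krbtgt_keys[:1]
    def as_exchange(self, user: str, preauth: bytes):
        # AS-REQ: timestamp sealed with the user's key; AS-REP: TGT sealed with the krbtgt key.
        ts = unseal(self.keys[user], preauth)
        if ts is None or abs(time.time() - ts["ts"]) > 300:
            return None                                # pre-authentication failed
        return seal(self.krbtgt_keys[0], {"user": user, "exp": time.time() + 36000})
    def tgs_exchange(self, tgt: bytes, spn: str):
        # TGS-REQ: a TGT under the current OR the previous krbtgt key is accepted, so one rotation is not enough.
        for k in self.krbtgt_keys:
            claims = unseal(k, tgt)
            if claims is not None and claims["exp"] > time.time():
                return seal(self.keys[spn], {"user": claims["user"], "spn": spn})
        return None                                    # TGT rejected

def demo() -> dict:
    kdc = ToyKDC({"alice": "alice-pw", "cifs/fs01": "svc-pw"})  # constructed accounts
    tgt = kdc.as_exchange("alice", seal(derive_key("alice-pw"), {"ts": time.time()}))
    st = kdc.tgs_exchange(tgt, "cifs/fs01")
    r = {"client_opens_tgt": unseal(derive_key("alice-pw"), tgt) is not None,  # client lacks krbtgt key
         "service_sees": unseal(derive_key("svc-pw"), st)["user"]}              # AP-REQ at the service
    for n in (1, 2):                                   # rotate KRBTGT once, then a second time
        kdc.rotate_krbtgt()
        r[f"st_after_{n}_rotations"] = kdc.tgs_exchange(tgt, "cifs/fs01") is not None
    return r
```

After the first rotation the old TGT is still honoured because the KDC still holds the previous key; only the second rotation pushes that key out of the history and invalidates every ticket issued under it.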

Domain Trust Exploitation

In multi-domain forests, attackers can exploit SID history and trust relationships to pivot from a compromised child domain to the forest root domain. Protection: Enable SID filtering between domains.

Monitoring Recommendations

The following Windows Event IDs are particularly relevant for DC monitoring:

Event ID       | Description
4624           | Successful logon
4625           | Failed logon
4728/4732/4756 | Member added to privileged group
4720           | User account created
4723/4724      | Password changed
4769           | Kerberos service ticket requested (Kerberoasting detection)
4771           | Kerberos pre-authentication failed
4776           | NTLM authentication (credential validation)
7045           | New service installed

A SIEM integration with alert rules for suspicious patterns (e.g., numerous failed logins, logins outside business hours, access to SYSVOL) is essential for every production AD environment.
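An added example of the kind of alert logic the table and the hardening checklist call for (illustrative Python, not part of the original article and not a SIEM product): it runs over constructed Security-log records and flags RC4 service-ticket requests, a burst of distinct SPNs requested by one account (Kerberoasting pattern), membership changes to privileged groups, and any activity on a decoy (honeypot) account. Field names follow the Windows event XML; the accounts, SPNs, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                                   # TicketEncryptionType of an RC4 service ticket
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
HONEYPOT_ACCOUNTS = {"svc_backup_legacy"}            # constructed decoy; any use is suspicious
BURST_SPNS, BURST_WINDOW = 4, timedelta(minutes=5)   # distinct SPNs per requester before alerting

def analyse(events):
    """Walk flattened Security-log records (from a SIEM in practice, constructed below) and
    return alert strings. Field names follow the Windows event XML (TargetUserName, ...)."""
    alerts, history, burst_fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda r: r["time"]):
        eid, t, user = e["EventID"], datetime.fromisoformat(e["time"]), e["TargetUserName"]
        if eid == 4769:                                          # service ticket requested
            spn = e["ServiceName"]
            if spn == "krbtgt" or spn.endswith("$"):             # TGT renewals / machine accounts: noise
                continue
            if e["TicketEncryptionType"] == RC4_HMAC:            # RC4 tickets are the crackable ones
                alerts.append(f"RC4 ST: {user} -> {spn} from {e['IpAddress']}")
            history[user].append((t, spn))
            recent = {s for ts, s in history[user] if t - ts <= BURST_WINDOW}
            if len(recent) >= BURST_SPNS and user not in burst_fired:
                burst_fired.add(user)
                alerts.append(f"KERBEROAST BURST: {user} requested {len(recent)} SPNs within {BURST_WINDOW}")
        elif eid in (4728, 4732, 4756) and user in PRIVILEGED_GROUPS:
            alerts.append(f"PRIV GROUP: {e['SubjectUserName']} added {e['MemberName']} to {user}")
        elif eid in (4624, 4768, 4771) and user in HONEYPOT_ACCOUNTS:
            alerts.append(f"HONEYPOT: activity for {user} (event {eid}) from {e.get('IpAddress', '?')}")
    return alerts

def sample_events():
    # Constructed log: one legitimate AES request, a machine-account ticket (ignored), a
    # four-SPN RC4 burst, a Domain Admins membership change and a logon with the decoy account.
    base = datetime(2026, 3, 8, 9, 0)
    mk = lambda i, **f: {"time": (base + timedelta(minutes=i)).isoformat(), **f}
    ev = [mk(0, EventID=4769, TargetUserName="alice", ServiceName="svc_sql", TicketEncryptionType="0x12", IpAddress="10.0.1.20"),
          mk(1, EventID=4769, TargetUserName="bob", ServiceName="FS01$", TicketEncryptionType="0x12", IpAddress="10.0.1.21")]
    for i, spn in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sharepoint"]):
        ev.append(mk(10 + i, EventID=4769, TargetUserName="mallory", ServiceName=spn, TicketEncryptionType=RC4_HMAC, IpAddress="10.0.9.9"))
    ev.append(mk(30, EventID=4728, SubjectUserName="jdoe", MemberName="CN=tmp-admin,OU=Users,DC=corp,DC=example", TargetUserName="Domain Admins"))
    ev.append(mk(45, EventID=4624, TargetUserName="svc_backup_legacy", IpAddress="10.0.9.9"))
    return ev
```

The single AES request and the machine-account ticket produce no alert, while the RC4 burst, the group change and the decoy logon each do; in a real deployment the thresholds and the honeypot list come from the environment, and the RC4 rule is most useful once the domain is otherwise AES-only.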

Conclusion

The domain controller is the most critical system in virtually every enterprise environment. A compromise means complete control over all user accounts, all systems, and all data within the organization. Hardening the DC and the entire AD infrastructure according to the Tier model, with consistent monitoring and regular penetration tests, is not optional; it is the foundation of any serious enterprise IT security.


This article was last edited on 08.03.2026. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
