Active Directory (AD) is Microsoft's directory service — a centralised database of users, computers, groups, and policies that controls who can log in to which Windows machines and what they can do. AD has been the dominant enterprise identity system since 2000 and runs in roughly 90% of organisations with 500+ employees. It uses LDAP for directory queries, Kerberos for authentication, and DNS for service location. The cloud companion **Microsoft Entra ID** (formerly Azure AD) handles SaaS and hybrid scenarios; most enterprises run both.

AD is hierarchical with five core levels: (1) **Forest** — the top-level security boundary; one or more domains sharing a common schema and configuration, (2) **Tree** — set of domains in a contiguous namespace (rare in modern deployments), (3) **Domain** — administrative boundary; a single replicated database; e.g. `corp.company.com`, (4) **Organizational Unit (OU)** — container for organising users, computers, groups; Group Policy targets OUs, (5) **Objects** — users, computers, groups, printers, OUs themselves. **Domain Controllers (DCs)** host the AD database (NTDS.dit) and replicate changes via multi-master replication. **Sites** group DCs by physical location for replication efficiency.

Six high-impact AD attack techniques: (1) **Kerberoasting** — request service tickets for accounts with SPNs, crack offline; defence: long random passwords for service accounts, gMSA, (2) **Pass-the-Hash (PtH)** — reuse NTLM hash to authenticate without knowing password; defence: disable NTLM, Credential Guard, tier 0/1/2 model, (3) **Pass-the-Ticket (PtT)** — reuse Kerberos TGT/TGS; defence: short ticket lifetime, monitor 4769 events, (4) **DCSync** — replicate AD database via MS-DRSR protocol; requires DRSR Replication Rights; very destructive, (5) **Golden Ticket** — forge TGT using KRBTGT hash; persistent until KRBTGT rotated twice, (6) **AD CS abuse (ESC1-ESC11)** — Active Directory Certificate Services misconfigurations leading to domain compromise; SpecterOps research 2021. Defenders' tools: BloodHound (graph attacks), PingCastle, Purple Knight, Microsoft Defender for Identity.

Ten high-impact controls (Microsoft AD Hardening guide + community best practices): (1) **Tier 0/1/2 model** — separate domain admins, server admins, workstation admins on dedicated PAW (Privileged Access Workstations), (2) **LAPS (Local Administrator Password Solution)** — unique random password per local admin, rotated by AD, (3) **gMSA (Group Managed Service Accounts)** — automatic password rotation for service accounts, (4) **Disable NTLM** where possible; require Kerberos, (5) **Credential Guard + Remote Credential Guard** on Windows 10/11/Server 2016+, (6) **Protected Users group** for high-value accounts, (7) **Aggressive patching** of DCs, (8) **AD audit logging** + ingest to SIEM, monitor 4624/4625/4768/4769/4776, (9) **Microsoft Defender for Identity** — behaviour-based AD attack detection, (10) **Regular BloodHound assessments** — find attack paths before attackers do. Plus: deprecate insecure protocols (SMBv1, NTLMv1), enforce MFA at the perimeter (ZTNA, PAM), prepare for Entra ID hybrid migration.

Different products for different eras: **Active Directory (AD DS)** — on-premises directory service, runs on Windows Server, optimised for Windows-joined computers, uses LDAP/Kerberos/NTLM, designed for office networks. **Microsoft Entra ID** (formerly Azure AD) — cloud-native identity service, designed for SaaS apps and hybrid scenarios, uses OIDC/OAuth/SAML, integrates with M365, supports modern features (conditional access, MFA, passkeys, ITDR). Most enterprises run both: AD on-prem for legacy Windows infrastructure, Entra ID for cloud apps and modern auth. **Entra Connect** synchronises identities between them. **Entra Domain Services** offers managed AD-compatible service in Azure for legacy applications. Long-term direction: Entra ID grows; on-prem AD shrinks but doesn't disappear.

Six core protocols: (1) **LDAP** (Lightweight Directory Access Protocol, port 389/636) — reading/writing directory data, (2) **Kerberos** (port 88) — primary authentication protocol; ticket-granting, mutual auth, (3) **NTLM** — legacy challenge-response authentication; should be disabled where possible, (4) **DNS** (port 53) — service location via SRV records (`_ldap._tcp.dc._msdcs.domain.com`), (5) **SMB** (port 445) — file sharing, GPO download, (6) **MS-DRSR** (Directory Replication Service Remote Protocol) — DC-to-DC replication; abused in DCSync attacks. Plus: **RPC**, **MS-RPRN** (PrintNightmare), **MS-EFSRPC** (PetitPotam), **DCOM** — historically all attack surfaces.

Five-pillar monitoring approach: (1) **Native event logs** — DCs log auth events (4624/4625), Kerberos (4768/4769/4776), object changes (5136); ingest to SIEM, (2) **Sysmon on DCs** — detailed process and network telemetry; high-fidelity threat hunting source, (3) **Microsoft Defender for Identity** — sensor on DCs, behaviour-based detection of Kerberoasting, Pass-the-Hash, lateral movement, reconnaissance, (4) **BloodHound + AzureHound** — periodic graph-based attack path analysis (Tier 0 reachability, attack paths to Domain Admins), (5) **Configuration drift detection** — PingCastle, Purple Knight, Tenable.ad measure security posture changes over time. Mature SOCs hunt continuously for AD-specific TTPs (MITRE ATT&CK Tactics: Credential Access, Lateral Movement, Privilege Escalation, Persistence).