Active Directory 101: AD Components Part 1 (Domains, Trusts & Forests)


In the name of Allah, the Most Gracious, the Most Merciful
Hello everyone. This post covers the major components of an Active Directory network. It is part of the ongoing series I announced last week.
There are many components in an Active Directory network. We will not discuss every one of them, only the major components that help us understand how an Active Directory environment fits together, so that we can perform internal Active Directory assessments.
Without further ado, let's jump right into it.
1. Domains
Domains are simply the computers and users connected to an Active Directory network; each computer represents a domain in an AD environment. They are controlled by a central database, the Domain Controller.
Each domain has a DNS name, for example nafsec.com, or, for internal networks, a name like nafsec.local.
We can query the domain of the current user with this environment variable:
```
$env:USERDNSDOMAIN
NAFSEC.LOCAL
```
Finding the root domain:
```
(Get-ADDomain).DNSRoot
nafsec.local
```
Domains can be identified by their FQDN (Fully Qualified Domain Name), e.g. naf.sec, or by their NetBIOS name, e.g. NAFSEC.
Lastly, we can find the domain name together with its SID (Security Identifier):
```
Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID

DNSRoot      NetBIOSName DomainSID
-------      ----------- ---------
nafsec.local NAFSEC      S-1-5-21-123456789-987654321-123456789
```
Knowing how to query the SID of a domain is a crucial step in the Active Directory enumeration phase.
2. Forests
Forests are a collection of “subdomains” connected to a parent domain. Every domain inside a forest can communicate with the other domains, and they can share resources (if permitted) with the parent domain, just like a parent-child relationship. Each forest can have its own separate Domain Controllers.
Functional Modes: these modes are different ‘versions’ of a forest, just as there are different versions of Windows, Linux and other operating systems.
The modes are named after the minimum Windows Server operating system required to work with them:
Windows2000
Windows2000MixedDomains
Windows2003
Windows2008
Windows2008R2
Windows2012
Windows2012R2
Windows2016
We can query the forest with this command:
```
Get-ADForest

ApplicationPartitions           : {DC=DomainDnsZones,DC=nafsec,DC=local, DC=ForestDnsZones,DC=nafsec,DC=local}
CrossForestReferences           : {CN=PARTNER.COM,CN=System,DC=nafsec,DC=local}
DomainNamingMaster              : DC1.nafsec.local
Domains                         : {nafsec.local, corp.nafsec.local, dev.nafsec.local}
ForestMode                      : Windows2016Forest
GlobalCatalogs                  : {DC1.nafsec.local, DC2.nafsec.local, GC1.corp.nafsec.local}
Name                            : nafsec.local
PartitionsContainer             : CN=Partitions,CN=Configuration,DC=nafsec,DC=local
RootDomain                      : nafsec.local
SchemaMaster                    : DC1.nafsec.local
Sites                           : {Default-First-Site-Name, Site2, Site3}
SPNSuffixes                     : {nafsec.local, corp.nafsec.local}
UPNSuffixes                     : {nafsec.local, nafsec.com, partner.com}
UserPrincipalNameSuffixes       : {nafsec.local, nafsec.com, partner.com}
ReplicaDirectoryServers         : {DC1.nafsec.local, DC2.nafsec.local, DC3.dev.nafsec.local}
ConfigurationNamingContext      : CN=Configuration,DC=nafsec,DC=local
SchemaNamingContext             : CN=Schema,CN=Configuration,DC=nafsec,DC=local
IsUpLevel                       : True
ForestModeLevel                 : 7
CurrentTime                     : 7/3/2025 2:15:00 PM
MSDS-Behavior-Version           : 7
DistinguishedName               : DC=nafsec,DC=local
DNSRoot                         : nafsec.local
NetBIOSName                     : NAFSEC
ObjectClass                     : crossRefContainer
ObjectGUID                      : 12345678-abcd-ef12-3456-7890abcdef12
LinkedGroupPolicyObjects        : {}
DeletedObjectsContainer         : CN=Deleted Objects,DC=nafsec,DC=local
ExtendedAttributes              : {}
LostAndFoundContainer           : CN=LostAndFound,DC=nafsec,DC=local
ManagedBy                       :
QuotasContainer                 : CN=NTDS Quotas,DC=nafsec,DC=local
ReadOnlyReplicaDirectoryServers : {}
ServiceAccountInfo              : {}
```
3. Trusts
Domains in a forest need to communicate with the other domains of the same forest.
That is what a trust is for. A trust is a connection between domains; it is not a physical network connection, but rather an authentication/authorization kind of relationship.
You may be able to reach computers on the network that are in other domains, but you cannot log in to those computers with a user of your own domain. That is what a trust allows you to do.
Trust Direction: A trust can be bidirectional or one-directional. The trust direction determines whether we can access resources of the other domain and vice versa. There are two parties involved: the Trusting domain and the Trusted domain.
A simple diagram may help us understand this better.
```
One-Way (Outbound):
+-----------+                +-----------+
| Domain A  | -------------> | Domain B  |
| (Trusting)|                | (Trusted) |
+-----------+                +-----------+

One-Way (Inbound):
+-----------+                +-----------+
| Domain A  | <------------- | Domain B  |
| (Trusted) |                | (Trusting)|
+-----------+                +-----------+

Two-Way (Bidirectional):
+-----------+                +------------+
| Domain A  | <------------> | Domain B   |
|           |                |            |
+-----------+                +------------+
```
Two kinds of connection occur in trusts:
Inbound/Incoming Trusts
Outbound/Outgoing Trusts
Inbound trusts: my domain's users can access resources in other domains.
Outbound trusts: other domains' users can access my domain's resources.
Note: A bidirectional trust means both at once: other domains can access my domain's resources, and my domain can access their resources.
A concrete example is given below:
```
nltest /domain_trusts /all_trusts /v
List of domain trusts:
    0: NAFSEC.LOCAL
       Trusted DC: \\DC1.nafsec.local
       Trusted Domain: NAFSEC.LOCAL
       Trust Attributes: [QUARANTINED] [FOREST_TRANSITIVE]
       Trust Direction: Primary Domain (Inbound/Outbound)
       Trust Type: Within Forest
       Trust SID: S-1-5-21-123456789-987654321-123456789
    1: CORP.NAFSEC.LOCAL
       Trusted DC: \\DC2.corp.nafsec.local
       Trusted Domain: CORP.NAFSEC.LOCAL
       Trust Attributes: [WITHIN_FOREST]
       Trust Direction: Outbound
       Trust Type: Parent-Child
       Trust SID: S-1-5-21-987654321-123456789-987654321
    2: PARTNER.COM
       Trusted DC: \\DC1.partner.com
       Trusted Domain: PARTNER.COM
       Trust Attributes: [FOREST_TRANSITIVE]
       Trust Direction: Bidirectional
       Trust Type: Cross-Forest
       Trust SID: S-1-5-21-555555555-666666666-777777777
```
Here, NAFSEC is the NetBIOS name and nafsec.local is the FQDN. nafsec.local is the primary domain and the root of our forest. corp.nafsec.local, which resides in the same forest (shown by the WITHIN_FOREST attribute), has both inbound and outbound trusts; this means users from corp.nafsec.local and the primary domain can share resources and access with each other (bidirectional).
partner.com (NetBIOS PARTNER), however, has a bidirectional trust with the FOREST_TRANSITIVE attribute. This is a cross-forest trust, which means users from both partner.com and nafsec.local can access resources in each other's domains (two-way trust).
For legacy.org (NetBIOS LEGACY), it shows an inbound trust with the NON_TRANSITIVE attribute. This means it is a one-way external trust where users from legacy.org can access resources in nafsec.local, but not vice versa (unidirectional).
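To make those attributes concrete, here is an added PowerShell example (my own code, not from the original post or from nltest) that decodes the raw trustAttributes and trustDirection values stored on each trustedDomain object into the same flags nltest prints, and summarises direction, transitivity and SID filtering per trust. The flag bit values follow MS-ADTS; the three sample trusts are constructed to mirror the output above plus the legacy.org trust described in the text.

```powershell
# Bit values of the trustAttributes LDAP attribute (MS-ADTS trustAttributes)
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                       = 0x0001
    UPLEVEL_ONLY                         = 0x0002
    QUARANTINED_DOMAIN                   = 0x0004   # SID filtering enabled
    FOREST_TRANSITIVE                    = 0x0008
    CROSS_ORGANIZATION                   = 0x0010   # selective authentication
    WITHIN_FOREST                        = 0x0020
    TREAT_AS_EXTERNAL                    = 0x0040
    USES_RC4_ENCRYPTION                  = 0x0080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x0200
    PIM_TRUST                            = 0x0400
}
$TrustDirectionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    # Names of every flag bit set in $Value, in table order
    foreach ($entry in $TrustAttributeFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-TrustAudit {
    # Input objects need trustPartner, trustDirection and trustAttributes properties
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        $flags = @(ConvertFrom-TrustAttributes -Value $Trust.trustAttributes)
        $scope = 'External'
        if ($flags -contains 'WITHIN_FOREST')         { $scope = 'Intra-forest' }
        elseif ($flags -contains 'FOREST_TRANSITIVE') { $scope = 'Forest' }
        [pscustomobject]@{
            Partner      = $Trust.trustPartner
            Direction    = $TrustDirectionNames[[int]$Trust.trustDirection]
            Scope        = $scope
            Transitive   = ($flags -notcontains 'NON_TRANSITIVE')
            SidFiltering = ($flags -contains 'QUARANTINED_DOMAIN')
            Flags        = ($flags -join ' ')
        }
    }
}

# Constructed sample, shaped like trustedDomain objects returned by Get-ADObject
$sampleTrusts = @(
    [pscustomobject]@{ trustPartner = 'corp.nafsec.local'; trustDirection = 2; trustAttributes = 0x20 }
    [pscustomobject]@{ trustPartner = 'partner.com';       trustDirection = 3; trustAttributes = 0x08 }
    [pscustomobject]@{ trustPartner = 'legacy.org';        trustDirection = 1; trustAttributes = 0x01 }
)
$sampleTrusts | Get-TrustAudit | Format-Table -AutoSize
```

Against a live domain (ActiveDirectory module loaded), feed in the real objects with `Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustPartner,trustDirection,trustAttributes | Get-TrustAudit`.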
What is transitivity, and why is it used everywhere in the trusts above? You may ask.
Well, here is your answer.
Trust Transitivity: A trust can be transitive or nontransitive, which interacts with the Trusted and Trusting parties.
Nontransitive Trust: A nontransitive trust works only between the two parties that know each other; no other domain can access resources through that trust.
Transitive Trust: A transitive trust can involve more than two parties; the trusting domain can add another trusted domain to create a chain-like trust.
Confusing? No worries, here’s a visual diagram to simplify the concept.
```
(trusting)       trusts       (trusted) (trusting)      trusts      (trusted)
 Domain A  -------------------> Domain B  --------------------> Domain C
           <-------------------           <--------------------
                  access                          access
```
Here, Domain A (trusting) trusts Domain B (trusted), which creates a trust between them only. But if Domain B (now trusting) trusts Domain C (trusted), and it goes on and on, then it is a transitive trust.
For example, if the trust between Domain A and Domain B is transitive, then the users of Domain C can access Domain A by traversing both trusts. If the Domain A --> Domain B trust was nontransitive, the Domain C users couldn't access Domain A, but Domain B users could.
In the same forest, all domain users can access the other domains, because parent and child domains are connected through bidirectional transitive trusts.
It might be confusing at first, but trust the process and try to absorb the concept, because we will (ab)use trust relationships to achieve inter-forest/cross-forest lateral movement. So it is important.
We can understand the trust relationships in a forest with a visual diagram:
```
                  nafsec.local
                 ^   v     v   ^
             .---'   |     |   '---.
             |   .---'     '---.   |
             ^   v             v   ^
      corp.nafsec.local   dev.nafsec.local
             ^   v
             |   |
             ^   v
      apps.corp.nafsec.local
             ^
             |
             v
      partner.com (Forest Trust)
             ^
             |
             v
      legacy.org (External Trust)
```
For example, if apps.corp.nafsec.local wants to access the resources of dev.nafsec.local:
It must first traverse up to its parent domain (corp.nafsec.local), then up to the forest root (nafsec.local), and finally back down to the target sibling domain (dev.nafsec.local).
This path requires three hops because the child domains (corp.nafsec.local, dev.nafsec.local) only have a direct trust with their parent (nafsec.local), not with each other. The forest root (nafsec.local) acts as the "bridge" between sibling domains.
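The hop rules above generalise to a small graph search. The following added PowerShell example (my own, not from the original post) models the trust diagram as a map of trusting domain to trusted domains, with a transitivity flag per trust, and finds the chain of trusts a user from one domain must cross to reach resources in another. Non-transitive trusts are only usable directly between the two domains they join, which is why legacy.org users can reach nafsec.local but not corp.nafsec.local. The domain names are the post's examples; which trusts are one-way or non-transitive is taken from the text above.

```powershell
# Helper: one trust edge from the trusting domain to $To
function New-Trust([string]$To, [bool]$Transitive = $true) { @{ To = $To; Transitive = $Transitive } }

# Trusting domain -> trusts it holds. Parent-child trusts are two-way and transitive;
# the partner.com forest trust is two-way and transitive; legacy.org is a one-way,
# non-transitive external trust (nafsec.local trusts legacy.org, not the reverse).
$Trusts = @{
    'nafsec.local'           = @( (New-Trust 'corp.nafsec.local'), (New-Trust 'dev.nafsec.local'),
                                  (New-Trust 'partner.com'), (New-Trust 'legacy.org' $false) )
    'corp.nafsec.local'      = @( (New-Trust 'nafsec.local'), (New-Trust 'apps.corp.nafsec.local') )
    'dev.nafsec.local'       = @( (New-Trust 'nafsec.local') )
    'apps.corp.nafsec.local' = @( (New-Trust 'corp.nafsec.local') )
    'partner.com'            = @( (New-Trust 'nafsec.local') )
    'legacy.org'             = @()
}

function Find-TrustPath {
    param([string]$UserDomain, [string]$ResourceDomain)
    # Breadth-first search from the resource domain along trusting -> trusted edges
    # until the user's home domain is found. A non-transitive trust may only be the
    # single hop between the resource domain and the user's domain.
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@($ResourceDomain))
    $seen = @{}; $seen[$ResourceDomain] = $true
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        $here = $path[-1]
        if ($here -eq $UserDomain) {
            [array]::Reverse($path)            # show it in the direction the user travels
            return ($path -join ' -> ')
        }
        foreach ($edge in $Trusts[$here]) {
            $directOnly = (-not $edge.Transitive)
            if ($directOnly -and ($here -ne $ResourceDomain -or $edge.To -ne $UserDomain)) { continue }
            if ($seen[$edge.To]) { continue }
            $seen[$edge.To] = $true
            $queue.Enqueue(@($path + $edge.To))
        }
    }
    return $null                               # no usable chain of trusts
}

# Three hops via the parent and the forest root, as described in the text
Find-TrustPath -UserDomain 'apps.corp.nafsec.local' -ResourceDomain 'dev.nafsec.local'
# The direct one-way external trust works, but it does not extend to a child domain
Find-TrustPath -UserDomain 'legacy.org' -ResourceDomain 'nafsec.local'
Find-TrustPath -UserDomain 'legacy.org' -ResourceDomain 'corp.nafsec.local'
```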
Trust Types:
Parent-Child: The default trusts created between a parent domain and its child.
Forest: A trust to share resources between forests. This way any domain of one forest can access any domain in the other forest (if the direction and transitivity of the trust allow it). If a forest trust is misconfigured, we can use this to take control of the other forest.
External: A trust to a specific domain that is in a forest we do not otherwise trust.
Realm: A special trust to connect Active Directory and a non-Windows domain.
Shortcut: When two domains within the forest communicate often but are not directly connected, you can avoid jumping over many trusts by creating a direct shortcut trust.
Trust Key: A trust key is the way a DC (Domain Controller) remembers the trust between two domains. It uses a key (either NT hashes or Kerberos keys), and a Trust Account is created just like a normal user account. The domain controllers need to share this key to communicate securely between the trust parties. The trust key is created right after a trust is established.
Trust account names end with a $. The DC handles a trust account just like a user account and handles the key as a secret, stored as either an NT hash or Kerberos keys.
(More on users and authentication protocols later.)
That's it for today. Hope you enjoyed this blog. And as always, feel free to give feedback and point out incorrect information if I messed up (I usually mess up a lot).
You can always reach out to me on my socials:
LinkedIn: t.ly/9lUaB
X (Formerly Twitter): t.ly/oiecb
Thanks,
Appendices:
For intermediate readers interested in how trust attacks work (a little bit of Kerberos knowledge will help):
Written by Muhammad Nafiz Imtiaz
