# Logical Structure in AD

### Domain

***

A domain is a collection of objects such as users, computers, groups and other devices. All objects in a domain share a common directory database, a security boundary and a unique DNS name (e.g., fox.com).

<figure><img src="/files/vTLaVNmp1CQbdOraHx7q" alt=""><figcaption></figcaption></figure>

* Every object in AD belongs to a domain.
* Each domain is its own security boundary with its own policies and permissions, so a user cannot simply access another domain's resources.
* Any user of the domain can log in to any computer in that domain.
* Domain admins can manage everything within their domain.

That is why, if a domain is compromised, the attacker gains access to every object in it and to its shared resources.

### Domain Tree

***

A domain tree is a collection of one or more domains that share a common DNS namespace and are connected by trust relationships.

If fox.com has a subdomain such as red.fox.com, then:

```
fox.com -> becomes "Parent Domain" 
red.fox.com -> becomes "Child Domain"
blue.fox.com -> another "Child Domain"
fire.fox.com -> another "Child Domain"
```

<figure><img src="/files/f5SVH5LEd49Durb6nqDX" alt=""><figcaption></figcaption></figure>

So any subdomain of a domain is called a child domain. Every child domain has its own database and security boundary. Parent and child domains are connected in a parent-child relationship, which is why the whole structure is called a domain tree.

### Forest & Forest Root Domain

***

A forest is the highest-level structure, or logical container, in Active Directory. It is a collection of domain trees that share a common schema, configuration, global catalog and trust relationships. Even a domain tree with a different name, such as **Frost** with the domain name frost.com, can be included in the same forest. All domains in the same forest trust each other by default through two-way trust relationships. The forest is the ultimate security boundary in AD.

The first domain created in a forest is called the **Forest Root Domain**, e.g. **fox.com**.

* It controls forest-wide settings.
* It holds important forest-wide roles such as the Schema Master and the Domain Naming Master.
* It hosts the forest-level groups such as Enterprise Admins and Schema Admins, which is why it is also called the top-level domain of the entire forest.

<figure><img src="/files/9MIV8h0emBG5g3UaIDsn" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}

#### Quick Notes to understand the structure:

* A forest is like an entire company named Fox; the first domain you create, "fox.com", becomes the forest root domain. The forest root domain is like the headquarters of the Fox company.
* A domain tree is like a major division of that company that includes all of its departments and branches.
* Domains are like departments and child domains are like specific teams within a department.
{% endhint %}

### Trust Relationship

***

Since child domains, domains, forests and the forest root domain each have their own database, security boundary, policies and administrative boundary, a question arises: can a user access resources in another domain? Only selected users can, and only through a trust relationship.

Trusts are connections established between different domains (or forests), enabling them to communicate securely and share resources. Put simply, a trust relationship is a secure connection between two domains that allows users of one domain to access resources in the other without needing separate credentials.

Trust relationships let users in one domain access resources in another domain without compromising security or requiring repeated authentication. A trust acts as an authentication bridge between domains or forests.

Trusts eliminate the need for duplicate user accounts and streamline access management. They are established through protocols like [Kerberos](/notes/protocols/kerberos-port-88.md) and rely on proper [DNS](/notes/protocols/dns-port-53.md) resolution, network connectivity and time synchronization between domain controllers.

There are two categories of Trust relationships:

* Directional Trust - Describes who trusts whom.
* Transitivity-based Trust - Describes how far a trust extends beyond the two domains that created it.

#### Directional Trust

There are two types under directional trust category:

* One-Way Trust : A unidirectional authentication path between two domains. Once established, users in Domain A can access resources in Domain B, but users in Domain B cannot access resources in Domain A.

<figure><img src="/files/CWXOt5YBDfCMtVPwZXRh" alt=""><figcaption></figcaption></figure>

* Two-Way Trust : Domain A trusts Domain B and Domain B trusts Domain A, so authentication requests can pass between the two domains in both directions.

<figure><img src="/files/lOzFFDuf5utp4NbmHx0K" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Note: A two-way trust can be either transitive or non-transitive, depending on the type of trust being created.
{% endhint %}

#### Transitivity-based Trust

There are also two types under transitivity based category:

* Transitive Trust : The trust automatically extends to other domains: if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A automatically trusts Domain C.
* Non-Transitive Trust : The trust is limited to the two domains involved: if Domain A trusts Domain B and Domain B trusts Domain C, Domain A still does not trust Domain C.

<figure><img src="/files/W1Qr5DzJNiY6tzdTpOnO" alt=""><figcaption></figcaption></figure>

#### Specific Trust Types

The specific trust types below each fall under the directional and transitivity-based categories:

* Parent-Child Trust : The trust between a parent domain and a child domain is two-way and transitive. Whenever you add a new child domain (subdomain) to a parent domain (main domain), a two-way trust between them is created automatically.
* Tree-root Trust : Similar to a parent-child trust. When a new domain tree is created within the same forest, a tree-root trust is automatically created between the new domain tree and all existing domain trees.
* External Trust : A trust between two specific domains in different forests. It is non-transitive and can be one-way or two-way. For example, if Forest A contains fox.com and Forest B contains frost.com and a trust exists between those two domains, it is an external trust. External trusts are created manually.
* Forest Trust : A trust between two different forests. It is transitive (within the forests) and is typically two-way. It must be created manually.
* Shortcut Trust : Usually a one-way transitive trust, created manually. It speeds up authentication between two domains that do not directly trust each other by shortening the authentication path between them.
* Realm Trust : A trust between an AD domain and a non-Windows Kerberos realm. It can be one-way or two-way, and transitive or non-transitive.
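As an added example (not part of the original notes), the following Python models the rules above: parent-child and tree-root trusts are derived automatically from the forest's domain names, a one-way non-transitive external trust is added by hand, and a breadth-first walk over the trust edges answers which domains' users can authenticate to a given domain. The domain names are the page's fox.com examples plus a constructed `corp.example` standing in for a domain in a second forest.

```python
from collections import deque

# Constructed example data (not from the page): one forest holding two domain
# trees (fox.com with its children, and frost.com), plus a domain in a second forest.
FOREST_DOMAINS = ["fox.com", "red.fox.com", "blue.fox.com", "frost.com"]
FOREST_ROOT = "fox.com"
OTHER_FOREST_DOMAIN = "corp.example"  # hypothetical domain in a separate forest
# A trust is (trusting, trusted, transitive): "trusting" accepts users from "trusted".

def automatic_trusts(domains, root):
    """Two-way transitive trusts AD creates on its own: parent-child for a
    subdomain, tree-root between a new tree's root and the forest root."""
    trusts = []
    for domain in domains:
        if domain == root:
            continue
        parent = domain.split(".", 1)[1]  # assumes each child's parent is listed
        peer = parent if parent in domains else root  # parent-child vs tree-root
        trusts.append((domain, peer, True))
        trusts.append((peer, domain, True))
    return trusts

def trusted_sources(trusts, resource_domain):
    """Every other domain whose users can authenticate to resource_domain.
    A non-transitive trust covers only the two domains that created it, so it
    may be the direct hop from resource_domain but never part of a longer chain."""
    sources, seen, queue = set(), {resource_domain}, deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in trusts:
            if trusting != current or (not transitive and current != resource_domain):
                continue
            if trusted != resource_domain:
                sources.add(trusted)
            if transitive and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return sources

def can_authenticate(trusts, user_domain, resource_domain):
    """True if a user from user_domain can be authenticated in resource_domain."""
    return user_domain == resource_domain or user_domain in trusted_sources(trusts, resource_domain)

TRUSTS = automatic_trusts(FOREST_DOMAINS, FOREST_ROOT)
# Manually created one-way, non-transitive external trust: fox.com trusts corp.example.
TRUSTS.append((FOREST_ROOT, OTHER_FOREST_DOMAIN, False))
if __name__ == "__main__":
    for resource in FOREST_DOMAINS + [OTHER_FOREST_DOMAIN]:
        print(resource, "accepts users from:", sorted(trusted_sources(TRUSTS, resource)))
```

Running it shows that the external trust lets corp.example users reach fox.com only, not its child domains, which is the practical difference between a non-transitive external trust and the transitive trusts inside the forest.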

### Schema

***

The schema is the set of rules that defines the structure of objects and their attributes in the directory. It specifies which types of objects can exist (users, computers, printers, etc.) and which attributes they can have (name, email, employee ID, etc.).

<figure><img src="/files/Y0kUg7tNrfnK6eqaToz0" alt=""><figcaption></figcaption></figure>

Put simply, the schema defines the structure of the data stored in the NTDS.dit file, which is the Active Directory database. It is shared across the entire forest and is highly protected.

### Global Catalog (GC)

***

The global catalog is a data repository server that stores a full copy of all objects from its own domain and a partial copy of the objects from every other domain in the forest.

It helps users find objects such as users, groups and computers quickly, and it makes logons across domains efficient.

Each domain has many objects, but for other domains the GC stores only the most important attributes, such as name, email and username, rather than every detail, to save space and improve speed; that is why it holds only a partial copy of other domains' objects. This set of replicated attributes is called the Partial Attribute Set (PAS).

Without a GC, a search would have to query multiple domains. With a GC, a single query to one server can search the entire forest quickly.

<figure><img src="/files/MJs7WMA0ngvBQqTiJJ9z" alt=""><figcaption></figcaption></figure>
