# Physical Structure in AD

### Domain Controller (DC)

***

A Domain Controller is a server that holds a writable copy of the directory database (NTDS.dit) and handles authentication and authorization for its domain. In practice, a DC answers the authentication requests that let a user or host access resources within the network.

* Authenticates and authorizes users with [Kerberos](/notes/protocols/kerberos-port-88.md) (and NTLM where Kerberos is not used).
* Enforces security policies (Group Policy, password policy, account lockout).
* Handles logon requests.
* Replicates data with other DCs.
* Serves directory queries, i.e. answers [LDAP](/notes/protocols/ldap-soon.md) searches.
* Integrates with DNS for service location (clients find DCs through SRV records).

Some DCs also perform special roles; for example, a DC can be a Global Catalog (GC) server, which holds a partial replica of every domain in the forest to speed up forest-wide searches.

Each domain has at least one DC, so a forest with several domains has several DCs. Microsoft recommends at least two DCs per domain, even for a small organization, so that if one DC goes offline for failure or maintenance the other can still service authentication and directory requests. An organization can nevertheless run a single DC. Because a domain's DCs hold that domain's NTDS.dit, compromising a writable DC means owning that specific domain (and, for the forest root domain, effectively the forest).

### Read-Only Domain Controller (RODC)

***

An RODC is a type of domain controller intended for branch offices where a full (writable) domain controller cannot be placed or physically secured. It lets users in the branch office log on and reach local resources even when the WAN link to the main site is down, provided their credentials are cached on the RODC.

An RODC holds a read-only copy of the Active Directory Domain Services (AD DS) database.

* You cannot make changes to the AD database through it; writes are referred to a writable DC.
* It is used in remote or less physically secure locations.
* It caches passwords only for accounts its Password Replication Policy (PRP) allows. By default no accounts are allowed, and privileged groups such as Domain Admins and Enterprise Admins are members of the Denied RODC Password Replication Group, so their secrets are never cached.
* If compromised, exposure is limited to the secrets it has cached; it has its own krbtgt account (krbtgt_<number>) and cannot push changes back to the domain.

{% hint style="info" %}
Despite being a read-only copy, an RODC still does real work: it authenticates and authorizes users with Kerberos for the accounts whose secrets it caches, forwards requests for everyone else to a writable DC, answers DNS and LDAP queries, and more. RODCs are sometimes misconfigured so that their Password Replication Policy lets administrative accounts be cached, which defeats the point of deploying one.
{% endhint %}
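The check a practitioner wants here is whether the PRP lets a privileged account be cached. The following is an added example, not code from the page or from Microsoft: it applies the documented PRP rule (an account is cacheable only if it or one of its groups is in the Allowed list and none of them is in the Denied list, with Denied taking precedence) to constructed group memberships. The users, groups and memberships are made up; only the two default PRP group names and part of the Denied group's default membership are real.

```python
"""RODC Password Replication Policy (PRP) check.

Added example, not code from the page or from Microsoft. Users, groups and
memberships below are constructed; only the default PRP group names and the
Denied group's default members (Domain Admins, Enterprise Admins, krbtgt)
are real. Rule applied: Denied always wins over Allowed.
"""
from typing import Dict, List, Set

DENIED_GROUP = "Denied RODC Password Replication Group"
ALLOWED_GROUP = "Allowed RODC Password Replication Group"
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# group -> direct members (users or nested groups). Constructed data.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    DENIED_GROUP: {"Domain Admins", "Enterprise Admins", "krbtgt"},
    ALLOWED_GROUP: set(),
    "Domain Admins": {"carol"},
    "Enterprise Admins": set(),
    "Delhi Staff": {"alice", "carol"},
    "Helpdesk": {"bob"},
}


def groups_of(principal: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Transitive group membership of a user or group (walks nested groups upward)."""
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            if current in direct and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def is_cacheable(user: str, allowed: Set[str], denied: Set[str],
                 members: Dict[str, Set[str]]) -> bool:
    """True if an RODC with this PRP (msDS-RevealOnDemandGroup = allowed,
    msDS-NeverRevealGroup = denied) may cache the user's secrets."""
    tokens = {user} | groups_of(user, members)
    if tokens & denied:          # a Denied entry overrides any Allowed entry
        return False
    return bool(tokens & allowed)


def cached_privileged(allowed: Set[str], denied: Set[str],
                      members: Dict[str, Set[str]]) -> List[str]:
    """Privileged accounts the PRP would let the RODC cache. Should be empty."""
    users = {u for direct in members.values() for u in direct if u not in members}
    return sorted(u for u in users
                  if is_cacheable(u, allowed, denied, members)
                  and groups_of(u, members) & PRIVILEGED)


# 1. Default PRP: only the (empty) Allowed group is allowed, so nobody is cached.
DEFAULT_ALLOWED, DEFAULT_DENIED = {ALLOWED_GROUP}, {DENIED_GROUP}
# 2. Branch admin adds "Delhi Staff" so branch users can log on when the WAN is down.
BRANCH_ALLOWED = {ALLOWED_GROUP, "Delhi Staff"}
# 3. Someone "fixes" a Domain Admin's branch logon problem by removing
#    Domain Admins from the Denied group. Now carol (a Domain Admin in Delhi Staff)
#    becomes cacheable.
BROKEN_MEMBERS = {**GROUP_MEMBERS, DENIED_GROUP: {"Enterprise Admins", "krbtgt"}}

if __name__ == "__main__":
    print(is_cacheable("alice", BRANCH_ALLOWED, DEFAULT_DENIED, GROUP_MEMBERS))  # True
    print(is_cacheable("carol", BRANCH_ALLOWED, DEFAULT_DENIED, GROUP_MEMBERS))  # False
    print(cached_privileged(BRANCH_ALLOWED, DEFAULT_DENIED, BROKEN_MEMBERS))     # ['carol']
```

On a real domain the same check is done against the RODC's `msDS-RevealOnDemandGroup` and `msDS-NeverRevealGroup` attributes (or `Get-ADDomainControllerPasswordReplicationPolicy`), and `msDS-RevealedUsers` lists what has actually been cached so far.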

### Replication

***

Replication is the process of copying and synchronizing directory data between Domain Controllers (DCs). For replication to occur between two DCs, a connection object is used. A connection object is an AD object that represents a one-way replication connection from a source domain controller to a destination domain controller.

The Knowledge Consistency Checker (KCC) is a built-in process that runs on every domain controller and generates the replication topology for the AD forest. The KCC creates connection objects automatically, but they can also be created manually. Connection objects created by the KCC appear in the Active Directory Sites and Services snap-in as \<automatically generated>.

The KCC builds two separate replication topologies depending on where replication occurs: within a site (intrasite) or between sites (intersite).

Intrasite (within a site):

* Uses change notification: a DC notifies its partners shortly after a change, and they pull it.
* Supports urgent replication (for example account lockouts).
* Assumes a fast, reliable link.
* Sends uncompressed traffic.

Intersite (between sites):

* Assumes limited bandwidth.
* Runs on the schedule and interval defined by the site link rather than by change notification (unless notification is explicitly enabled on the link).
* Compresses replication traffic.

{% hint style="info" %}
Note: DCSync abuses replication. An account that holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context can ask a DC to replicate objects, including password hashes, exactly as a peer DC would. By default only DCs and the built-in administrative groups hold those rights, so any other principal that has them, or that is seen exercising them, is worth investigating.
{% endhint %}
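A replication request shows up on the DC as Security Event ID 4662 with the replication control-access rights in its Properties field, so the practical detection is "4662 with a replication GUID from an account that is not a DC". The following is an added example, not code from the page or from any vendor: the GUIDs are the real schema values for the replication rights, while the events, account names and the list of expected replicators are constructed for illustration.

```python
"""Flag DCSync-style replication requests in Security Event ID 4662.

Added example, not code from the page or from any vendor. The control-access
right GUIDs are the real AD schema values; every event, account name and the
expected-replicator list below is constructed.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Accounts that legitimately replicate: DC machine accounts plus any allowlisted
# sync account (an Azure AD Connect MSOL_ account, for instance). Constructed.
EXPECTED_REPLICATORS: Set[str] = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

# Constructed 4662/4624 events reduced to the fields the check needs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4662", "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "jdoe", "ObjectType": "user",
     "AccessMask": "0x20",                       # ordinary attribute write, not a replication request
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": "4624", "SubjectUserName": "jdoe", "ObjectType": "",
     "AccessMask": "", "Properties": ""},
]


def replication_rights_in(event: Dict[str, str]) -> List[str]:
    """Names of the replication control-access rights present in Properties."""
    guids = GUID_RE.findall(event.get("Properties", "").lower())
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def is_suspicious_dcsync(event: Dict[str, str],
                         expected: Set[str] = EXPECTED_REPLICATORS) -> bool:
    """4662 + Control Access (0x100) + a replication right + non-DC subject."""
    if event.get("EventID") != "4662":
        return False
    if event.get("AccessMask", "").lower() != "0x100":
        return False
    if not replication_rights_in(event):
        return False
    subject = event.get("SubjectUserName", "").upper()
    return subject not in {e.upper() for e in expected}


def find_dcsync(events: Iterable[Dict[str, str]],
                expected: Set[str] = EXPECTED_REPLICATORS) -> List[Tuple[str, List[str]]]:
    """(account, rights used) for every event that looks like DCSync."""
    return [(e["SubjectUserName"], replication_rights_in(e))
            for e in events if is_suspicious_dcsync(e, expected)]


if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Two caveats: 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits control-access rights, and the expected-replicator list must include every legitimate sync account in the environment, otherwise the rule is noisy.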

### Site

***

A site in AD is a set of IP subnets that are connected by fast, reliable network links: in practice a LAN with low latency and high bandwidth, as opposed to a WAN, which is slower, costlier and higher-latency. Sites typically mirror the physical or geographic layout of the corporate network.

For example, suppose a company has offices across India: a Delhi office, a Mumbai office and a Bengaluru office. Each location has its own network and its own DCs. \
How do users end up using sites?\
When a user logs on, the computer's IP address is matched against the subnets defined in AD; the subnet maps to a site, and the logon request goes to a DC in that site. If a user in Delhi logs on, the first attempt goes to the Delhi office's DC for authentication.

Any machine in the AD environment can contact any DC anywhere, so a Delhi user's authentication request could go to the Mumbai office's DC, but that would be slow and would put unnecessary traffic on the WAN. That is what happens when sites are not defined.

With sites defined, a local machine sends its requests to a local DC (same site, same LAN).

A site is not limited to one subnet; it can include multiple IP ranges. For example:

```
Delhi Site:
  192.168.1.0/24
  192.168.2.0/24
  10.10.0.0/16
```

All of these networks belong to the same location (Delhi).

The request flow is:

```
User IP → most specific matching subnet → subnet belongs to a site → site has DCs → client authenticates to a DC in that site
```

After compromising a machine, the subnet-to-site mapping tells you which DC clients in that network will contact first: `nltest /dsgetsite` shows the site the machine landed in, `nltest /dsgetdc:<domain>` shows the DC it located, and the full mapping lives in the Configuration partition under `CN=Subnets,CN=Sites,CN=Configuration,...`, which any authenticated user can read.
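The lookup described above, as an added example that is not part of the original page or Microsoft's code: it takes a client IP, finds the most specific matching subnet, maps it to a site and returns the DCs the client will try first. It also covers the two edge cases a practitioner runs into: an IP that matches no subnet (the client has no site and may land on any DC) and a site that has no DC of its own (DC Locator's automatic site coverage assigns it to another site; the example simplifies this to the cheapest directly linked site, whereas the real algorithm uses full site-link cost paths). All subnets, site names, DC names and link costs are constructed.

```python
"""Resolve a client IP to its AD site and the DCs it will try first.

Added example, not code from the page or from Microsoft. The subnet map,
site names, DC names and site-link costs are constructed. Site coverage is
simplified to directly linked sites.
"""
import ipaddress
from typing import List, Optional

SUBNET_TO_SITE = {
    "192.168.1.0/24": "Delhi",
    "192.168.2.0/24": "Delhi",
    "10.10.0.0/16": "Delhi",
    "10.10.50.0/24": "Delhi-DC-Room",   # more specific than 10.10.0.0/16, so it wins
    "10.20.0.0/16": "Mumbai",
    "10.30.0.0/16": "Jaipur",           # a site with no DC of its own
}
SITE_DCS = {
    "Delhi": ["DC-DEL-01", "DC-DEL-02"],
    "Delhi-DC-Room": ["DC-DELX-01"],
    "Mumbai": ["DC-MUM-01"],
    "Jaipur": [],
}
SITE_LINKS = [  # (site A, site B, cost); lower cost is preferred
    ("Delhi", "Mumbai", 200),
    ("Delhi", "Jaipur", 100),
    ("Mumbai", "Jaipur", 300),
]


def locate_site(ip: str) -> Optional[str]:
    """Site of the most specific (longest-prefix) subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_len, best_site = -1, None
    for cidr, site in SUBNET_TO_SITE.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


def covering_site(site: str) -> Optional[str]:
    """Site whose DCs serve `site`: itself if it has DCs, otherwise the
    cheapest directly linked site that has DCs (simplified auto site coverage)."""
    if SITE_DCS.get(site):
        return site
    options = []
    for a, b, cost in SITE_LINKS:
        if site in (a, b):
            other = b if a == site else a
            if SITE_DCS.get(other):
                options.append((cost, other))
    return min(options)[1] if options else None


def candidate_dcs(ip: str) -> List[str]:
    """DCs a client at ip will try first. With no subnet match the client has
    no site and falls back to any DC in the domain."""
    site = locate_site(ip)
    serving = covering_site(site) if site else None
    if serving is None:
        return sorted(dc for dcs in SITE_DCS.values() for dc in dcs)
    return list(SITE_DCS[serving])


if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.10.50.9", "10.30.4.4", "172.16.0.1"):
        print(ip, locate_site(ip), candidate_dcs(ip))
```

The unmatched-IP case is the one to watch on an assessment: a machine whose subnet is missing from AD is logged as a "no site" client on the DCs (NETLOGON warnings) and may authenticate across the WAN to whichever DC DNS hands it.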

### Site Link

***

Site links connect two or more AD sites and represent the physical WAN topology between them. Active Directory creates a default site link named DEFAULTIPSITELINK and places every new site in it; if you never create site links or change the default one, intersite replication runs with the default link's values (cost 100, replication every 180 minutes).

Why are they needed?\
Traffic to another site crosses a WAN link that is slower and often metered, so AD needs control over replication frequency (schedule and interval), bandwidth use and preferred paths (cost). That is exactly what site links define by connecting two or more sites.

{% hint style="info" %}
Note: Sites, subnets and site links together define an efficient replication topology in Active Directory, and they also steer clients to nearby DCs.
{% endhint %}
