Active Directory Architecture and Kerberos Protocol

byGyan Mainali -

Active Directory Architecture and Kerberos Protocol


In the modern enterprise, security is not just about a single password; it is about a complex web of trust, identity, and verification. At the heart of this web in the Windows ecosystem is Active Directory (AD) and the Kerberos authentication protocol. To understand how a user goes from a login screen to accessing a secure file on a server, we must look at the physical and logical architecture of the directory and the "ticket-based" system that keeps it secure.


Part 1: Blueprint of Identity — Active Directory Architecture

Active Directory is more than just a list of users; it is a distributed database stored in a single file called NTDS.dit. This database is logically separated into four distinct partitions to ensure that the right information gets to the right servers at the right time.

The Four Logical Partitions

  • Schema Partition: There is only one per forest. It contains the definitions of all objects and the rules for their creation (e.g., what attributes an "Employee" object must have). It is replicated to every Domain Controller (DC) in the forest.
  • Configuration Partition: Also one per forest, this contains the physical topology of the network, including sites, services, and the list of all DCs. Like the Schema, it is forest-wide.
  • Domain Partition: This is domain-specific. It contains the actual data people use—users, groups, computers, and Organizational Units (OUs). It only replicates to DCs within that specific domain.
  • Application Partition: Used by specific applications to store their data. A common example is AD-integrated DNS zone information.

💡 10-Year-Old Version: Giant School Library

Imagine Active Directory is a massive school library.

  • Schema is the "Rule Book" that says every book must have a title and a barcode.
  • Configuration is the "Building Map" showing where the shelves and bathrooms are.
  • Domain Partition is the actual "Bookshelf" for your specific grade level.
  • Application Partition is a special shelf just for the "Chess Club" magazines.


FSMO Roles: Decision Makers

While most AD tasks can be done by any DC, certain "Flexible Single Master Operation" (FSMO) roles are unique to prevent conflicts.

  • Schema Master: Manages the "Rule Book" (Schema).
  • Domain Naming Master: Ensures no two domains have the same name.
  • RID Master: Hands out "ID Numbers" (SIDs) to DCs so new users don't get the same ID.
  • PDC Emulator: The boss DC. It handles password changes, Group Policy, and tells everyone what time it is.
  • Infrastructure Master: Translates IDs and names between different domains.



Part 2: Ticket to Access — Kerberos Authentication


Once the architecture is in place, we need a way to prove who we are. Windows uses Kerberos, a protocol that uses "tickets" so you never have to send your actual password over the network. This is managed by the Key Distribution Center (KDC).

KDC Components

  1. Authentication Server (AS): Verifies who you are and gives you a "Master Ticket" (TGT).
  2. Ticket Granting Server (TGS): Takes your Master Ticket and swaps it for a "Service Ticket" to let you into a specific app or file.

Old School Way: 6 Steps to Success

  1. KRB_AS_REQ: Your computer sends a request to the AS for a Ticket Granting Ticket (TGT). This includes your username, a timestamp, and a hash of your password.
  2. KRB_AS_REP: The AS checks your password hash. If it's right, it sends back the TGT and a session key. Note: The timestamp must be within 5 minutes to prevent hackers from re-using old requests.
  3. KRB_TGS_REQ: Now that you have the "Master Ticket" (TGT), you send it to the TGS along with a request for a Service Ticket for a specific app.
  4. KRB_TGS_REP: The TGS verifies your TGT is real and sends back the Service Ticket and a service session key.
  5. KRB_AP_REQ: You take that Service Ticket and send it to the Application or Server you want to use.
  6. KRB_AP_REP: The application checks the ticket, and if it's valid, it says "Welcome!" and lets you in.


🎟️ 10-Year-Old Version: Theme Park Wristband

Kerberos is exactly like going to a huge Theme Park:

  1. Ticket Booth (AS): You go to the front gate, show your ID, and pay. They give you a Wristband (TGT).
  2. The Ride Lines (TGS): You want to ride the "Space Rollercoaster." You show the ride worker your Wristband.
  3. Ride Pass (Service Ticket): The worker sees your wristband and gives you a Gold Coin just for that one ride.
  4. Ride (Application): You give the Gold Coin to the person at the front of the line, and they let you on the rollercoaster!


Local Security and The "LSA"

On the individual computer, the Local Security Authority (LSA) is the brain of security. It uses the Credential Provider (which replaced the old GINA) to take your password and pass it to the LSA for verification. As seen in the architecture diagram, the LSA coordinates between the Security Accounts Manager (SAM) for local users and Active Directory/Kerberos for domain users.

Now that we've covered how identities are verified through Kerberos and stored in Active Directory partitions, would you like to explore how Group Policy Objects (GPOs) use this architecture to push settings out to thousands of computers at once?


Architecture of Active Directory


Active Directory (AD) is the definitive source of truth. While many see it as just a list of users, the internal architecture is a high-performance, distributed machine designed for extreme security and massive scale.


Internal Engine: Partitions and the Jet Database

At its deepest level, Active Directory lives in a single file called NTDS.dit. This database is powered by the Extensible Storage Engine (ESE), often called the Jet Database (Esent.dll), which allows the system to handle millions of objects with lightning speed.

To ensure efficiency, this database is logically carved into four Partitions:

  • Schema Partition: The "DNA" of the forest. It defines all object types (like users or printers) and their attributes. There is only one per forest.
  • Configuration Partition: The "Map" of the forest. It contains the physical topology, including sites, services, and every Domain Controller (DC) in the forest.
  • Domain Partition: The "Vault" for your specific domain. This holds the actual users, groups, and computers for a given domain.
  • Application Partition: A specialized space for data like AD-integrated DNS zones, which only replicates to specific servers.


Service Architecture: Inside the LSA

The diagram provided reveals the Local Security Authority (LSA), which is the heart of Windows identity verification. Here is how each service within that "Vault" operates:

1. Gatekeepers (User and Kernel Mode)

  • Winlogon (Winlogon.exe): The primary interactive login service. It traditionally used the GINA (msgina.dll) to capture your username and password before passing them to the LSA for verification.
  • Secur32.dll: A helper library used by applications to talk to security providers without needing to know the technical details of the protocol being used.

2. LSA Server Service (Lsasrv.dll)

This is the central nervous system of the LSA. It receives login requests and uses a Negotiate package to decide which security protocol to use (usually picking Kerberos first and falling back to NTLM if needed).

3. Protocol Providers

  • Kerberos (Kerberos.dll): The modern standard. It uses the KDC (Kdcsvc.dll) to issue time-sensitive tickets so your password never has to travel across the wire.
  • NTLM (Msv1_0.dll): The legacy protocol used for older systems or when a Kerberos connection cannot be established.
  • Schannel (Schannel.dll): Handles the TLS/SSL encryption used for secure web traffic and LDAPS connections.
  • Wdigest (Wdigest.dll): An older authentication method used primarily for certain web-based applications.

4. Data Access Layer

  • Netlogon (Netlogon.dll): The "Courier." It maintains the secure channel between your computer and the Domain Controller, ensuring that login requests are sent safely.
  • Security Accounts Manager (SAM) (Samsrv.dll): For non-domain controllers, this is where local usernames and passwords live.
  • Directory Services (Ntdsa.dll): The translator. It takes requests from the security protocols and looks up the information inside the Jet Database (Esent.dll).


👦 10-Year-Old's Guide to the AD Vault

Imagine Active Directory is a Super-Secure High School.

  • Jet Database: This is a massive, fireproof filing cabinet in the basement that holds every student's file.
  • Schema: This is the rulebook that says every student file must have a name, a photo, and a grade.
  • Winlogon: This is the security guard at the front door who asks for your ID card.
  • LSA: This is the Security Office. It takes the ID card the guard gave them and checks if it's real.
  • Kerberos: This is like a special "Day Pass" wristband. Once the Security Office knows who you are, they give you a wristband so you can walk into any classroom without being asked for your ID again.
  • FSMO Roles: These are the "Lead Teachers." One is in charge of the maps, one is in charge of the clock, and one is in charge of assigning student ID numbers so no two kids have the same one.

Tags:
Previous Post Next Post
Share to other apps
Copy Post Link

Contact Form