What is Active Directory?
Active Directory (AD) is Microsoft's directory service for Windows networks — the central database that stores every user, computer, group, and policy in a corporate environment, and the authority every domain-joined machine checks when deciding whether a given person can do a given thing.
A bit of history
Active Directory shipped with Windows 2000 Server and replaced the older Windows NT domain model. The model is conceptually simple: you have a domain (acme.local), one or more domain controllers that hold the AD database, and computers join the domain to pick up centralized authentication and policy. Twenty-five years later AD is still the identity layer underneath the overwhelming majority of corporate Windows environments, even ones that have moved most workloads to the cloud.
Why pentesters care about AD
In a Windows-shop intrusion, the attacker's goal is almost always to compromise AD. A domain admin account can read any file on any domain-joined machine, run code remotely, dump credentials, impersonate any user. That is why every internal network pentest worth paying for spends significant time on AD-specific attacks — Kerberoasting, AS-REP roasting, unconstrained delegation abuse, DCSync, golden tickets, BloodHound path enumeration.
The defense story is hard because AD was designed for usability and compatibility, not adversary resistance. Decades of backward compatibility have left footholds attackers still exploit productively. That is why mature programs treat AD hardening as a continuous project and run regular targeted tests against it.
Core AD concepts in plain English
Forests, domains, and trees: a forest is the top-level container of one or more domains that share a schema and a global catalog.
Group Policy (GPO) pushes configuration to every machine that joins the domain: what software is installed, what password policy applies, what firewall rules are enforced.
Service Principal Names (SPNs) tie service accounts to specific service instances and are heavily targeted by Kerberoasting.
Object attributes such as userAccountControl flags, ACLs, and group memberships carry the privileges that pentesters chain to escalate.
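For defenders, the attributes named above can be audited directly. The following is an added example, not code from this page or from any tool it mentions: it decodes userAccountControl values and checks for SPNs on account records to flag the settings behind Kerberoasting, AS-REP roasting, and unconstrained delegation. The account names, SPNs, and the dict layout of the records are constructed for illustration; the flag values are the ones Microsoft documents for userAccountControl.

```python
# Added example: audit constructed account records for the attributes behind
# Kerberoasting, AS-REP roasting and unconstrained delegation exposure.

# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",      # domain controller computer account
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",   # unconstrained delegation
    0x400000: "DONT_REQ_PREAUTH",        # Kerberos pre-auth not required
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def audit(account):
    """Return hardening findings for one account record (a dict)."""
    flags = set(decode_uac(account["userAccountControl"]))
    if "ACCOUNTDISABLE" in flags:
        return []  # disabled accounts cannot authenticate; skipped here
    findings = []
    if "NORMAL_ACCOUNT" in flags and account.get("servicePrincipalName"):
        findings.append("user account with SPN: Kerberoasting exposure")
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("pre-auth disabled: AS-REP roasting exposure")
    # Domain controllers carry this flag by design, so they are excluded.
    if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
        findings.append("unconstrained delegation on a non-DC account")
    return findings

# Constructed sample records (hypothetical accounts in acme.local).
SAMPLE = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.acme.local:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,
     "servicePrincipalName": ["ldap/dc01.acme.local"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,
     "servicePrincipalName": ["HTTP/old.acme.local"]},
]

def run_audit(accounts):
    """Map account name to findings, omitting accounts with none."""
    return {a["sAMAccountName"]: f for a in accounts if (f := audit(a))}

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```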
AD vs Entra ID vs Okta
Active Directory is the on-prem directory running on Windows Server. Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity service, providing SSO and conditional access for SaaS and cloud workloads. The two are different products with different threat models, even though many organizations sync accounts between them with Entra Connect. Okta is a competing cloud identity provider — same job as Entra ID with a different product approach.
At QUANT LAB
Our Active Directory pentest engagements are scoped specifically for the AD attack surface — we assume a foothold on an unprivileged domain-joined workstation and try to escalate to domain admin while documenting every step. Findings map to MITRE ATT&CK techniques and feed directly into hardening plans. We often run these alongside a network pentest, since the two share an attack path.
BloodHound — why every attacker loves it
BloodHound is an open-source tool that ingests AD data and graphs the relationships between users, groups, computers, and rights. Once mapped, it can answer one question better than anything else: "given this foothold, what is the shortest path to domain admin?" The query usually returns a chain of three or four steps the attacker can walk. Defense teams now use the same tool to find and break those paths before adversaries do. Any environment that has not been BloodHound-analyzed has a paths-to-domain-admin problem nobody has measured.