A complete reference for AD architecture, objects, authentication, Group Policy, replication, security hardening, and PowerShell administration.
The AD Schema defines every object class and attribute in the forest. It is forest-wide and stored in the Schema naming context. Once an attribute is added it cannot be deleted — only deactivated.
The Schema Master is the only DC allowed to write changes to the AD schema. It needs to be online only during schema extensions (Exchange, SCCM installs).
The Domain Naming Master controls adding and removing domains and application partitions in the forest. It must be a GC server.
The RID Master allocates pools of Relative IDs (RIDs) to DCs. Every object SID = domain SID + RID. DCs request a new RID pool when running low (default pool = 500 RIDs).
The PDC Emulator is the most critical FSMO role for day-to-day operations.
The Infrastructure Master maintains cross-domain object references (phantom records), updating them when objects in other domains are renamed or moved.
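As an added example (not part of the original reference), the script below enumerates the five FSMO role holders, checks that each one answers LDAP, reads the RID Master's rIDAvailablePool attribute, and splits an object SID into its domain SID and RID. It assumes the RSAT ActiveDirectory module and a domain-joined session; the domain is taken from the current user context.

```powershell
# Added example, not the reference's own code. Requires the ActiveDirectory module
# and a session in the domain being inspected.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles are exposed by Get-ADForest, domain roles by Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A holder that does not answer LDAP means the role is effectively offline
        # (for the Schema Master that only matters during a schema extension).
        $reachable = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $reachable }
    }
}

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    $ridManager = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool
    $pool = [int64]$ridManager.rIDAvailablePool
    # rIDAvailablePool packs two 32-bit values: the high half is the highest RID
    # the domain can issue, the low half is the next RID to be handed out.
    $maxRid  = [math]::Floor($pool / [math]::Pow(2, 32))
    $nextRid = $pool - ($maxRid * [math]::Pow(2, 32))
    [pscustomobject]@{
        RIDMaster     = $domain.RIDMaster
        NextRID       = [int64]$nextRid
        MaxRID        = [int64]$maxRid
        RIDsRemaining = [int64]($maxRid - $nextRid)
    }
}

function Split-ObjectSid {
    # Demonstrates "object SID = domain SID + RID" for any account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sid = (Get-ADObject -Filter { sAMAccountName -eq $SamAccountName } -Properties objectSid).objectSid
    [pscustomobject]@{
        ObjectSID = $sid.Value
        DomainSID = $sid.AccountDomainSid.Value
        RID       = [int]($sid.Value.Split('-')[-1])
    }
}

Get-FsmoRoleReport | Format-Table -AutoSize
Get-RidPoolStatus
Split-ObjectSid -SamAccountName 'krbtgt'   # well-known RID 502
```

Run it from a member server with RSAT installed; an unreachable RID Master or a small RIDsRemaining value is what stops new accounts from being created, which is why that role matters most day to day.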
AD depends entirely on DNS. Every AD function — DC location, Kerberos, replication, logon — is resolved via DNS SRV records. Use AD-integrated zones for secure dynamic updates and replication via AD instead of zone transfers.
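As an added example (not part of the original reference), the functions below resolve the SRV records that DC location and Kerberos depend on, then report which zones on a DNS server are AD-integrated and restricted to secure dynamic updates. Resolve-DnsName comes with any Windows client; Get-DnsServerZone needs the DnsServer RSAT module and rights on the server passed as -DnsServer. The domain and server names are taken from environment variables as an assumption.

```powershell
# Added example, not the reference's own code.

function Test-AdSrvRecords {
    param([Parameter(Mandatory)][string]$DomainFqdn)
    # The locator records every domain member queries before it can authenticate.
    $records = @(
        "_ldap._tcp.dc._msdcs.$DomainFqdn",   # any DC
        "_ldap._tcp.pdc._msdcs.$DomainFqdn",  # the PDC Emulator
        "_ldap._tcp.gc._msdcs.$DomainFqdn",   # global catalogs
        "_kerberos._tcp.$DomainFqdn",         # KDC (port 88)
        "_kpasswd._tcp.$DomainFqdn"           # password changes (port 464)
    )
    foreach ($name in $records) {
        $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'SRV'
        [pscustomobject]@{
            Record  = $name
            Found   = [bool]$answer
            Targets = ($answer | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

function Test-AdIntegratedZones {
    param([Parameter(Mandatory)][string]$DnsServer)
    # Zones that are not AD-integrated replicate by zone transfer, and a zone set to
    # NonsecureAndSecure lets any host overwrite records, including DC SRV entries.
    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            [pscustomobject]@{
                Zone          = $_.ZoneName
                ADIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                Compliant     = ($_.IsDsIntegrated -and $_.DynamicUpdate -eq 'Secure')
            }
        }
}

# Assumed: the current logon domain and logon server stand in for real names.
Test-AdSrvRecords -DomainFqdn $env:USERDNSDOMAIN | Format-Table -AutoSize
Test-AdIntegratedZones -DnsServer $env:LOGONSERVER.TrimStart('\') | Format-Table -AutoSize
```

A missing `_ldap._tcp.dc._msdcs` record is the usual cause of "domain not available" logon failures, and a zone reported as not compliant is the first thing to fix before relying on DNS for anything else on this page.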
| Event ID | Source | Description | Action |
|---|---|---|---|
| 4624 | Security | Successful logon — Type 3 (network) is most common for lateral movement | Baseline and alert on anomalies |
| 4625 | Security | Failed logon — monitor for brute force (many failures from same source) | Alert on threshold (10+ in 5 min) |
| 4740 | Security | Account locked out — appears on PDC Emulator | Alert immediately |
| 4672 | Security | Special privileges assigned to new logon (admin logon) | Alert on non-admin accounts |
| 4728 | Security | Member added to a global security group | Alert on Domain Admins changes |
| 4732 | Security | Member added to a local security group | Alert on privileged groups |
| 4756 | Security | Member added to universal security group | Alert |
| 4769 | Security | Kerberos service ticket requested — RC4 encryption = Kerberoasting indicator | Alert on RC4 for SPN accounts |
| 4771 | Security | Kerberos pre-authentication failed — failed logon for domain accounts | Monitor volume |
| 4776 | Security | NTLM credential validation on DC — monitor for unusual sources | Alert on unexpected NTLM |
| 4662 | Security | Operation performed on AD object — watch for DS-Replication-Get-Changes-All (DCSync) | Alert immediately |
| 7045 | System | New service installed — common malware persistence technique | Alert on unexpected services |
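As an added example (not part of the original reference), the script below implements three of the detections in the table: the 4625 brute-force threshold (10+ failures from one source in 5 minutes), 4769 RC4 tickets for SPN accounts, and 4662 with the replication control access rights that DCSync exercises. It runs over a constructed set of event records so the logic can be read offline; ConvertFrom-SecurityEvent shows how real Get-WinEvent records are flattened into the same shape. The sample data, names and addresses are made up.

```powershell
# Added example, not the reference's own code. The sample events are constructed.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into Id, TimeCreated and its EventData fields.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $o = [ordered]@{ Id = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-BruteForce {
    # 4625: alert when one source IP produces $Threshold failures inside $Window.
    param($Events, [int]$Threshold = 10, [timespan]$Window = [timespan]::FromMinutes(5))
    $Events | Where-Object Id -eq 4625 | Group-Object IpAddress | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        # Sliding window: compare each failure with the one ($Threshold - 1) entries earlier.
        for ($i = $Threshold - 1; $i -lt $times.Count; $i++) {
            if (($times[$i] - $times[$i - $Threshold + 1]) -le $Window) {
                [pscustomobject]@{ Alert = 'BruteForce'; Source = $_.Name; Failures = $times.Count; Until = $times[$i] }
                break
            }
        }
    }
}

function Find-Kerberoasting {
    # 4769: RC4 (0x17) service tickets; krbtgt and machine-account services are excluded.
    param($Events)
    $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
                             $_.ServiceName -ne 'krbtgt' -and $_.ServiceName -notlike '*$' } |
        ForEach-Object { [pscustomobject]@{ Alert = 'Kerberoast'; Source = $_.IpAddress; User = $_.TargetUserName; Service = $_.ServiceName } }
}

function Find-DCSync {
    # 4662 whose Properties list a replication control access right, from a non-DC account.
    param($Events)
    $replGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes-All
        '89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
    )
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4662 -and $_.SubjectUserName -notlike '*$' })) {
        $hit = $replGuids | Where-Object { $e.Properties -match $_ }
        if ($hit) { [pscustomobject]@{ Alert = 'DCSync'; Subject = $e.SubjectUserName; Object = $e.ObjectName; Rights = ($hit -join ',') } }
    }
}

# Constructed sample: 12 failures from one address in two minutes, 2 from another,
# one RC4 ticket for a service account, one AES ticket for krbtgt, and two 4662s.
$base = Get-Date '2024-01-01T10:00:00'
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ Id = 4625; TimeCreated = $base.AddSeconds(10 * $_); IpAddress = '10.0.0.50'; TargetUserName = 'jsmith' } }
    0..1  | ForEach-Object { [pscustomobject]@{ Id = 4625; TimeCreated = $base.AddMinutes(30 * $_); IpAddress = '10.0.0.51'; TargetUserName = 'admin' } }
    [pscustomobject]@{ Id = 4769; TimeCreated = $base; IpAddress = '10.0.0.50'; TargetUserName = 'jsmith@CORP.EXAMPLE'; ServiceName = 'svc_sql'; TicketEncryptionType = '0x17' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $base; IpAddress = '10.0.0.7';  TargetUserName = 'WS01$@CORP.EXAMPLE'; ServiceName = 'krbtgt'; TicketEncryptionType = '0x12' }
    [pscustomobject]@{ Id = 4662; TimeCreated = $base; SubjectUserName = 'jsmith'; ObjectName = 'DC=corp,DC=example'; Properties = '%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; TimeCreated = $base; SubjectUserName = 'DC02$';  ObjectName = 'DC=corp,DC=example'; Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
)

# Against a live DC: $events = Get-WinEvent -LogName Security -MaxEvents 5000 | ConvertFrom-SecurityEvent
$alerts = @(Find-BruteForce $sample) + @(Find-Kerberoasting $sample) + @(Find-DCSync $sample)
$alerts | Format-Table -AutoSize
```

On the sample this yields exactly three alerts: a BruteForce entry for 10.0.0.50, a Kerberoast entry for svc_sql, and a DCSync entry for jsmith; the second 4625 source and the DC02$ replication are correctly ignored. Against real logs, run the 4662 check only after the DS-Replication audit (Directory Service Access) is enabled, or no 4662 events will exist to match.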
| Port | Proto | Service | Notes |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Critical — DC location, Kerberos, everything |
| 88 | TCP/UDP | Kerberos | Authentication tickets |
| 135 | TCP | RPC Endpoint Mapper | Required for AD replication & RPC |
| 137-139 | UDP | NetBIOS | Legacy — disable where possible |
| 389 | TCP/UDP | LDAP | Directory queries. Use 636 for LDAPS |
| 445 | TCP | SMB / SYSVOL | GPO/SYSVOL replication, Netlogon |
| 464 | TCP/UDP | Kerberos kpasswd | Password change via Kerberos |
| 636 | TCP | LDAPS | Encrypted LDAP — require for all AD queries |
| 3268 | TCP | GC LDAP | Global Catalog queries |
| 3269 | TCP | GC LDAPS | Encrypted GC queries |
| 49152–65535 | TCP | RPC Dynamic | AD replication, DCOM — restrict via GPO |
| 5722 | TCP | DFS-R | SYSVOL replication (Windows 2008+) |
| 9389 | TCP | AD Web Services | PowerShell AD module, ADAC |
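As an added example (not part of the original reference), the function below probes the TCP ports from the table between the current host and a DC, and a second function reads the host's dynamic RPC range so it can be compared with the 49152–65535 range the table expects. Test-NetConnection only probes TCP, so the UDP NetBIOS entries are skipped and dual-protocol ports are reported for TCP only. The DC name defaults to $env:LOGONSERVER as an assumption.

```powershell
# Added example, not the reference's own code.

function Test-DcPorts {
    param([Parameter(Mandatory)][string]$DomainController)
    # TCP ports from the table; 137-139 (UDP NetBIOS) cannot be probed this way.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC Endpoint Mapper'
        389  = 'LDAP'
        445  = 'SMB / SYSVOL'
        464  = 'Kerberos kpasswd'
        636  = 'LDAPS'
        3268 = 'GC LDAP'
        3269 = 'GC LDAPS'
        5722 = 'DFS-R'
        9389 = 'AD Web Services'
    }
    foreach ($port in $ports.Keys) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Service = $ports[$port]; Open = $open }
    }
}

function Get-DynamicRpcRange {
    # Parse "netsh int ipv4 show dynamicport tcp" so the local ephemeral range can be
    # checked against the 49152-65535 range firewall rules are normally written for.
    $text = netsh int ipv4 show dynamicport tcp | Out-String
    if ($text -match 'Start Port\s*:\s*(\d+)' ) { $start = [int]$Matches[1] }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    [pscustomobject]@{
        StartPort = $start
        EndPort   = $start + $count - 1
        Count     = $count
        Default   = ($start -eq 49152 -and $count -eq 16384)
    }
}

$dc = $env:LOGONSERVER.TrimStart('\')   # assumed: the current logon server
Test-DcPorts -DomainController $dc | Format-Table -AutoSize
Get-DynamicRpcRange
```

A closed 389 or 445 with 88 open is the classic symptom of a firewall rule written for "Kerberos only"; GPO processing (SYSVOL over 445) and LDAP lookups then fail even though logon appears to work.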