How Active Directory replication is encrypted

Okay, I wanted to share this with you. Since I'm currently writing a paper for my university, I had to look into some security settings of Active Directory in a default installation. One of those things was how AD replication is secured.

It basically all relies on Kerberos: the encryption is keyed from the Kerberos session, or, more precisely, from the session key that both domain controllers share once they have authenticated to each other.

If you know a little about Kerberos, I’m sure you can handle those two pictures:

The first one shows the initial authentication of the client against the KDC, ending with the release of a TGT; the second shows how the client uses that TGT to obtain a service ticket and then contacts the service (it's a file server here).

So basically, when the client connects to the file server, the two share a secret key called the "session key". The KDC generates it and hands it out twice: once to the client, encrypted so that only the client can read it (under the key established in the TGT exchange), and once inside the service ticket, encrypted with the file server's long-term key. That ticket is what the client presents to the file server. Neither party learns the other's long-term key; they only end up holding the same session key.

Domain controller replication runs over RPC (the DRS replication interface) in every case but one: for inter-site replication you can also configure SMTP as a transport, but SMTP can only carry the schema, configuration and global catalog partitions, never the domain partition, so in practice it is only an option between DCs of different domains. Over RPC the domain controllers authenticate to each other with Kerberos, with all the ticket handling described above, and end up with a shared session key. The replication RPC connection is established at the "packet privacy" authentication level, so every packet is encrypted and integrity-protected with keys derived from that session key; with RC4-HMAC session keys (the Kerberos encryption type in use here) the per-packet cipher is RC4, with AES session keys it is AES. On top of that, secret attributes such as password hashes are encrypted a second time before they are placed in the replication payload, again with RC4, using a key derived from the session key and a per-value salt. RC4 is a symmetric stream cipher, which means that both parties use the same shared secret to encrypt and to decrypt. To check which transport a given replication link uses, run `repadmin /showrepl` on a DC: each inbound neighbour is listed as "via RPC" (or "via SMTP").
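As an added example, not code from the original post and not Microsoft's own implementation, here is the second layer in Python: the salted, session-key-derived RC4 encryption that MS-DRSR applies to secret attribute values before they travel inside the replication payload. The session key and the attribute value are constructed test data; in real replication the key is the Kerberos session key the two DCs share after the ticket exchange. The layout is Salt (16 bytes) || RC4(CRC32(value) || value), keyed with MD5(session key || Salt), and the example also shows what an observer who lacks the session key gets out of it.

```python
"""Added example: how a replication secret is encrypted under the Kerberos
session key shared by two domain controllers (MS-DRSR ENCRYPTED_PAYLOAD layout).

Everything here is constructed test data; no domain controller is contacted.
"""
import hashlib
import os
import struct
import zlib
from typing import Optional

# Constructed stand-in for the Kerberos session key both DCs share after the
# ticket exchange. In real replication it comes from the RPC security context.
CONSTRUCTED_SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Constructed stand-in for a secret attribute value (e.g. a 16-byte NT hash).
CONSTRUCTED_SECRET = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher. The keystream is XORed into the data, so the
    same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_secret_attribute(session_key: bytes, value: bytes,
                             salt: Optional[bytes] = None) -> bytes:
    """Produce Salt || RC4_K(CRC32(value) || value), K = MD5(session_key || Salt).
    A fresh 16-byte salt per value means the same hash never encrypts the same
    way twice, which matters for a stream cipher (keystream reuse leaks XORs)."""
    if salt is None:
        salt = os.urandom(16)
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    key = hashlib.md5(session_key + salt).digest()
    checksum = struct.pack("<L", zlib.crc32(value) & 0xFFFFFFFF)
    return salt + rc4(key, checksum + value)


def decrypt_secret_attribute(session_key: bytes, payload: bytes) -> bytes:
    """Reverse of encrypt_secret_attribute. Raises ValueError when the key is
    wrong (an observer without the session key only gets garbage) or the
    payload was altered. CRC32 is an error check, not a MAC: tamper resistance
    on the wire comes from the RPC packet-privacy layer around this."""
    if len(payload) < 16 + 4:
        raise ValueError("payload too short")
    salt, body = payload[:16], payload[16:]
    key = hashlib.md5(session_key + salt).digest()
    plain = rc4(key, body)
    (expected,) = struct.unpack("<L", plain[:4])
    value = plain[4:]
    if zlib.crc32(value) & 0xFFFFFFFF != expected:
        raise ValueError("checksum mismatch: wrong session key or corrupted payload")
    return value


def eavesdropper_can_read(payload: bytes, guessed_key: bytes) -> bool:
    """True only if the given key actually unlocks the payload."""
    try:
        decrypt_secret_attribute(guessed_key, payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    wire = encrypt_secret_attribute(CONSTRUCTED_SESSION_KEY, CONSTRUCTED_SECRET)
    print("on the wire:", wire.hex())
    print("receiving DC:", decrypt_secret_attribute(CONSTRUCTED_SESSION_KEY, wire).hex())
    print("observer without the key:", eavesdropper_can_read(wire, bytes(16)))
```

The point of the salt is worth dwelling on: RC4 is only safe if a key is never reused for two different messages, and the per-value salt is what turns one long-lived session key into a fresh RC4 key for every secret. Without the session key, the salt is of no use to anyone capturing the traffic.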

So you can consider replication traffic between domain controllers secure against eavesdropping and tampering on the wire. The caveat is that this protection is exactly as strong as the Kerberos session key: any principal that can authenticate to a DC and holds the rights to replicate directory changes negotiates its own session key and receives the same data, so those replication rights need to be guarded as carefully as the domain controllers themselves.

2 Comments so far

  1. DoFoT9 on October 12th, 2010

    A very well written article, and gives great insight into AD replication – however your diagrams focus more on authentication between client and server. Are you aware of the handshake process between 2 AD servers during replication? Is it an identical process?

  2. florian on October 19th, 2010

    In general, this pretty much works the same between DCs. The RPC traffic (or whatever traffic crosses the lines) is encrypted through the same mechanism.