Configuration Naming Context Replication
The Configuration Naming Context (NC) serves as the repository for forest-wide configuration data in Active Directory, necessitating its replication across the entire AD forest. The Distinguished Name (DN) for this context is CN=Configuration,DC=domain,DC=com, wherein DC=domain,DC=com denotes the DN of the forest root domain.
The Configuration NC is the primary repository for configuration information for a forest and is replicated to every domain controller in the forest. Additionally, every writable domain controller in the forest holds a writable copy of the Configuration NC.
To access the NC, follow these steps:
1. Open the Active Directory Services Interfaces (ADSI) Edit tool (adsiedit.msc)
2. Click on Action in the menu bar
3. Select Connect to... from the dropdown menu
4. In the Connection Settings window, under Select a well-known Naming Context, choose Configuration
5. Click OK to connect

Once connected, you will have access to the Configuration Naming Context, where you can view and manage configuration settings for Active Directory.

Any modifications made to an object within Configuration at the forest root level will be replicated downwards to all domains within the forest and vice-versa: if an object within Configuration undergoes a change in a child domain, that alteration will propagate upwards to the forest root.
NC Replication Abuse
Configuration Naming Context (NC) replication abuse refers to an offensive tactic wherein attackers exploit the replication mechanism of the Configuration Naming Context in Active Directory to propagate unauthorized changes or configurations across the domain infrastructure.
To retrieve the Access Control List (ACL) rights associated with the DN for the NC, we can use the Get-Acl cmdlet from a high-integrity shell.
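# The AD: drive used below is provided by the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$dn = "CN=Configuration,DC=DOMAIN,DC=COM"
$acl = Get-Acl -Path "AD:\$dn"
# Keep only ACEs that grant full control or any write-type right
$acl.Access | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|Write" }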
Let's take a look at some dummy output:

ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Domain Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Enterprise Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

| User | Rights on Configuration Naming Context (NC) |
| --- | --- |
| NT AUTHORITY\SYSTEM | Full Control |
| INLANEFREIGHT\Domain Admins | Read all, List all, Write all, All Extended rights |
| INLANEFREIGHT\Enterprise Admins | Full Control |

We can see that NT AUTHORITY\SYSTEM has GenericAll over the NC.
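
The same ACL query can serve as a baseline check for defenders. The following is an added example, not code from the original page: it flags write-capable Allow ACEs on the Configuration NC held by principals outside an expected list. The function name, the $Expected baseline and the DOMAIN\svc-example entry are assumptions, and the sample ACEs are constructed.

```powershell
# Added example: report write-capable ACEs on the Configuration NC whose
# trustee is not in an expected baseline. $Expected is an assumed allow list
# taken from the dummy output above; adjust it to your forest.
function Get-UnexpectedConfigNcWriter {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [string[]] $Expected = @(
            'NT AUTHORITY\SYSTEM',
            'DOMAIN\Domain Admins',
            'DOMAIN\Enterprise Admins'
        )
    )
    # Rights that allow modifying objects, their DACL or their owner
    $writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild'
    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        if ("$($a.ActiveDirectoryRights)" -notmatch $writeRights) { continue }
        $id = "$($a.IdentityReference)"
        # Exact match on the full identity, so CHILD\Domain Admins is not
        # mistaken for the forest root group (comparison is case-insensitive)
        if ($Expected -notcontains $id) {
            [pscustomobject]@{
                Identity  = $id
                Rights    = "$($a.ActiveDirectoryRights)"
                Inherited = $a.IsInherited
            }
        }
    }
}

# Constructed sample ACEs (not real output). The last entry is a hypothetical
# delegation included to show a finding.
$sample = @(
    [pscustomobject]@{ ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'; IdentityReference = 'NT AUTHORITY\SYSTEM'; IsInherited = $false }
    [pscustomobject]@{ ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'; IdentityReference = 'DOMAIN\Enterprise Admins'; IsInherited = $false }
    [pscustomobject]@{ ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'; IdentityReference = 'NT AUTHORITY\Authenticated Users'; IsInherited = $false }
    [pscustomobject]@{ ActiveDirectoryRights = 'WriteProperty, WriteDacl'; AccessControlType = 'Allow'; IdentityReference = 'DOMAIN\svc-example'; IsInherited = $false }
)
Get-UnexpectedConfigNcWriter -Ace $sample

# Against a live forest (requires the ActiveDirectory module):
# Get-UnexpectedConfigNcWriter -Ace (Get-Acl -Path "AD:\CN=Configuration,DC=DOMAIN,DC=COM").Access
```

Run on the constructed sample, only the DOMAIN\svc-example entry is reported; the read-only ACE and the baseline principals are skipped.
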
To abuse these privileges we can: