# Configuration Naming Context Replication

The Configuration Naming Context (NC) serves as the repository for forest-wide configuration data in Active Directory, necessitating its replication across the entire AD forest. The Distinguished Name (DN) for this context is `CN=Configuration,DC=domain,DC=com`, wherein `DC=domain,DC=com` denotes the DN of the forest root domain.

> The Configuration NC is the primary repository for configuration information for a forest and is replicated to every domain controller in the forest. Additionally, every writable domain controller in the forest holds a writable copy of the Configuration NC.

To access the NC, follow these steps:

1. Open the Active Directory Services Interfaces (ADSI) Edit tool `adsiedit.msc`
2. Click on `Action` in the menu bar
3. Select `Connect to...` from the dropdown menu
4. In the `Connection Settings` window, under `Select a well-known Naming Context`, choose `Configuration`
5. Click `OK` to connect
6. Once connected, you will have access to the `Configuration Naming Context`, where you can view and manage forest-wide configuration objects

<figure><img src="https://2250041043-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwvcHfYovs3au5hl3NprD%2Fuploads%2FpBGjXeLgu4BOqv7y9b5g%2Fimage.png?alt=media&#x26;token=71388394-e967-4395-815a-023d02d3aaae" alt=""><figcaption></figcaption></figure>

The Configuration NC is a single partition replicated multi-master: every writable DC in the forest, whatever domain it belongs to, holds a writable replica of the same objects. A change written through a forest root DC is `replicated downwards` to every child domain's DCs, and a change written through a child domain's DC propagates `upwards` to the forest root and sideways to every other domain in exactly the same way. There is no direction in which the Configuration NC is read-only.

#### NC Replication Abuse

Configuration Naming Context (NC) replication abuse refers to an offensive tactic wherein an attacker who can write to any DC's replica of the `Configuration Naming Context` relies on its `replication` to propagate unauthorized changes or configurations to every domain in the forest.

To retrieve the `Access Control List (ACL)` on the NC head we can use the `Get-Acl` cmdlet against the `AD:` drive that the ActiveDirectory (RSAT) module provides. Reading the security descriptor only needs read access, which every authenticated user has, so no elevated shell is required. The regex below also matches `WriteProperty`, `WriteDacl` and `WriteOwner`, not just the generic rights.

```powershell
# The AD: drive only exists once the ActiveDirectory module is loaded
Import-Module ActiveDirectory

# Resolve the NC head from RootDSE instead of hardcoding the forest root DN
$dn  = (Get-ADRootDSE).configurationNamingContext   # e.g. CN=Configuration,DC=DOMAIN,DC=COM
$acl = Get-Acl -Path "AD:\$dn"

# Keep only ACEs that carry some form of write or full-control right
$acl.Access | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|Write" }
```

Let's take a look at some example output from a forest with a default ACL:

```
ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Domain Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DOMAIN\Enterprise Admins
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None  
```

| **Principal**                            | **Rights on Configuration Naming Context (NC)**                            |
| ---------------------------------------- | -------------------------------------------------------------------------- |
| `NT AUTHORITY\SYSTEM`                    | Full Control (on the NC head itself, not inherited)                        |
| `DOMAIN\Domain Admins` (forest root only) | Read all, List all, Write all, All Extended rights on descendant objects   |
| `DOMAIN\Enterprise Admins`               | Full Control (on the NC head and everything beneath it)                    |

We can see that `NT AUTHORITY\SYSTEM` has `GenericAll` over the NC head, that `Enterprise Admins` has `GenericAll` over the whole partition, and that the `Domain Admins` entry belongs to the forest root domain: the `Domain Admins` groups of child domains do not appear in the default ACL at all.
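The one-liner above only inspects the NC head. As an added example that is not part of the original page, the following script walks the head plus the Configuration NC containers that the abuse paths listed later on this page go through (site objects, the ADCS containers, the KDS root keys), resolves the `ObjectType` GUIDs to attribute and extended-right names, and flags any principal holding a write-capable right that is not one of the expected defaults. It assumes the RSAT ActiveDirectory module; the `-Server` default, the list of expected principals and the container list are assumptions you should adapt to the forest being assessed.

```powershell
# Added example (not from the original page): audit write-capable ACEs on the
# Configuration NC head and on the containers behind the abuse paths listed on
# this page. Read-only; assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Resolve-AdGuidMap {
    # Build a GUID -> name lookup from the schema (attributes/classes) and from
    # CN=Extended-Rights (control access rights) so ACEs read as names, not GUIDs.
    param([string]$Server)
    $rootDse = Get-ADRootDSE -Server $Server
    $map = @{}
    $map[[guid]::Empty] = '<all>'     # empty ObjectType = the ACE applies to everything
    Get-ADObject -Server $Server -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.lDAPDisplayName }
    Get-ADObject -Server $Server -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-ConfigNcWriteAces {
    param(
        # Assumption: the DC this host already talks to, as published on its RootDSE
        [string]$Server = (Get-ADRootDSE).dnsHostName,
        # Assumption: principals whose write rights are expected defaults
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'Enterprise Admins', 'Domain Admins',
                                'Administrators', 'Enterprise Domain Controllers')
    )
    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $names    = Resolve-AdGuidMap -Server $Server

    # Containers checked (assumed list): the NC head, site objects (gPLink lives there),
    # the ADCS containers, and the KDS root keys used for gMSA password derivation.
    $targets = @(
        $configNc,
        "CN=Sites,$configNc",
        "CN=Public Key Services,CN=Services,$configNc",
        "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNc"
    )
    $writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|CreateChild|Delete|ExtendedRight|Self'

    foreach ($dn in $targets) {
        # Pull the security descriptor over ADWS so -Server is honoured (unlike the AD: drive)
        $obj = Get-ADObject -Server $Server -Identity $dn -Properties nTSecurityDescriptor -ErrorAction SilentlyContinue
        if (-not $obj) { continue }   # container absent in this forest; skip it
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ("$($ace.ActiveDirectoryRights)" -notmatch $writeRights) { continue }
            $id = $ace.IdentityReference.Value
            $isExpected = $Expected | Where-Object { $id -eq $_ -or $id -like "*\$_" }
            [pscustomobject]@{
                Container  = $dn
                Identity   = $id
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = if ($names.ContainsKey($ace.ObjectType)) { $names[$ace.ObjectType] } else { $ace.ObjectType }
                Inherited  = $ace.IsInherited
                Expected   = [bool]$isExpected
            }
        }
    }
}

# Anything with Expected = False is a non-default write path into forest-wide
# configuration and deserves a second look.
Get-ConfigNcWriteAces | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

`Get-ADObject -Properties nTSecurityDescriptor` is used instead of `Get-Acl` so that `-Server` can point at a DC in a specific domain; the `AD:` drive always binds to the default server. Expect the output to be empty in an untouched forest, which is the point: any row that does appear is either a deliberate delegation or a foothold.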

{% hint style="info" %}
On any DC in the forest, including a child domain's DC, the local `SYSTEM` account holds `GenericAll` over the Configuration NC when it writes through the DC's own replica, because that replica is fully writable. Whatever is changed there replicates to the forest root and to every other domain. This is one reason the forest, not the domain, is the security boundary: `SYSTEM` on a single child DC is enough to alter forest-wide configuration.
{% endhint %}
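To see both of the claims above in one run (the child DC's replica is writable, and the write reaches the forest root with the child DC recorded as the originating DSA), here is an added example that is not part of the original page. It is meant for a lab: run it in a `SYSTEM` shell on the child DC (for example via `PsExec -s`), since that is the account with `GenericAll` on the local replica. The root DC hostname, the probe object name, the poll timeout and the use of ADWS from a `SYSTEM` context are assumptions.

```powershell
# Added example (not from the original page): write a throwaway container into the
# Configuration NC through a child DC's local replica, then confirm from the forest
# root DC that it replicated and that the child DC is the originating DSA.
# Lab only; assumes the RSAT ActiveDirectory module and a SYSTEM shell on the child DC.
Import-Module ActiveDirectory

function Test-ConfigNcReplication {
    param(
        [string]$ChildDc = $env:COMPUTERNAME,        # write here: the local, writable replica
        [Parameter(Mandatory)][string]$RootDc,       # read back here: a forest root DC (assumed name)
        [int]$TimeoutSeconds = 300                   # intra-site convergence is usually seconds
    )
    # PowerShell equivalent of the ADSI Edit "Connect to... Configuration" step: RootDSE
    # publishes the NC head, so the forest root DN never needs to be hardcoded.
    $configNc = (Get-ADRootDSE -Server $ChildDc).configurationNamingContext
    $name = "ReplProbe-" + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $dn   = "CN=$name,$configNc"

    # 1. Write on the child DC. An empty container under the NC head is harmless and
    #    trivially cleaned up; any other Config NC object would replicate the same way.
    New-ADObject -Server $ChildDc -Type container -Name $name -Path $configNc `
        -Description "written via $ChildDc at $(Get-Date -Format o)"

    # 2. Poll the root DC until the object shows up or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = $null
    do {
        $seen = Get-ADObject -Server $RootDc -Identity $dn -Properties description -ErrorAction SilentlyContinue
        if (-not $seen) { Start-Sleep -Seconds 5 }
    } while (-not $seen -and (Get-Date) -lt $deadline)

    # 3. Ask the root DC where the change originated. After a successful replication the
    #    originating DSA is the child DC's NTDS Settings object, not the root DC's.
    $origin = $null
    if ($seen) {
        $origin = Get-ADReplicationAttributeMetadata -Server $RootDc -Object $dn |
            Where-Object AttributeName -eq 'description' |
            Select-Object -ExpandProperty LastOriginatingChangeDirectoryServerIdentity
    }

    # 4. Clean up through the child DC; the deletion replicates by the same mechanism.
    Remove-ADObject -Server $ChildDc -Identity $dn -Confirm:$false

    [pscustomobject]@{
        ProbeDn          = $dn
        ReplicatedToRoot = [bool]$seen
        OriginatingDsa   = $origin
    }
}

# Assumed root DC name; replace with a DC of the forest root domain in your lab
Test-ConfigNcReplication -RootDc 'ROOTDC01.domain.com'
```

If `ReplicatedToRoot` comes back `$false`, the site link schedule is the usual reason; wait for the next replication window or trigger one with `repadmin /syncall` on the root DC before treating the write as blocked. The `LastOriginatingChangeDirectoryServerIdentity` value is also what a defender sees in replication metadata, so this is the artefact to hunt for when Configuration NC objects change unexpectedly from a DC outside the forest root.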

To abuse these privileges we can:

* [carry out ADCS attacks](https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/adcs-nc-replication-attack)
* [manipulate GPOs](https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/gpo-on-site-attack)
* [change DNS entries](https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/dns-trust-attack)
* [execute GoldenGMSA attacks](https://otter.gitbook.io/red-teaming/notes/forest-trust-abuse/intra-forest-attacks/goldengmsa-attack)

