# Domains

The `Domains` page lists the domains enumerated across the entire Active Directory. For each domain object the list shows its `Risk Score`, `Exposure Point` and `Issue Counts`.

<figure><img src="/files/k0t4cW7WgVbigXwQmTuk" alt=""><figcaption><p>Domains</p></figcaption></figure>

## Domain Details

The details page contains the `Risk Score` and `Exposure Point` of the domain, the `Details` and `GPOs` tabs, the `Visualize` button, and the `Issues` and `Trusts` panes.

{% hint style="info" %}
You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side.
{% endhint %}

<figure><img src="/files/fmuJeMWZuauA5TvO8IZk" alt=""><figcaption><p>Domain Details</p></figcaption></figure>

## Details

The Details tab contains the following attributes of the domain.

| Attribute                     | Description                                                                                                                                                                                      |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Distinguished Name**        | Active Directory distinguished name of the object. (**Ldap Display Name**)                                                                                                                       |
| **Domain Mode**               | The operating mode of the domain. ([Field reference](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domainmode?view=windowsdesktop-7.0))                  |
| **PDC Role Owner**            | Domain controller that holds the primary domain controller (PDC) role for this domain.                                                                                                           |
| **Object Sid**                | Active Directory security identifier of object. (**Ldap Display Name**: objectSid)                                                                                                               |
| **Created Time**              | The date when this object was created. (**Ldap Display Name**: whenCreated)                                                                                                                      |
| **Last Changed Time**         | The date when this object was last changed. (**Ldap Display Name**: whenChanged)                                                                                                                 |
| **ms-DS-MachineAccountQuota** | The number of computer accounts that a user is allowed to create in a domain. (**Ldap Display Name**: ms-DS-MachineAccountQuota)                                                                 |
| **FSMO Role Owner**           | Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified. (**Ldap Display Name**: fSMORoleOwner)                                                      |
| **Netbios Name**              | The name of the object to be used over NetBIOS. (**Ldap Display Name**: nETBIOSName)                                                                                                             |
| **Domain Mode Level**         | The operating mode level of the domain. ([Field Reference](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6dd88965-8feb-4369-ae7e-075985da8071))                          |
| **RID Role Owner**            | Domain controller that holds the relative identifier (RID) master role for this domain.                                                                                                          |
| **Minimum Password Length**   | The minimum number of characters that a password must contain. (**Ldap Display Name**: minPwdLength)                                                                                             |
| **Password History Length**   | The number of old passwords to save. (**Ldap Display Name**: pwdHistoryLength)                                                                                                                   |
| **Password Properties**       | A bitfield to indicate complexity and storage restrictions. (**Ldap Display Name**: pwdProperties) ([Field Reference](https://learn.microsoft.com/en-us/windows/win32/adschema/a-pwdproperties)) |
| **Lockout Threshold**         | The number of invalid logon attempts that are permitted before the account is locked out. (**Ldap Display Name**: lockoutThreshold)                                                              |
| **Infrastructure Role Owner** | Domain controller that holds the infrastructure master role for this domain.                                                                                                                     |
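As an added example (not part of this documentation or the product's own code), the snippet below decodes the `pwdProperties` bitfield named in the table and reviews the raw domain attributes against a constructed baseline; the flag values are the `DOMAIN_PASSWORD_*` bits from the linked field reference, and the baseline numbers and sample domain are assumptions.

```python
# pwdProperties bit flags (DOMAIN_PASSWORD_* values from the pwdProperties field reference)
PWD_FLAGS = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed review baseline (assumption); adjust to your own policy
BASELINE = {"minPwdLength": 14, "pwdHistoryLength": 24, "lockoutThreshold_max": 10}


def decode_pwd_properties(value):
    """Return the set of flag names present in a pwdProperties bitfield."""
    return {name for bit, name in PWD_FLAGS.items() if value & bit}


def review_domain(attrs):
    """Compare the raw domain attributes with BASELINE and return a list of findings."""
    flags = decode_pwd_properties(attrs["pwdProperties"])
    findings = []
    if attrs["minPwdLength"] < BASELINE["minPwdLength"]:
        findings.append(f"minPwdLength {attrs['minPwdLength']} is below {BASELINE['minPwdLength']}")
    if attrs["pwdHistoryLength"] < BASELINE["pwdHistoryLength"]:
        findings.append(f"pwdHistoryLength {attrs['pwdHistoryLength']} is below {BASELINE['pwdHistoryLength']}")
    if attrs["lockoutThreshold"] == 0:
        findings.append("lockoutThreshold 0: accounts never lock out after failed logons")
    elif attrs["lockoutThreshold"] > BASELINE["lockoutThreshold_max"]:
        findings.append(f"lockoutThreshold {attrs['lockoutThreshold']} is above {BASELINE['lockoutThreshold_max']}")
    if "DOMAIN_PASSWORD_COMPLEX" not in flags:
        findings.append("password complexity is not enforced")
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in flags:
        findings.append("passwords are stored with reversible encryption")
    quota = attrs["ms-DS-MachineAccountQuota"]
    if quota > 0:
        findings.append(f"ms-DS-MachineAccountQuota {quota}: any user may create {quota} computer accounts")
    return findings


# Constructed sample domain object with Windows default-looking values (not a real domain)
SAMPLE_DOMAIN = {
    "minPwdLength": 7,
    "pwdHistoryLength": 24,
    "pwdProperties": 0x01,
    "lockoutThreshold": 0,
    "ms-DS-MachineAccountQuota": 10,
}
```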

## GPOs

The GPOs tab lists the `Group Policy` objects that are linked to the domain object, together with the `Enforcement Status` and `Link Order` of each group policy object. Click a name to open the details page of that group policy object.

<figure><img src="/files/s7qUYQ8gZzbHz1Wc00NF" alt=""><figcaption><p>GPOs</p></figcaption></figure>

## Issues

The Issues pane lists the issues identified on the domain object.

![Issues](/files/siqP5uoOaydQF3s3YOvv)

## Trusts

The Trusts pane lists the trust relationships of the domain object together with the attributes of each trust.

![Trusts](/files/PLZaA1Mmhx16grDTR8hS)

**Target Domain**: The name of the domain with which a trust exists.

**Direction**: Indicates in which direction the trust flows. ([Field Reference](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5026a939-44ba-47b2-99cf-386a9e674b04))

**Active**: Indicates whether the trust is actively used or not. The activity threshold is 40 days. (**Ldap Display Name**: whenChanged)

**Transitive**: Indicates whether the trust is transitive or not. Transitive trust refers to a trust relationship between two domains that allows authentication and authorization to be passed through multiple domains in a chain.

**Selective Authentication**: Authentication type of a trust. True if the authentication of the trust is selective; false if the authentication is domain or forest wide. Selective authentication allows control over which objects in a trusted domain can access resources in the trusting domain.

**SID Filtering**: SID filtering status of a trust. True if SID filtering is enabled; otherwise, false. SID (Security Identifier) filtering is a security mechanism used in Microsoft Active Directory to prevent security principal (user or group) impersonation with SIDHistory.

**TGT Delegation**: Indicates whether the TGT delegation across trusts is active or not. TGT delegation allows a domain controller to forward authentication requests to another domain controller without the need to re-authenticate. This is also known as cross-domain authentication or cross-forest authentication.

**Type**: Indicates the type of trust. ([Field Reference](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.trusttype?view=windowsdesktop-7.0))
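As an added example (not part of this documentation or the product's own code), the snippet below derives the Trusts pane fields above from the raw trusted-domain object attributes: `trustDirection`, the `trustAttributes` bit flags defined in MS-ADTS, and `whenChanged` against the 40-day activity threshold. The TGT delegation rule assumes the hardened default where TGTs cross a trust only when explicitly enabled; the sample trusts and the `risky_trusts` triage rule are constructed.

```python
from datetime import datetime, timedelta, timezone

# trustAttributes bit flags (MS-ADTS) behind the Trusts pane fields
NON_TRANSITIVE = 0x0001
QUARANTINED_DOMAIN = 0x0004       # SID filter quarantining on an external trust
FOREST_TRANSITIVE = 0x0008
CROSS_ORGANIZATION = 0x0010       # selective authentication
WITHIN_FOREST = 0x0020
TREAT_AS_EXTERNAL = 0x0040        # relaxes the default SID filtering of a forest trust
NO_TGT_DELEGATION = 0x0200
ENABLE_TGT_DELEGATION = 0x0800

DIRECTIONS = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "Bidirectional"}
ACTIVITY_THRESHOLD = timedelta(days=40)   # threshold used by the Active field


def decode_trust(target, trust_direction, trust_attributes, when_changed, now):
    """Map raw trusted-domain object attributes to the fields shown in the Trusts pane."""
    a = trust_attributes
    if a & WITHIN_FOREST:
        sid_filtering = False                         # never filtered inside one forest
    elif a & FOREST_TRANSITIVE:
        sid_filtering = not (a & TREAT_AS_EXTERNAL)   # on by default for forest trusts
    else:
        sid_filtering = bool(a & QUARANTINED_DOMAIN)  # external trusts need the quarantine bit
    return {
        "target": target,
        "direction": DIRECTIONS.get(trust_direction, "Unknown"),
        "active": (now - when_changed) <= ACTIVITY_THRESHOLD,
        "transitive": not (a & NON_TRANSITIVE),
        "selective_authentication": bool(a & CROSS_ORGANIZATION),
        "sid_filtering": sid_filtering,
        # Assumption: hardened default, TGTs are forwarded only when explicitly enabled
        "tgt_delegation": bool(a & ENABLE_TGT_DELEGATION) and not (a & NO_TGT_DELEGATION),
    }


def risky_trusts(trusts):
    """Constructed triage rule: active trusts that lack SID filtering or forward TGTs."""
    return [t["target"] for t in trusts
            if t["active"] and (not t["sid_filtering"] or t["tgt_delegation"])]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed sample trust objects, not real domains
SAMPLE_TRUSTS = [
    decode_trust("partner.example", 3, FOREST_TRANSITIVE, NOW - timedelta(days=12), NOW),
    decode_trust("legacy.example", 1, NON_TRANSITIVE | QUARANTINED_DOMAIN, NOW - timedelta(days=90), NOW),
    decode_trust("vendor.example", 3, FOREST_TRANSITIVE | TREAT_AS_EXTERNAL | CROSS_ORGANIZATION
                 | ENABLE_TGT_DELEGATION, NOW - timedelta(days=3), NOW),
]
```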

