# Child to parent domain ## How it works Once you gain Domain Admin privileges within the child domain its possible to get Enterprise Admin in the parent domain by generating a golden ticket in the child domain with the SID of the Enterprise Admin group. The attack can be performed in two ways, abusing the trust key or the krbtgt hash. {% content-ref url="/pages/zEbDTprdT83SwTtoQgxw" %} [Krbtgt hash](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3.md) {% endcontent-ref %} {% content-ref url="/pages/WQil1xzFpxFkRVg2k1di" %} [Trust key](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3-1.md) {% endcontent-ref %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.