
What is a domain controller, and why is it necessary? 

What is a domain controller?

A domain controller (DC) is a special server that provides critical services like authentication and authorization for an Active Directory domain. More specifically, a domain controller is a computer that runs the Windows Server operating system and that has Active Directory Domain Services (AD DS) installed on it. Desktops, laptops and other machines running a regular version of Windows cannot be DCs.

Every AD domain must have at least one domain controller. Each DC stores a copy of the directory file, and any changes it makes to that file are replicated to all the other DCs in the domain. All domain controllers provide core services like authentication and authorization, and some DCs are assigned special roles that enable them to perform additional functions.


What is an Active Directory domain?

Active Directory is a database (directory) and a set of services that help users get their work done in a Microsoft IT environment. The directory contains critical information about your environment, including which users and computers exist and who is allowed to do what. The services control much of the activity in your IT environment, including making sure each person is who they claim to be (authentication) and allowing them to access only the data they are permitted to use (authorization). An Active Directory domain is a group of related users, computers and other AD objects that are stored in a single database and managed together. For example, you might have one domain for your organization's Chicago office and a separate domain for your San Francisco office. Multiple domains can be grouped into a forest, which shares one schema and one configuration and is the real security boundary in Active Directory. A large organization might even have multiple forests, especially if it has several distinct business units.

What does a domain controller do?

Each DC in a domain stores a copy of the directory and provides AD services like authentication and authorization. The directory file, Ntds.dit, contains details about the users, computers, security groups and other objects in that domain. It also holds the Active Directory schema, a forest-wide partition that defines all the object classes and attributes that can be stored in the directory. Changes made to the copy of the directory on one DC, such as a user changing their password or an account being locked out after too many incorrect passwords, are replicated to the other DCs in the domain so they all stay up to date. Active Directory uses multi-master replication: apart from the handful of operations reserved for the special roles described below, any writable DC can accept a change. Note that domain controllers do not authenticate and authorize only user accounts; they provide these services for computers, services and applications as well.
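As an added example (not code from the original article), the following PowerShell inventories the DCs in the current domain and checks that the replication described above is actually healthy. It assumes the ActiveDirectory RSAT module and a session running with domain read rights; the repadmin call at the end needs to run on a DC or on a machine with the AD DS tools installed.

```powershell
# Added example: list the DCs that hold a copy of Ntds.dit for this domain
# and report replication health. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# One row per DC: where it sits and whether it is writable.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# For each DC, show its inbound replication partners per partition and the
# last successful sync. ConsecutiveReplicationFailures climbing above 0 means
# this DC's copy of the directory is drifting away from its partners.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$status = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}
$status | Format-Table -AutoSize

# Anything that failed recently deserves attention now, before it turns
# into lingering objects or a DC that has exceeded the tombstone lifetime.
$status | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationResult -ne 0 }

# repadmin is present on every DC and gives the same picture from cmd.exe;
# /replsummary is the quickest overall health check, /showrepl the detail.
repadmin /replsummary
```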

What is the difference between a server and a domain controller?

A server is a computer or application that provides services to other devices or applications (its clients). An Active Directory domain controller is a particular type of server — one that runs the Windows Server operating system and has AD DS installed on it. Its key functions include providing authentication and authorization services to workstations, mobile devices and applications that need to access IT resources in the AD domain. However, there are many other types of servers, such as the following:

  • File server — Stores and manages data files that other computers can access
  • Application server — Runs software applications for client computers
  • Email server — Delivers email messages between mail clients
  • Print server —  Connects printers and client computers
  • DNS server — Translates host names (such as www.company.com) into IP addresses. Active Directory depends on DNS to locate domain controllers and the services they offer, so DCs very often run the DNS Server role as well.

What are the different types of domain controller?

An Active Directory domain controller can be assigned one or more specialized roles, such as the Global Catalog Server role and the FSMO roles. A domain controller can also be deployed as a read-only domain controller (RODC), which holds a read-only copy of the directory and by default caches no account passwords; it is intended for branch offices and other locations where a DC cannot be physically secured.

Global Catalog Server role

To enable efficient searches, Active Directory creates and maintains a global catalog that is hosted on domain controllers with the Global Catalog Server role. That way, when clients need to search Active Directory, they are not referred from one DC to another, looking for one that stores the requested object. Instead, these searches are simply directed to global catalog servers by default.

Specifically, like all DCs, each global catalog server stores complete, writable information about the objects in its own domain. However, it also stores partial, read-only data about objects in every other domain in the forest. The attributes included are those most likely to be used to search for objects, as defined in the schema by the partial attribute set (PAS). The first DC in a forest is automatically assigned the Global Catalog Server role. Other DCs can be assigned the role as needed.

FSMO roles (also known as Operation Master roles)

There are also five FSMO (flexible single master operation) roles that must be assigned to Active Directory domain controllers: Schema Master, Domain Naming Master, Relative Identifier (RID) Master, Primary Domain Controller (PDC) Emulator and Infrastructure Master. The first two exist once per forest; the other three exist once in each domain. Active Directory is otherwise multi-master, so these roles exist for the few operations, such as changing the schema, adding a domain or handing out RID pools, where two DCs acting independently could create conflicting entries in the directory. For more information, see the FSMO roles page.
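The following PowerShell, added here as an example and not taken from the original article, shows where the Global Catalog and FSMO roles live in a forest, what the global catalog actually carries, and how a forest-wide query differs from a domain query. It assumes the ActiveDirectory RSAT module; the DC host name used for the GC query and the DC02 name in the commented-out role moves are assumptions.

```powershell
# Added example: locate GC servers and FSMO role holders, inspect the partial
# attribute set, and query the GC port. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Global catalog servers across the whole forest.
$forest.GlobalCatalogs

# Forest-wide roles: exactly one holder in the forest.
$forest | Select-Object SchemaMaster, DomainNamingMaster

# Domain-wide roles: one holder in each domain.
$domain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster

# The partial attribute set: the attributes every GC carries for every
# object in the forest. It is marked on the attributeSchema objects.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$pas = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
"$($pas.Count) attributes in the PAS, e.g. $($pas[0..4] -join ', ')"

# A forest-wide lookup goes to the GC port (3268, or 3269 for TLS), not the
# domain port 389. Only PAS attributes come back for objects from other
# domains; ask for anything else and it is simply absent. The host is an
# assumption; any GC in the forest will do.
$gc = 'dc01.corp.example.com:3268'
Get-ADUser -Filter { mail -like '*@corp.example.com' } -Server $gc -Properties mail |
    Select-Object Name, mail, DistinguishedName

# Moving a role. Transfer while the current holder is online; seize with
# -Force only when the holder is permanently gone, and never bring the old
# holder back online afterwards. Both lines are deliberately commented out.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator -Force
```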

Do domain controllers use LDAP?

Yes. DCs support LDAP (Lightweight Directory Access Protocol), the standard protocol for querying and modifying a directory service over TCP/IP. It gives applications a common language for talking to directory servers such as AD domain controllers. A DC listens for LDAP on TCP port 389 and for LDAP over TLS (LDAPS) on 636; a global catalog server additionally answers forest-wide queries on 3268 and 3269. Keep in mind that LDAP on port 389 is not protected unless the client negotiates signing and sealing (for example through a Kerberos bind) or switches to TLS, so a simple bind on 389 can put a password on the wire in clear text. Microsoft recommends enforcing LDAP signing and LDAP channel binding on domain controllers.

However, LDAP is an open, cross-platform protocol, and Active Directory is by no means the only directory service that supports it. Others include Apache Directory Server, OpenDJ, OpenLDAP, Oracle Internet Directory and Red Hat Directory Server.
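As an added example that is not part of the original article, the following PowerShell speaks LDAP to a DC directly through the .NET System.DirectoryServices.Protocols library, the same API many Windows LDAP tools are built on, rather than through the ActiveDirectory cmdlets. The DC host name is an assumption; it must be run on a domain-joined Windows machine, and the DC has to present a certificate the client trusts for the LDAPS bind.

```powershell
# Added example: talk LDAP to a DC with System.DirectoryServices.Protocols.
# The DC host name is an assumption.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dcHost = 'dc01.corp.example.com'   # assumed DC name

# 1. RootDSE can be read without binding and tells a client what it is
#    talking to: naming contexts, GC status, supported SASL mechanisms.
$rootDse   = [ADSI]"LDAP://$dcHost/RootDSE"
$defaultNc = [string]$rootDse.defaultNamingContext
"Default NC      : $defaultNc"
"GC ready        : $([string]$rootDse.isGlobalCatalogReady)"
"SASL mechanisms : $($rootDse.supportedSASLMechanisms -join ', ')"

# 2. Bind over LDAPS (636) with the caller's Kerberos/NTLM credentials.
#    A simple bind over plain 389 would send the password in clear text;
#    if 389 must be used, require LDAP signing on the DCs instead.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# 3. A search: enabled users whose password never expires. The bitwise-AND
#    matching rule (1.2.840.113556.1.4.803) tests userAccountControl flags:
#    0x10000 = DONT_EXPIRE_PASSWD, 0x2 = ACCOUNTDISABLE.
$filter  = '(&(objectCategory=person)(objectClass=user)' +
           '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
           '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $defaultNc, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('sAMAccountName', 'pwdLastSet'))
# Result sets larger than the DC's MaxPageSize (1000 by default) need a
# PageResultRequestControl added to the request; omitted here for brevity.
$response = $conn.SendRequest($request)

foreach ($entry in $response.Entries) {
    $sam = $entry.Attributes['sAMAccountName'][0]
    # pwdLastSet is a Windows FILETIME returned as a decimal string.
    $set = [DateTime]::FromFileTimeUtc([int64]$entry.Attributes['pwdLastSet'][0])
    '{0,-20} password last set {1:yyyy-MM-dd}' -f $sam, $set
}
$conn.Dispose()
```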

Do we still need domain controllers?

Organizations around the world are continuing to adopt cloud technologies at a rapid pace. Indeed, shifting core communications and collaboration functions to applications like Microsoft Teams, SharePoint Online and OneDrive for Business is vital for supporting the modern workforce and enabling users to work from anywhere, at any time.

However, most organizations still maintain an on-premises Active Directory environment. There are many good reasons for doing so, from ongoing reliance on legacy applications that have no cloud equivalent to regulatory requirements for strict control over sensitive data.

As a result, many organizations have adopted a hybrid Active Directory approach, in which the identity data stored in their on-premises AD is synced to the cloud by a free Microsoft application called Azure AD Connect (now Microsoft Entra Connect). This synchronization enables seamless single sign-on for users as they use both on-prem IT resources and cloud workloads like Microsoft 365.

While a hybrid environment does have some cloud-only identities and attributes, the on-premises Active Directory remains the primary identity store — so the DCs that run Active Directory remain an essential part of the IT infrastructure.

How many domain controllers does an organization need?

An organization must have at least one domain controller in each Active Directory domain. However, organizations almost always choose to have multiple DCs in each domain. Even if a single DC can handle the normal load, having at least two provides quick scalability.

Even more important, having at least two DCs in each domain provides redundancy: If one DC fails, the other one can step in, ensuring that there is no interruption in core Active Directory services like authentication and authorization. (If the failed DC holds one of the FSMO roles, the operations that depend on that role, such as schema changes or the allocation of new RID pools, will not be possible until the role is transferred to another DC or, if the holder is permanently lost, seized by one. A DC whose role has been seized must never be brought back online; rebuild it from scratch instead.)

If your network is divided into sites, consider having at least one DC in each site for better performance. A user’s client must contact a domain controller as part of the logon process, and if the DC is located in a different site, the process can take a long time.

In addition, consider giving the DC at each site the Global Catalog Server role, so it can fulfill queries about objects anywhere in the forest. However, keep in mind that assigning this role to a large number of DCs can increase replication traffic in your network.

Do I need to worry about domain controller security?

Absolutely! Because of the vital data they store and the key services they provide, DCs are a top target for cyberattacks. Accordingly, it’s essential to do everything you can to secure domain controllers. In particular, be sure to:

  • Strictly limit the accounts that have local administrative rights on each DC.
  • Minimize the accounts that can log on interactively to DCs. Remember that, in addition to Administrators, built-in groups like Server Operators, Account Operators, Backup Operators and Print Operators grant this right by default.
  • Install only applications and services that are essential for the DC’s functionality and security.
  • Minimize network access to all your DCs and never permit a DC to access the internet.
  • Audit activity on all DCs and make sure you get alerted to any suspicious behavior.
  • Back up your DCs, lest you end up like one company that had to painstakingly shuttle its last living DC from another continent to serve as a backup for restoring its other DCs, which were all corrupted in a cyberattack.
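As an added example (not code from the original article), the following PowerShell audits the first, second and fifth points above: who holds DC-level privileges, whether any of those accounts are disabled or idle, which GPOs govern logon rights on the Domain Controllers OU, and whether the DC is auditing logons and directory changes. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a session with read access to the domain; the auditpol calls at the end must be run on a DC.

```powershell
# Added example: audit who can administer or log on to the DCs and whether
# the DCs are auditing. Assumes the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Groups that confer admin rights or interactive logon on DCs by default.
# The four "Operators" groups are easy to forget, and each has well-known
# paths to full control of the domain.
$dcPrivileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                'Schema Admins', 'Server Operators', 'Backup Operators',
                'Account Operators', 'Print Operators'

$report = foreach ($g in $dcPrivileged) {
    # -Recursive expands nested groups, which is where surprise members hide.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $g
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}
$report | Sort-Object Group, User | Format-Table -AutoSize

# Disabled, never-used or long-idle accounts that still hold DC privileges.
$report |
    Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table Group, User, Enabled, LastLogonDate -AutoSize

# Interactive logon to DCs is controlled by the user-rights assignments in
# the GPOs linked to the Domain Controllers OU (by default only the Default
# Domain Controllers Policy). Anything else linked here needs a reason.
$dcOu = 'OU=Domain Controllers,' + (Get-ADDomain).DistinguishedName
(Get-GPInheritance -Target $dcOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize

# Auditing: confirm the DC records logons and directory changes. Run on a DC.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"DS Access"
```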

What are the benefits of domain controllers?

As we have seen, every Active Directory domain must have at least one DC. In addition to providing vital authentication and authorization services and serving in the roles described above, DCs can provide additional value.

In particular, since DCs run Active Directory, they host a critical component of AD: Group Policy. The core purpose of Group Policy is to enable IT administrators to centrally manage users and computers across an AD domain. Using Group Policy objects (GPOs), admins can establish password policies, prevent the use of removable media drives, deploy software to machines, block users from installing new software on their systems, and enforce literally hundreds of other controls that are vital for security, compliance, productivity and business continuity.
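The following PowerShell, added as an example and not taken from the original article, walks through one of the controls mentioned above end to end: it creates a GPO that denies all removable storage, links it to an OU, reads the setting back, and then checks the password policy currently in force. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the GPO name and the target OU are assumptions.

```powershell
# Added example: build, link and verify a GPO with the GroupPolicy module.
# The GPO name and the target OU are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Workstations - Block removable storage'     # assumed name
$target  = 'OU=Workstations,DC=corp,DC=example,DC=com'  # assumed OU

# Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Deny all removable storage classes'
}

# Computer Configuration > Policies > Administrative Templates > System >
# Removable Storage Access > "All Removable Storage classes: Deny all access"
# is backed by this registry policy value.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Link it to the OU (unless already linked), enforced so that
# block-inheritance on a child OU cannot switch it off.
$links = (Get-GPInheritance -Target $target).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Verify: read the setting back and list the OU's links in processing order.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ValueName 'Deny_All'
(Get-GPInheritance -Target $target).GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
# On a client: gpupdate /force, then gpresult /r to confirm the GPO applied.

# Domain password policy lives in the Default Domain Policy; check what is
# actually in force rather than what you believe was configured.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
```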

Organizations can — and often do — install other software tools on their DCs. One common example is Azure AD Connect, which is used to synchronize AD objects like user accounts from the on-premises AD environment to Azure AD. However, best practices recommend not installing any unnecessary software on domain controllers to avoid security and compliance issues; competition for computing, memory, networking and disk resources; and DC downtime if the other software tools require a reboot because they encounter serious errors or need to be upgraded.

What are the limitations of domain controllers?

DCs are a vital component of every Active Directory environment. Like any server, they require regular maintenance and software patches and upgrades, and their hardware will periodically need to be serviced or replaced.

Because DCs provide vital authentication and authorization services for the domain, they are a top target for cyberattacks and vulnerable to mistakes by poorly trained or hurried admins. And if your DCs are down, your business is down as well. The costs can be staggering: 40% of enterprises say that a single hour of downtime costs $1 million to over $5 million. In a worst-case scenario, losses can reach millions of dollars per minute. To minimize your risk, it’s essential to secure your DCs as detailed earlier.

In addition, to maximize your cyber resilience, it’s critical to have a comprehensive Active Directory disaster recovery strategy that includes a variety of options for backing up and restoring DCs, and that can effectively coordinate the configuration effort across those DCs to ensure that Active Directory functions properly after the recovery. It’s also wise to choose a solution with automated malware detection that minimizes the risk of reintroducing infected files to recovered DCs.

Where can I get help with securing my DCs and the rest of my IT ecosystem?

Cybersecurity and cyber resilience demand defense in depth. Quest offers cybersecurity risk management solutions for the hybrid Active Directory that cover all the elements of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
