Domain Controllers Overview

Authentication is an essential function for a computer network, helping ensure that only authorized users have access to the system. As a managed services provider (MSP), authentication is a key element of helping ensure your customers’ data is secure and only accessible to the correct users.

For this reason, MSPs should invest time in understanding domain controllers, which play an important role in modern authentication. What are domain controllers? In this article, we’ll explain their function and examine the various types of domain controllers, including Active Directory.

What is the difference between a domain and a domain controller?

Every computer workstation has its own user accounts, called local accounts, that are used to log in to that particular machine. However, these accounts are not designed to log in to a network for two reasons. First, network accounts need to be portable—a user should be able to access the network from any workstation. Second, account configuration needs to be controlled from a central location. Otherwise, whenever account privileges change, system administrators would need to separately configure accounts on each local device.

This is where a domain comes in. A network domain centralizes user accounts so they can be more easily administered and enables users to log in to the network from any given machine. Within a domain, a domain controller is used to regulate user account access to the network.

What is the main function of a domain controller?

Domain controllers are part of the Microsoft network environment. A Windows domain controller handles user authentication requests. When a user seeks to access the network, the domain controller responds to that request. The domain controller verifies that the user should be let in, runs the login process, and regulates permissions (controlling which parts of the network the user can see). This is a critical security function. Domain controllers ensure that only authorized users are permitted to access the network, helping to keep out hacker threats.

Validation is usually performed with a username and password combination, though biometric techniques and multifactor authentication (MFA) can be incorporated for greater security. Once a user is validated, the domain controller determines whether they are a normal user or a system administrator with extra privileges.

Domain controllers were first introduced in Windows NT. They remain a key tool in contemporary networking, though these days they are sometimes being supplanted as organizations move to cloud networks.

What is the difference between a domain controller and Active Directory?

Active Directory is Microsoft’s directory service for Windows domain networks. When it was introduced in Windows 2000 Server, Active Directory was solely used to handle centralized domain management. However, with the advent of Windows Server 2008, Active Directory was transformed into a suite of directory services, of which the domain controller is just one. Other Active Directory functions include Lightweight Directory Services, Certificate Services (for public-key encryption infrastructure), Federation Services (for single sign-on), and Rights Management Services (for information rights management, which controls access to particular data).

In this schema, the server running Active Directory is known as the domain controller. An instance of Active Directory includes both a database and executable code (called the Directory System Agent) for running the database and servicing user requests. The database is structured using objects, which are organized into three levels—forests, trees, and domains.

Active Directory domain controllers use trusts to grant users in one domain access to others. Trusts exist in the database’s forest, which is automatically created whenever a domain is created. The types of trust include a one-way trust (in which users of one domain have access to another domain, but not vice versa), a two-way trust (where two domains are permitted access to each other), a transitive trust (which can extend beyond two domains), an explicit trust (created by a system administrator), a forest trust (which applies to an entire forest), and an external trust (enabling connection to non-Active Directory domains).

An Active Directory domain controller enables sysadmins to set policies to help ensure adequate password complexity. For security, an Active Directory password cannot contain the username or the user’s full name. Moreover, Microsoft allows you to require that a password include characters from certain categories such as uppercase letters, lowercase letters, numbers, symbols (e.g., !@#$%), and Unicode.

Active Directory also lets you set a minimum password length—the longer a password is, the harder it is to crack using brute-force techniques. By default, Windows 10 Active Directory requires a password to have characters from at least three of the previously mentioned categories and to be no less than eight characters long. These specifications yield 218,340,105,584,896 different total possibilities that hackers would need to try with brute-force methods. The more sensitive the information you’re trying to protect, the more robust your password requirements should be.

How many domain controllers do you need?

In their original Windows implementation, domain controllers were divided into two categories: primary domain controller and backup domain controller (DC). A primary DC is the first-line domain controller that handles user-authentication requests. Only one primary DC can be designated. According to security and reliability best practices, the server housing the primary DC should be solely dedicated to domain services. Because of its central importance to the network, the primary DC server must not run file, application, or print services, which could slow it down or risk crashing it.

A backup domain controller exists as a fail-safe in case the primary domain controller goes down. There can be multiple backup domain controllers for redundancy. Having a dedicated backup DC is a wise precaution. If the primary DC fails and there’s no backup, users will not be able to gain access to the network. When a user attempts to log in, the software contacts the primary DC. If the primary DC is unavailable, it then contacts the backup DC. The backup can be promoted to the primary role in the event that the primary is permanently out of service. Note that domain updates (such as additional users, new passwords, or changes to user groups) can only be made to the primary DC. They are then propagated into the backup DC databases. This is a form of the master-slave replication structure, with the primary DC being the master and secondary DCs being the slaves.

Nowadays, however, the primary and backup domain controller architecture has been deprecated. When Active Directory was introduced in Windows 2000, it was designed with a multimaster replication structure. This means that user account privileges are stored redundantly among a group of domain controllers, and each member of the group can update all the others. When a new user is added to one domain controller, for example, multimaster replication pushes the change out to the other controllers. In contrast to the master-slave architecture, multimaster replication yields greater reliability (the failure of a single master is not catastrophic), increased flexibility, and faster performance.

In sum, whether in its original primary/backup implementation or in today’s Active Directory framework, the domain controller remains a critical part of a contemporary network. The higher the number of domain controllers you have, the easier it is to ensure uptime for users seeking access to the network.

For more information on domain controllers and Active Directory, read through our related blog articles.