What is the difference between a domain controller and Active Directory?
Active Directory is Microsoft’s directory service for Windows domain networks. When it was introduced in Windows 2000 Server, Active Directory was solely used to handle centralized domain management. However, with the advent of Windows Server 2008, Active Directory was transformed into a suite of directory services, of which the domain controller is just one. Other Active Directory functions include Lightweight Directory Services, Certificate Services (for public-key encryption infrastructure), Federation Services (for single sign-on), and Rights Management Services (for information rights management, which controls access to particular data).
In this schema, the server running Active Directory is known as the domain controller. An instance of Active Directory includes both a database and executable code (called the Directory System Agent) for running the database and servicing user requests. The database is structured using objects, which are organized into three levels—forests, trees, and domains.
Active Directory domain controllers use trusts to grant users in one domain access to others. Trusts exist in the database’s forest, which is automatically created whenever a domain is created. The types of trust include a one-way trust (in which users of one domain have access to another domain, but not vice versa), a two-way trust (where two domains are permitted access to each other), a transitive trust (which can extend beyond two domains), an explicit trust (created by a system administrator), a forest trust (which applies to an entire forest), and an external trust (enabling connection to non-Active Directory domains).
An Active Directory domain controller enables sysadmins to set policies to help ensure adequate password complexity. For security, an Active Directory password cannot contain the username or the user’s full name. Moreover, Microsoft allows you to require that a password include characters from certain categories such as uppercase letters, lowercase letters, numbers, symbols (e.g., !@#$%), and Unicode.
Active Directory also lets you set a minimum password length—the longer a password is, the harder it is to crack using brute-force techniques. By default, Windows 10 Active Directory requires a password to have characters from at least three of the previously mentioned categories and to be no less than eight characters long. These specifications yield 218,340,105,584,896 different total possibilities that hackers would need to try with brute-force methods. The more sensitive the information you’re trying to protect, the more robust your password requirements should be.
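As an added example (not code from the article), the following Python approximates the complexity rules just described and the keyspace arithmetic behind the figure quoted above. The policy constants are assumptions chosen to match the article; the token rule for the full name and the skip for short account names follow Microsoft's documented behaviour for the "password must meet complexity requirements" setting.

```python
import re

# Policy values the article describes; treat them as assumptions for this example.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
# Delimiters Microsoft documents for splitting the full name into tokens.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

def categories(password: str) -> set:
    """Return which of the five complexity categories the password draws from."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("unicode")   # alphabetic but caseless, e.g. CJK characters
        else:
            cats.add("symbol")    # non-alphanumeric, e.g. !@#$%
    return cats

def check_password(password: str, sam_account_name: str, full_name: str) -> list:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Microsoft skips the account-name check when the name is under three characters.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        problems.append("contains the account name")
    # Full-name tokens of three or more characters must not appear either.
    for token in _NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in low:
            problems.append(f"contains part of the full name ({token})")
    if len(categories(password)) < REQUIRED_CATEGORIES:
        problems.append(f"uses fewer than {REQUIRED_CATEGORIES} character categories")
    return problems

def search_space(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive guess must cover for a fixed length and alphabet."""
    return alphabet_size ** length
```

For reference, search_space(62, 8), i.e. letters and digits at exactly eight characters, reproduces the 218,340,105,584,896 figure quoted above.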
How many domain controllers do you need?
In their original Windows implementation, domain controllers (DCs) were divided into two categories: the primary domain controller and the backup domain controller. A primary DC is the first-line domain controller that handles user-authentication requests. Only one primary DC can be designated. According to security and reliability best practices, the server housing the primary DC should be solely dedicated to domain services. Because of its central importance to the network, the primary DC server must not run file, application, or print services, which could slow it down or risk crashing it.
A backup domain controller exists as a fail-safe in case the primary domain controller goes down. There can be multiple backup domain controllers for redundancy. Having a dedicated backup DC is a wise precaution. If the primary DC fails and there’s no backup, users will not be able to gain access to the network. When a user attempts to log in, the client software contacts the primary DC. If the primary DC is unavailable, it then contacts the backup DC. The backup can be promoted to the primary role in the event that the primary is permanently out of service. Note that domain updates (such as additional users, new passwords, or changes to user groups) can only be made to the primary DC. They are then propagated into the backup DC databases. This is a form of the master-slave replication structure, with the primary DC being the master and the backup DCs being the slaves.
Nowadays, however, the primary and backup domain controller architecture has been deprecated. When Active Directory was introduced in Windows 2000, it was designed with a multimaster replication structure. This means that user account privileges are stored redundantly among a group of domain controllers, and each member of the group can update all the others. When a new user is added to one domain controller, for example, multimaster replication pushes the change out to the other controllers. In contrast to the master-slave architecture, multimaster replication yields greater reliability (the failure of a single master is not catastrophic), increased flexibility, and faster performance.
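The contrast between the two replication models above, as an added example that is not code from the article: a Python simulation in which an NT-style backup DC refuses originating writes, while two Active Directory-style DCs both accept writes and converge by comparing per-attribute stamps. The stamp order (higher version wins, then the later originating write) mirrors Active Directory's conflict resolution, minus its final tiebreaker on the originating DSA; the user and attribute values are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class DomainController:
    name: str
    writable: bool = True                     # False models an NT-style backup DC
    # (user, attribute) -> (stamp, value); stamp = (version, originating_time):
    # a higher version wins, and on a tie the later originating write wins.
    data: dict = field(default_factory=dict)

    def write(self, user, attribute, value, time):
        """Originating write: only a writable DC may accept it."""
        if not self.writable:
            raise PermissionError(f"{self.name} is read-only; update the primary DC")
        old = self.data.get((user, attribute))
        version = old[0][0] + 1 if old else 1
        self.data[(user, attribute)] = ((version, time), value)

    def replicate_from(self, peer):
        """Pull the peer's attributes, keeping whichever stamp wins per attribute."""
        for key, (stamp, value) in peer.data.items():
            mine = self.data.get(key)
            if mine is None or stamp > mine[0]:
                self.data[key] = (stamp, value)

    def get(self, user, attribute):
        entry = self.data.get((user, attribute))
        return entry[1] if entry else None

def single_master_demo():
    """NT-style pair: the backup only ever receives replicated data."""
    pdc, bdc = DomainController("PDC"), DomainController("BDC", writable=False)
    pdc.write("alice", "title", "Engineer", time=1)
    try:
        bdc.write("alice", "title", "Manager", time=2)
    except PermissionError:
        pass                                  # the change has to go to the PDC
    bdc.replicate_from(pdc)
    return bdc.get("alice", "title")          # "Engineer"

def multimaster_demo():
    """Two writable DCs take conflicting writes, then converge on the same value."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("alice", "title", "Engineer", time=5)  # version 1 at t=5
    dc2.write("alice", "title", "Manager", time=7)   # version 1 at t=7 wins the tie
    dc1.write("bob", "title", "Analyst", time=6)     # only DC1 knows bob so far
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return (dc1.get("alice", "title"), dc2.get("alice", "title"), dc2.get("bob", "title"))
```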
In sum, whether in its original primary/backup implementation or in today’s Active Directory framework, the domain controller remains a critical part of a contemporary network. The higher the number of domain controllers you have, the easier it is to ensure uptime for users seeking access to the network.