If you are getting into enterprise networking, or if you want to learn more and are setting up a lab environment at home, you might have heard the phrase domain controller before. It is a fundamental part of enterprise networks, and if you are even thinking about working with networking, it is essential to know what a domain controller is.
Put simply, a domain controller is a server that makes sure all other servers and clients can talk to each other. In this article, you'll learn more about domain controllers, Active Directory and some common roles that a domain controller can have. Come along for the ride!
During the research for this article, I often came across the question: “What is a domain controller in Active Directory?”. It’s a fun question because it should really be “What is Active Directory on a domain controller?”. The reason is that the domain controller is the server on which Active Directory is installed. So, without a domain controller (DC for short), there is no Active Directory (AD for short).
A domain controller is a role that you can assign to a Windows Server. You do this when you install the service AD DS, which stands for Active Directory Domain Services. Depending on the version of Windows Server, you can choose whether a domain controller is primary or not; more on that later.
Since Active Directory is mentioned a lot, and I will keep mentioning it, it’s time to explain what it is. Essentially, it’s the central database that stores everything about a company. I don’t mean that it stores files and images; it stores the users, clients, and servers.
Let’s put this in a story for easier understanding. Take Sara. She starts a new job at Company A. If Sara is ever going to be able to log in to the computers, she needs to have an active account in Active Directory. This is because when Sara tries to log in to a computer, the computer checks with Active Directory to see whether Sara exists as a user and whether she is permitted to log in to that computer.
Once Sara has logged in, she needs to print out some documents. Because she is part of Active Directory, as is the computer she is on, she can easily reach the shared network drive where the document is. And because Active Directory has also pushed out some default settings for her, she already has the office printer installed and set as her default printer, making it easier for Sara to print the document.
Active Directory holds all the users, computers and servers. But it’s important to note that what holds everything together is a domain, not Active Directory. AD should be seen as a database that holds information, while the domain is what makes everything talk to each other.
I know that when this was first explained to me, I had a hard time separating a domain controller, Active Directory and a domain. Isn’t it all the same thing with different names? After reading the above, you might be thinking the same thing I once did.
As I briefly mentioned above, the domain is what keeps everything together. Sara has a domain account; her computer is part of the domain, and the shared network drive is on a server that is part of the domain. You can think of the domain as a house: everything is under the same roof and can talk to each other.
A domain is something a company uses if it runs Windows Servers, which most companies do. To be part of a domain, there needs to be an account in Active Directory.
Active Directory, AD, is a database that holds all the users in the company. It also holds the company's clients (computers) and servers. All of these have an account in Active Directory, and that account decides what permissions the user or computer has. There are also things like group policies, security settings and connections to other services.
Something that many IT admins like to use is AD groups. A group can be granted permission on a file share or basically any other resource. A user who needs permission to that resource, be it a file, an application, a website, or a server, is made a member of the group. Since the group already has the permission, the user gets access as soon as they are placed in the group.
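As an added example (not from the original article), the PowerShell below shows the group pattern described above: the folder's ACL grants access to a group only, and the user gains or loses access purely through group membership. It assumes the ActiveDirectory RSAT module; the group name, user name and folder path are hypothetical.

```powershell
# Added example: grant a folder to an AD group, then manage access via membership.
# Assumes the ActiveDirectory module; all names below are hypothetical.
Import-Module ActiveDirectory

$groupName = 'FS-Finance-RW'        # hypothetical security group
$user      = 'sara'                 # hypothetical sAMAccountName
$folder    = 'D:\Shares\Finance'    # hypothetical folder backing the share
$domain    = (Get-ADDomain).NetBIOSName

# Create the group if it does not exist yet, so the script can be re-run safely
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# Grant Modify to the group on the folder (inherited by files and subfolders).
# The user never appears in the ACL; only the group does.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$groupName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Membership is what grants access; Remove-ADGroupMember would revoke it
Add-ADGroupMember -Identity $groupName -Members $user

# Verify: the ACL contains the group entry and the user is a member of that group
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
Get-ADGroupMember -Identity $groupName | Select-Object SamAccountName
```

Running this requires rights to create groups in AD and to change the folder's ACL; the verification lines at the end can be run by anyone with read access.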
Active Directory can also be used to connect to other services. You might have heard of Single Sign-On (SSO), or seen it on the log-in screens of many services that you use. With this option, the service you are logging into contacts Active Directory to check that you exist and are permitted to log in to that service. This is good for both the user and IT. The user doesn’t have to remember a new password, since it's the same password they always use. IT can manage access with groups, and when the user leaves, permissions for the service are removed automatically so the user no longer has access.
I believe we already covered the domain controller at the beginning, so I'll keep this bit shorter. A domain controller is the server that Active Directory runs on. The service is called Active Directory Domain Services and can be installed on a machine running Windows Server.
To summarize everything, you can think of it like this:
A best practice for all companies that use Active Directory is to have at least two domain controllers. This is for redundancy, so that if one goes down, the company can keep working while IT freaks out. Preferably, the domain controllers should be in different physical locations.
Another benefit of having multiple DCs is that you can place them in different locations. Say the company has an office in Country A and another in Country B. Instead of having users in Country B connect to a DC in Country A, the authentication process can be sped up by having a DC in the Country B office. So, having a DC in each country can be a good idea.
Over to primary domain controllers. A Primary Domain Controller was a DC that was number one, so to speak. There was always one primary DC, and the other one(s) were backup DCs. In 2008, Microsoft changed this, so if you have a domain controller from 2008 or later, the concept of primary and backup domain controllers has disappeared.
All domain controllers are now treated equally. Active Directory is synced to all of these machines, and any one of them can be used for anything since they all work the same way. However, you might keep hearing about PDC (Primary Domain Controller) and BDC (Backup Domain Controller), because many IT people are used to those terms.
A domain controller can also be read-only, called an RODC (there are a lot of abbreviations in networking). An RODC is a domain controller that can’t write to Active Directory. It is still synced from the other domain controllers to get the latest information, but it can’t make updates itself. This is useful, for example, if you need an application that only reads from Active Directory.
If the application goes bad, or someone finds a weakness in the application, they only reach a domain controller that can be read from. It’s bad, but they can’t make it worse by writing bad information into the database, which is good (of course).
An RODC can also be used in other offices where only authentication is needed. When a user logs in to a computer, the computer doesn’t need to write anything to the domain controller; it just checks that the user is allowed to log in, which is a read operation.
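As an added example (not from the original article), the PowerShell below lists the domain controllers in the current domain, marks which ones are read-only, and checks which DC the current session authenticated against. It also applies the redundancy guidance from the article: at least two writable DCs, ideally in different sites. It assumes the ActiveDirectory RSAT module and a domain-joined session; the function names are my own.

```powershell
# Added example: inventory domain controllers, flag RODCs, and check the logon DC.
# Assumes the ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-DcInventory {
    # One row per DC; IsReadOnly is $true for an RODC, Site is the AD site it serves
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IPv4Address, IsReadOnly, IsGlobalCatalog, OperatingSystem |
        Sort-Object Site, Name
}

function Test-LogonServerReadOnly {
    # LOGONSERVER is set by Windows at logon, e.g. \\DC01, so strip the leading backslashes
    $logonDc = $env:LOGONSERVER.TrimStart('\')
    $dc = Get-ADDomainController -Identity $logonDc
    [pscustomobject]@{
        LogonServer = $dc.Name
        Site        = $dc.Site
        IsReadOnly  = $dc.IsReadOnly   # $true means this session was served by an RODC
    }
}

$inventory = Get-DcInventory
$inventory | Format-Table -AutoSize

# Redundancy check: count writable (non-RODC) DCs and the sites they are spread across
$writable = @($inventory | Where-Object { -not $_.IsReadOnly })
$sites    = @($writable.Site | Select-Object -Unique)
if ($writable.Count -lt 2) {
    Write-Warning 'Fewer than two writable domain controllers; no redundancy if one fails.'
} elseif ($sites.Count -lt 2) {
    Write-Warning 'All writable domain controllers are in the same site.'
}

# Which DC answered this logon, and was it read-only?
Test-LogonServerReadOnly
```

Any domain user can run the inventory; no write access to AD is needed.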