Domain Controller
- A Domain Controller is a server that runs Active Directory Domain Services (AD DS).
- It is the server computer that acts as the brain of a Windows Server domain.
- It authenticates and authorizes users and computers in a Windows domain network.
- It is the central authority for managing security, users, and policies.
Features of a Domain Controller
- Verifies user credentials and controls access to network resources.
- Manages all users, groups, computers, and permissions from one place.
- Hosts and manages the Active Directory Domain Services (AD DS).
- Applies system-wide settings and restrictions using Group Policy Objects (GPOs).
- Syncs directory information with other DCs for redundancy and consistency.
- (Optional) Allows fast searching of directory data across multiple domains.
- Enforces password policies, access control, and login rules.
- Multiple DCs can share the load and provide backup in case one fails.
- Keeps logs of logins, resource access, and administrative changes.
Allows administrative access to manage user accounts and network resources
Info
This means:
A Domain Controller gives admins (IT people) the ability to:
- Create, edit, or delete user accounts
- Reset passwords
- Assign who can access what (like files, folders, printers)
- Set rules and policies (e.g., who can install software, when users can log in)
- Control access to network resources like shared drives, applications, or internet access
Main Functions of a Domain Controller
| Function | Description |
|---|---|
| Authentication | Verifies user credentials (e.g., username and password). |
| Authorization | Grants or denies access to network resources. |
| Directory Services | Stores and organizes data like user accounts, groups, computers, etc. |
| Policy Enforcement | Applies Group Policies to users and machines. |
| Replication | Syncs data with other domain controllers to ensure consistency. |
Components Handled by a Domain Controller
- Users and Groups
- Computers and Devices
- Organizational Units (OUs)
- Group Policy Objects (GPOs)
- Security Policies
- Login Scripts
Types of Domain Controllers
- Primary DC
  - Older concept (pre-Windows 2000). Today all DCs are peers in modern AD.
- Read-Only DC
  - A DC that cannot make changes (used in branch offices or insecure sites).
- Global Catalog Server
  - Stores full data of its domain + partial data of other domains for searches.
Importance
- It ensures secure access to resources.
- Enables centralized management of a network.
- Supports Single Sign-On (SSO) – users log in once to access everything they’re allowed to.
Note
If a Domain Controller Fails:
- Users might not be able to log in or access resources.
- That’s why networks usually have multiple DCs for redundancy and load balancing.
Users
- A User is one of the most common things stored in Active Directory.
- Users can log in (authenticate) to the domain using a username and password.
- They can be given access (permissions) to use things like:
- Files and folders
- Printers
- Applications
Note
Users are called "security principals", which just means:
- They can be identified, authenticated, and given permission to do things in the network
Users can be used to represent two types of entities:
1. People:
- These are real people who use the computer or network.
- Example:
  - Employees: john.doe, alice.smith
  - Students logging into a school network
- They log in with a username and password, and use:
  - Shared files
  - Printers
  - Applications
2. Services (Service Accounts)
- These are not real people; they are special accounts used by software or background processes to run.
- Example:
  - A backup service that runs every night using a user account like backup_service
  - SQL Server running as sql_service_account
- These accounts:
  - Run apps or services in the background
  - Don’t usually need to log in like a human
  - Still need permissions to access files or systems
- Example:
  - In Linux, users like www and MySQL in "/etc/passwd" are responsible for their services and are the respective owners as well.
Machine Object
- Another type of object within Active Directory
- For every computer that joins the Active Directory domain, a machine object is created.
- It is created to:
  - Identify the machine
  - Allow it to be managed
  - Enable it to authenticate and communicate with domain resources.
Example
Let’s say you have a computer named HR-PC01.
When you join it to the domain company.com, a machine object HR-PC01 is created in AD.
This allows:
- The domain to recognize the computer
- Admins to apply rules and updates to it
- The machine to access domain resources like file servers or printers
Important
Machine account passwords are rotated automatically and are 120 random characters long, so brute-forcing a machine account's password is not practical.
Naming a machine account:
- Identifying machine accounts is relatively easy, because they follow a specific naming scheme.
- The machine account name is the computer's name followed by a dollar sign.
- Ex: a machine named DC01 will have a machine account called DC01$
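An added example (not part of these notes) that applies the naming rules above to tell the principal types apart: machine accounts by the trailing "$" on the sAMAccountName, and Linux service users by their non-login shell in /etc/passwd. All sample names and the /etc/passwd excerpt are constructed, and the UID cut-off is an assumed Debian-style policy.

```python
"""Classify directory principals by naming convention: AD machine accounts
(computer name + '$') and Linux service users from /etc/passwd."""
import re

# Constructed sample sAMAccountNames (people, a service account, machine accounts).
SAMPLE_SAM_ACCOUNTS = ["john.doe", "alice.smith", "backup_service", "HR-PC01$", "DC01$"]

# Constructed /etc/passwd excerpt (name:password:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice Smith:/home/alice:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: Debian-style policy, UIDs below 1000 are system accounts


def machine_account_name(computer_name: str) -> str:
    """Return the account name AD creates for a computer: its NetBIOS name plus '$'."""
    if not re.fullmatch(r"[A-Za-z0-9-]{1,15}", computer_name):  # NetBIOS names: at most 15 chars
        raise ValueError(f"not a valid NetBIOS computer name: {computer_name!r}")
    return computer_name + "$"


def classify_sam_account(sam: str) -> tuple[str, str]:
    """Return (kind, identity): a trailing '$' marks a machine account; identity is the host."""
    if sam.endswith("$"):
        return "machine", sam[:-1]
    return "user", sam


def parse_passwd(text: str) -> list[dict]:
    """Parse /etc/passwd lines into dicts, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def classify_passwd_entry(entry: dict) -> str:
    """'superuser' for UID 0, 'service' for non-login shells or system UIDs, else 'person'."""
    if entry["uid"] == 0:
        return "superuser"
    if entry["shell"] in NOLOGIN_SHELLS or entry["uid"] <= SYSTEM_UID_MAX:
        return "service"
    return "person"
```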