What are Domain Controllers?

Servers in a domain are either member servers or domain controllers (DCs). A member server belongs to a particular domain, but it does not authenticate the users of that domain, and it holds no data about the entire AD network. DCs, on the other hand, are the servers responsible for allowing access to domain resources. A DC contains information on all user accounts, authenticates users, and enforces security policies for a domain. Its purpose is to limit user access by ensuring that only authorized users are permitted to access the network.

A DC has three directory partitions within itself. They are as follows:

  • Domain partition: This partition contains users, computers, groups, and other objects for a local domain. Each DC will have a full replica of the domain partition.
  • Schema partition: The type of objects and attributes that can be created in a domain is completely controlled by the schema. Nevertheless, the schema is extensible. It supports the creation of new types of objects and attributes.
  • Configuration partition: The configuration partition contains the replication topology and other configuration information that needs to be replicated across the forest. Every DC will have the same replica of the schema and configuration partitions.

The primary function of Domain Controllers:

A Windows Domain Controller is in charge of validating user access and handling user authentication requests. When users log into a domain, the DC validates their credentials to ensure that only authorized users have access to the network, reducing cyber risks. A DC contains data such as user account information and group policies. It validates network access by using a username and password combination, biometric measures, or multi-factor authentication. Furthermore, after a user has been validated, a DC handles permissions, limiting the user’s access to certain resources of the network based on their needs as dictated by access control lists. When a DC fails, users lose access to critical domain resources. As a result, multiple domain controllers can be deployed to reduce downtime and ensure the smooth functioning of the domain.

Domain Controller vs Active Directory: 

Active Directory and a Domain Controller are not the same thing. AD is a directory service for Windows domain networks, and a DC is a critical component of Active Directory Domain Services. The primary function of Active Directory is to organize and plan the storage of information about all users and resources, while a DC authenticates users and grants them permission to access those resources.

How to log on to a DC locally?

  • On the Windows login screen, click Switch User.

Note: Login from a server promoted to a DC

  • Select Other User and the system will display the standard login page, prompting you for your user name and password.
  • Now, in the User name field, input the name of your computer, a backslash, and the user name for the local account that you wish to log on to (computer name\user name). In the User name field, you can also add \Administrator.

Note: Click on the link “How to log on to another domain” if you don’t recall your computer name.

Enter your password and log in to the DC.

Best practices for installing a Domain Controller:

Before installing and configuring a DC, it is important to follow the best practices outlined below:

  • Standardize the hardware and software configuration of all DCs to improve the process of maintenance, reuse, and updating of your DCs.
  • Restrict physical and remote access to your DCs.
  • Run the Server Core installation option for Windows Server to minimize the attack surface by achieving an almost GUI-less footprint.
  • Set up a separate server for your domain controller.
  • Keep the DC committed to the Active Directory Domain Services role and avoid running any other software on it.
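A read-only audit of the local server against the practices listed above, added here as an example and not part of the original article. The function name `Get-DcHardeningReport`, the allowed-role list (which assumes DNS is hosted on the DC) and the choice to flag enabled Remote Desktop for review are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: checks the local server only and changes nothing.
function Get-DcHardeningReport {
    # Server Core: InstallationType reads 'Server Core' on a GUI-less install.
    $type = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    [pscustomobject]@{
        Check  = 'Server Core installation'
        Pass   = ($type -eq 'Server Core')
        Detail = $type
    }

    # Dedicated server: only AD DS and its supporting roles should be installed.
    # Assumption: DNS runs on the DC; File and Storage Services is present by default.
    $allowed = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'
    $extra = Get-WindowsFeature | Where-Object {
        $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $allowed
    }
    [pscustomobject]@{
        Check  = 'No server roles besides AD DS'
        Pass   = (-not $extra)
        Detail = ($extra.Name -join ', ')
    }

    # Other software: list installed programs so unexpected entries stand out.
    $apps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object DisplayName | Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        Check  = 'No additional software installed'
        Pass   = (-not $apps)
        Detail = ($apps -join ', ')
    }

    # Remote access: fDenyTSConnections = 1 means Remote Desktop is switched off.
    $deny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    [pscustomobject]@{
        Check  = 'Remote Desktop disabled (otherwise confirm it is restricted)'
        Pass   = ($deny -eq 1)
        Detail = "fDenyTSConnections=$deny"
    }
}

Get-DcHardeningReport | Format-Table -AutoSize -Wrap
```

A failed check is a prompt to review, not proof of a problem: agents such as backup or monitoring software will appear in the software list and need a decision rather than automatic removal.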

Setting up of a Domain Controller:  

  1. Set up a DC using Server Manager.
  • Go to Server Manager.
  • To launch the Add Roles and Features Wizard, select Manage and then Add Roles and Features.
  • Click Role-based or feature-based installation and then Next on the Select installation type screen.
  • On the Select destination server screen, choose Select a server from the server pool, then click the name of the server where you want to install Active Directory Domain Services, and then click Next.

Note: To choose remote servers, you must create a server pool and then add remote servers to it.

  • Select Active Directory Domain Services on the Select server roles screen, then click Add Features on the Add Roles and Features Wizard dialog box, and then click Next.
  • Select any extra features you want to install on the Select features screen and then click Next.
  • Evaluate the information on the Active Directory Domain Services page before clicking Next.
  • Click Install on the Confirm installation selections page.

Note: It is advisable to choose the “Restart the destination server automatically if necessary” option.

  • Confirm that the installation was successful on the Results page, and then click Promote this server to a DC to launch the Active Directory Domain Services Configuration Wizard.
  • Choose “Add a new forest” and input the Root domain name (which will also be the forest name), and then click Next.
  • On the DC Options screen, enter and confirm a Directory Services Restore Mode (DSRM) password that will be used to retrieve Active Directory data, and click Next to continue.
  • Ignore the warning message on the DNS Options screen, and click Next.
  • Enter a NetBIOS name for your domain on the Additional Options screen, preferably matching the NetBIOS name with the root domain name, and then click Next to accept the assigned NetBIOS name.
  • On the Paths screen, select the location for your database, log files, and SYSVOL. It is advised that you use the default location.
  • Click Next after you have reviewed the options on the Review Options screen. The wizard will perform some preliminary checks to confirm whether Active Directory can be installed.
  • To configure AD on the server, click Install. To complete the setup, the server will be rebooted automatically.
  • After the reboot, you must log in with the domain administrator account to control your domain.
  2. Set up a DC using PowerShell:
  • Run Windows PowerShell console as an administrator.
  • To install Active Directory Domain Services, run the following command:
    Add-WindowsFeature AD-Domain-Services
  • The next step after installing the AD DS role is to promote the server to a DC. Enter and run the following command to create a new forest and domain:
    Install-ADDSForest -DomainName example.com -InstallDNS

Note: Replace example.com with the correct forest and domain name.

  • In Windows PowerShell, the password for Directory Services Restore Mode (DSRM) is known as the SafeModeAdministratorPassword. Set the DSRM password and confirm it by typing it twice and pressing enter to store the password.
  • Type “A” and hit the Enter key to configure the target server as a domain controller and restart it after the configuration is complete.

Note: After the installation is complete, check the status message to see if the promotion to DC was successful. Following the completion of a DC promotion, the server will reboot to finish the set up. 
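The PowerShell steps above combined into one script, added here as an example and not taken from the original article. It reads the DSRM password as a SecureString, runs the prerequisite check before promoting and, after the reboot, reports the three directory partitions described earlier. The names `example.com` and `EXAMPLE` are placeholders, and both function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example; example.com / EXAMPLE are placeholders, function names are hypothetical.
function Install-FirstDomainController {
    param(
        [string]$DomainName  = 'example.com',
        [string]$NetbiosName = 'EXAMPLE'
    )
    # Install the AD DS role (Add-WindowsFeature is an alias of this cmdlet)
    # together with the management tools, which include the AD PowerShell module.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # Read the DSRM password without echoing it or leaving it in command history.
    $dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

    $params = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        InstallDns                    = $true
        SafeModeAdministratorPassword = $dsrm
    }

    # Run the preliminary checks first and stop if any of them does not succeed.
    $failed = Test-ADDSForestInstallation @params |
        Where-Object { $_.Status -ne 'Success' }
    if ($failed) { throw "Prerequisite check failed: $($failed.Message -join '; ')" }

    # Promote the server. -Force skips the confirmation prompt; the server reboots when done.
    Install-ADDSForest @params -Force
}

function Test-NewDomainController {
    # Run after the reboot, logged on with the domain administrator account.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 2) { throw 'ProductType is not 2: this server is not a DC.' }

    $root = Get-ADRootDSE
    [pscustomobject]@{
        DomainPartition        = $root.defaultNamingContext
        SchemaPartition        = $root.schemaNamingContext
        ConfigurationPartition = $root.configurationNamingContext
        DirectoryService       = (Get-Service -Name NTDS).Status
    }
}
```

Call `Install-FirstDomainController` before the reboot and `Test-NewDomainController` after it; the second function expects the NTDS service to report `Running`.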

Functions of a Domain Controller: 

Below are a few reasons why you should use a DC for your network.

  • You can manage all of your user accounts from a single location. You can quickly deactivate or activate users, manage their passwords and usernames, and restrict access to specific files and programs.
  • By checking for access to file servers and other network resources, domain controllers make it easier to interface with directory services.
  • All computers can be set to lock their screens after a certain amount of time and require a password to unlock them. This makes it difficult for anyone to see what’s on your screen or gain access to your computer while you’re away.
  • Instead of manually installing software on individual machines, you can use a domain controller to distribute software to user groups at the same time.
  • Ability to promptly disable accounts for existing employees.

Microsoft first introduced the concept of a DC for Windows NT networks to help IT administrators control access to resources (users and IT resources) inside a domain. Previously, a physical computer was dedicated to managing user IDs and authenticating access requests, and this was later incorporated as a key component of Active Directory services. Many organizations and administrators would not design their IT architecture without a DC. With the increase in cloud migration, we can see cloud directory services acting as a DC for the cloud, with the ability to authenticate user identities and approve access to resources.
