CRASH COURSE: WHAT IS A DOMAIN CONTROLLER?

The biggest hurdle I have faced studying for N10-008 is the terminology.

Sometimes learning networking definitions feels like I’m learning a foreign language, and it confuses me so much.

One of the words that confused me the most – even when I took the N10-007 test – was the word Domain Controller (DC). At the time I took the test, the extent of my knowledge of a DC did not extend beyond a few labs in school. As a result, every time I saw the word DC, I was shook and shooketh (or shook beyond my own understanding).

If this word sets your nerves on fire, like it did mine, here is a crash course on what a DC is, and why it’s important.

WHAT IS ACTIVE DIRECTORY?

Knowing what a DC is starts with knowing what Active Directory (AD) is.

Paul Hill of Server Academy says that Active Directory (AD) is a Windows database that stores user accounts and their passwords, computers, printers, file shares, and their respective security groups and permissions.

So for example, let’s say you’re a help desk analyst at a business that has 250 computer users. Tom in Marketing needs a password reset. How in the world are you going to reset his password if you don’t know which computer he is using? How do you know Tom even works for your business without some type of authentication? And would you give Tom permission to look at the business’ quarterly reports, especially if Tom doesn’t need to look at them?

This is why AD is powerful and necessary.

ACTIVE DIRECTORY AND AAA

One thing every networking professional needs to know is AAA – Authentication, Authorization, and Accounting. AAA is the framework for controlling network access, enforcing policies, and accounting for usage such as billable hours.

AD helps with a lot of things, but it is especially useful for the Authentication portion of AAA. This means that AD only allows authorized users to log on to the network.

For example, do you want Tom from Marketing logging in to Shaquille’s computer in the Finance Department? Nope, you wouldn’t. Especially if Tom does not need to know the Finance Department’s business.

AD will make sure that both Tom and Shaquille are staying in their respective lanes, and minding the business that pays them.

What’s also convenient and powerful about AD is that it stores all usernames, passwords, and permissions in one centralized database, instead of on each individual computer.

WHAT IS A DOMAIN CONTROLLER (DC)?

A DC is any server that has the Microsoft Active Directory Domain Services (AD DS) role installed.

Before we get into the AD DS role, I want to clarify a few things:

  • The DC is a physical server
  • The DC hosts the AD software (AD is the product name)
  • AD DS is a role that stores user and password information, permissions, group policies, etc.
  • AD has other services besides AD DS, including LDAP (Lightweight Directory Access Protocol), SSO (Single Sign-On), security certificates, and rights management.
  • Authentication is the process of verifying a user and/or their device. A common example of authentication is a username and a password. This lets the domain verify the user’s identity. As we all know, a wrong username and/or password can result in denied access (and headaches if you have to reset them).

AD DS is responsible for authenticating users and managing their security permissions. So let’s say Tom from Marketing got a promotion and is now working in Finance. You may not want him accessing the same folders he had permission to use while he was in Marketing. In order to change his permissions, you would have to log in as an admin in AD DS (from the DC) to change his folder permissions.
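Here is what that Tom scenario looks like when the change is made from a DC with the ActiveDirectory PowerShell module. This is an added example, not code from the post or from Server Academy; the username and the two group names are assumed placeholders, and it assumes folder access is granted through group membership rather than per-user permissions.

```powershell
# Added example: move a promoted user's folder access from Marketing to Finance.
# Assumes the ActiveDirectory module (installed with the AD DS role or RSAT) and
# that you are running as an account allowed to edit these groups.
# The user and group names are assumed placeholders, not from the original post.
Import-Module ActiveDirectory

$UserName = 'tom.example'          # assumed sAMAccountName for "Tom from Marketing"
$OldGroup = 'Marketing-Shares'     # assumed group that grants the Marketing folders
$NewGroup = 'Finance-Shares'       # assumed group that grants the Finance folders

# Look the user up in AD DS first; a typo in the name fails here, not halfway
# through the change (Get-ADUser throws if the identity does not exist).
$user = Get-ADUser -Identity $UserName -Properties Department

# Record what Tom can reach before the change (an audit trail for the Accounting
# part of AAA). Get-ADPrincipalGroupMembership lists direct group memberships.
$before = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
Write-Host "Before: $UserName is in: $($before -join ', ')"

# Remove the old access first, then grant the new access, so the window where
# Tom holds both Marketing and Finance rights is as short as possible.
Remove-ADGroupMember -Identity $OldGroup -Members $user -Confirm:$false
Add-ADGroupMember    -Identity $NewGroup -Members $user
Set-ADUser -Identity $user -Department 'Finance'

# Verify: Tom must now be in the Finance group and out of the Marketing group.
$after = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
if ($after -contains $OldGroup)    { throw "$UserName is still a member of $OldGroup." }
if ($after -notcontains $NewGroup) { throw "$UserName was not added to $NewGroup." }
Write-Host "After:  $UserName is in: $($after -join ', ')"
```

The new group membership only shows up in Tom's access token at his next logon, and the change is written to the DC you ran it on and then replicated to the others.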

CAN YOU HAVE MULTIPLE DOMAIN CONTROLLERS?

Yes! It’s a server’s job to be:

  • Scalable
  • Highly available
  • Redundant

While you may have multiple DCs, there can only be one main DC. Just like there can only be one Beyoncé, one Kelly, and one Michelle. Of course, Kelly and Michelle can kill it (and have) when entertaining a crowd, but there’s only one Queen Bey.

That’s the same idea as a domain controller – you can have multiple DCs, but there’s only one primary DC.

The purpose of replicating a main DC is fault tolerance. User and group policy information is replicated across DCs, so if one goes down, another DC steps in to take its place.

If you would like to know more about DCs, take a look at Paul Hill’s explanation of a DC in the video below.