What is a Domain Controller, When is it Needed + Set Up (2024)

A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.

The domain controller (DC) is the box that holds the keys to the kingdom: Active Directory (AD). While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but actually use DCs to detect cyberattacks in progress.


What is The Main Function of a Domain Controller?


The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.

Microsoft Active Directory and Microsoft Azure AD are the most common examples, while Samba is the Linux-based equivalent DC.

Why is a Domain Controller Important?

Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.

Domain Controller vs. Active Directory

ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine

Active Directory is a type of domain, and a domain controller is an important server on that domain, much as there are many types of cars and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.

Do I Need a Domain Controller?

In general, yes. Any business, no matter the size, that saves customer data on its network needs a domain controller to improve the security of that network. There could be exceptions: some businesses, for instance, only use cloud-based CRM and payment solutions. In those cases, the cloud service secures and protects customer data.

The key question you need to ask is “where does my customer data live and who can access it?”

The answer determines if you need a domain – and DC – to secure your data.


Benefits of Domain Controller

  • Centralized user management
  • Enables resource sharing for files and printers
  • Federated configuration for redundancy (FSMO)
  • Can be distributed and replicated across large networks
  • Encryption of user data
  • Can be hardened and locked-down for improved security

Limitations of Domain Controller

  • Target for cyberattack
  • Potential to be hacked
  • Users and OS must be maintained to be stable, secure and up-to-date
  • Network is dependent on DC uptime
  • Hardware/software requirements

How to Set Up a Domain Controller + Best Practices


  • Configure a stand-alone server for your domain controller.
    • If you are using Azure AD as your domain controller you can ignore this step.
    • If not, your DC should act exclusively as a DC.
  • Limit both physical and remote access to your DC as much as possible.
    • Consider local disk encryption (BitLocker)
    • Use GPOs to provide access to the SysAdmins in charge of administering Active Directory, and allow no other users to log in, either on the console or via Terminal Services.
  • Standardize your DC configuration for reuse
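
One way to check the logon restriction from the list above, as an added example that is not part of the original article: it reads the [Privilege Rights] section of a `secedit /export /cfg` dump taken on the DC and reports every principal other than the allowed administrators that holds console or Terminal Services logon rights. The sample dump is constructed, and treating built-in Administrators as the only allowed group is an assumption; pass your own AD admin group's SID instead.

```python
# Constructed sample: part of a `secedit /export /cfg dc-policy.inf`
# dump taken on a domain controller.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-550
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# The two logon paths the list above says to restrict.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "console logon",
    "SeRemoteInteractiveLogonRight": "Terminal Services (RDP) logon",
}
# Assumption: only built-in Administrators may log on to the DC.
ALLOWED_SIDS = {"S-1-5-32-544"}
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

def parse_privilege_rights(inf_text):
    """Map each user right to the SIDs or account names that hold it."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_rights(inf_text, allowed=ALLOWED_SIDS):
    """Return (logon path, principal, name) for every non-allowed holder."""
    rights = parse_privilege_rights(inf_text)
    return [(LOGON_RIGHTS[right], sid, WELL_KNOWN.get(sid, "unknown principal"))
            for right in LOGON_RIGHTS
            for sid in rights.get(right, [])
            if sid not in allowed]
```

On the constructed sample this flags Backup Operators and Print Operators for console logon and Remote Desktop Users for Terminal Services logon. Real secedit exports are UTF-16 files, so decode them before passing the text in.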

Setting up a secure and stable DC doesn’t mean you are secure forever. Attackers will still try to hack into your DC to escalate privileges or enable lateral movement throughout your network. Varonis monitors AD for out-of-policy GPO changes, Kerberos attacks, privilege escalations, and more.


Michael Buckbee Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.


FAQs


What is a domain controller and why is it needed?

A domain controller is the server responsible for managing network and identity security requests. It acts as a gatekeeper and authenticates whether the user is authorized to access the IT resources in the domain.

Do I need a domain controller?

An organization must have at least one domain controller in each Active Directory domain. However, organizations almost always choose to have multiple DCs in each domain. Even if a single DC can handle the normal load, having at least two provides quick scalability.

What are the requirements for a domain controller?

At a minimum, you need a 1.4 GHz, 64-bit CPU that supports Second Level Address Translation, 512 MB of RAM (or 2 GB of RAM when using Desktop Experience), and 32 GB of disk space. For better performance, especially with larger domains, consider a faster CPU and 4 GB of RAM.

What is the role you need to install to set up a server as a domain controller?

The basic requirement to promote this server into a domain controller is Active Directory Domain Services. The features for this role are ready to be installed. The basic features required for this service are selected by default.

What is the difference between Active Directory and domain controller?

Active Directory is a database that stores and organizes enterprise resources as objects. You can think of Active Directory as a database that stores users and device configurations in AD DS. A domain controller, in contrast, is simply a server running Active Directory that authenticates users and devices.

Why do we need a domain server?

Control all the user accounts from one central location

The main benefit of a domain controller is controlling all your user accounts from one location. You can offboard or onboard users quickly, manage their passwords and usernames, and control access to specific files and programs.

Can you have a domain without a domain controller?

You can create sites with no DCs, just right-click Sites, then New Site... Give it a name, choose the DEFAULTIPSITELINK and done. You'll be reminded by a dialog to add subnets and a DC or move an existing one.

Is domain controller same as DNS?

A DC functions as a gatekeeper for host access to domain resources and provides authentication into a domain using Kerberos and/or NTLM. It's where policies are enforced and AD is hosted. The Domain Name System (DNS) protocol translates IPs into URLs that help users navigate the web.

How do I know if my computer is a domain controller?

Use the nltest /dsgetdc:domainname command to verify that a domain controller can be located for a specific domain. Use the NSLookup tool to verify that DNS entries are correctly registered in DNS. Verify that the server host records and GUID SRV records can be resolved.
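
The three checks above can be cross-checked against each other. The following is an added example, not part of the original page: it parses constructed sample output of `nltest /dsgetdc:` and of an `nslookup -type=SRV` query for the `_ldap._tcp.dc._msdcs` locator record, then reports any located DC or SRV target that lacks a matching host record. The domain `corp.example.com`, the host names and the addresses are all made up.

```python
import re

# Constructed sample output of `nltest /dsgetdc:corp.example.com`.
NLTEST_OUT = r"""
           DC: \\DC01.corp.example.com
      Address: \\10.0.0.10
     Dom Name: corp.example.com
The command completed successfully
"""
# Constructed sample output of
# `nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com`.
NSLOOKUP_OUT = """
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.corp.example.com
_ldap._tcp.dc._msdcs.corp.example.com   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.corp.example.com
dc01.corp.example.com   internet address = 10.0.0.10
"""

def parse_nltest(text):
    """Return the 'Key: value' fields of nltest output, UNC prefix removed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().lstrip("\\")
    return fields

def check_dc_registration(nltest_text, nslookup_text):
    """Cross-check the located DC against its SRV and host records."""
    dc = parse_nltest(nltest_text)
    targets = [t.lower() for t in
               re.findall(r"svr hostname\s*=\s*(\S+)", nslookup_text)]
    hosts = {h.lower(): ip for h, ip in re.findall(
        r"^(\S+)\s+internet address = (\S+)", nslookup_text, re.M)}
    name = dc.get("DC", "").lower()
    if not name:
        return ["no domain controller located"]
    problems = []
    if name not in targets:
        problems.append(f"{name} has no _ldap SRV record")
    elif hosts.get(name) != dc.get("Address"):
        problems.append(f"{name} host record does not match {dc.get('Address')}")
    problems += [f"{t} SRV target has no host record in the answer"
                 for t in targets if t not in hosts]
    return problems
```

On the constructed sample the located DC checks out, and `dc02.corp.example.com` is reported because its SRV record came back without a host record.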

Who has access to domain controller?

Members of the Administrators group have complete and unrestricted access to the computer. If the computer is promoted to a domain controller, members of the Administrators group have unrestricted access to the domain.

How many domains can a domain controller have?

Each domain needs its own domain controller; you cannot create multiple domains using the same domain controller. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers.

How do I set up a domain controller at home?

How to set up a domain controller?
  1. Log into your Active Directory Server with administrative credentials.
  2. Open Server Manager → Roles Summary → Add roles and features.
  3. The "Before you begin" screen, which pops up next, is purely for an informational purpose. ...
  4. Select the installation type.


What is an example of a domain controller?

Domain controllers apply security policies to requests for access to domain resources. For example, in a Windows AD domain, the domain controller draws authentication information for user accounts from AD. Domain services, such as those that domain controllers provide, are just one part of Microsoft Active Directory.

Do I need a domain controller at each site?

To directly answer the question posed in the post's title: It depends, but generally every site does not require multiple domain controllers, and in a lot of cases a single DC may not even be required.

What are the three roles in domain controller?

These are further classified into forest-level and domain-level roles. Each domain within the forest has its own RID master, Infrastructure master, and PDC emulator. The domain controller is assigned these three roles whenever there's any change in the domain function in an AD.

What happens if a domain controller is down?

When a client selects the DC while in shutdown, NTLM or Kerberos requests will fail again. At this point, the client will go into a negative cache mode, and will fail later authentication requests. In the case of NTLM, the client is the application server, so it can't accept new clients until a working DC is selected.



Author: Arielle Torp
