Domain controller (Windows)

On Microsoft Servers, a domain controller (DC) is a server computer [1] [2] that responds to security authentication requests (logging in, etc.) within a Windows domain. [3] [4] A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

History

With Windows NT 4 Server, one domain controller per domain was configured as the primary domain controller (PDC); all other domain controllers were backup domain controllers (BDC).

Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file, print or application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed.

A BDC could authenticate the users in a domain, but all updates to the domain (new users, changed passwords, group membership, etc.) could only be made via the PDC, which would then propagate these changes to all BDCs in the domain. If the PDC was unavailable (or unable to communicate with the user requesting the change), the update would fail. If the PDC was permanently unavailable (e.g. if the machine failed), an existing BDC could be promoted to be a PDC.

Windows 2000 and later versions introduced Active Directory ("AD"), which largely eliminated the concept of PDC and BDC in favor of multi-master replication. However, there are still several roles that only one domain controller can perform, called the Flexible Single Master Operation (FSMO) roles. Some of these roles must be filled by exactly one DC per domain, while others require only one DC per AD forest. If the server performing one of these roles is lost, the domain can still function, and if the server will not be available again, an administrator can designate an alternate DC to assume the role in a process known as "seizing" the role.
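As an added illustration of the role distinction above (this is not code from the article or from Microsoft), the following PowerShell enumerates the two forest-wide and three domain-wide FSMO holders and checks whether each one still answers LDAP, which is the question an administrator must settle before choosing between a graceful transfer and a seizure. It assumes the ActiveDirectory RSAT module and a domain-joined session with rights to read the directory.

```powershell
# Added example: audit FSMO role holders and report which ones are unreachable.
# Assumes: ActiveDirectory module installed, session joined to the domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-scoped roles exist once per forest; domain-scoped roles once per domain.
$roles = @(
    [pscustomobject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
)

foreach ($r in $roles) {
    # Query the holder's own rootDSE so the check exercises LDAP on that DC,
    # not just ICMP (which is often filtered between server subnets).
    try {
        $null = Get-ADRootDSE -Server $r.Holder -ErrorAction Stop
        $reachable = $true
    } catch {
        $reachable = $false
    }
    $r | Add-Member -NotePropertyName Reachable -NotePropertyValue $reachable
}

$roles | Format-Table Role, Scope, Holder, Reachable -AutoSize

# Roles whose holder did not answer. If the old holder can be recovered, transfer
# the role normally; only if it is permanently gone should the role be seized with
# -Force, after which the former holder must never be reconnected to the domain:
#   Move-ADDirectoryServerOperationMasterRole -Identity '<new DC>' `
#       -OperationMasterRole PDCEmulator -Force
$lost = $roles | Where-Object { -not $_.Reachable }
if ($lost) {
    Write-Warning ("Unreachable role holders: " + (($lost | ForEach-Object { "$($_.Role)=$($_.Holder)" }) -join ', '))
}
```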

Primary domain controller

In Windows NT 4, one DC serves as the primary domain controller (PDC); any others are backup domain controllers (BDCs). The PDC is typically designated as the "first". [5] The "User Manager for Domains" utility maintains user and group information, and it works against the domain security database on the primary controller. The PDC holds the master copy of the user accounts database, which it alone can modify. The BDCs hold copies of this database, but these copies are read-only; the PDC replicates its account database to the BDCs on a regular basis. [6] The BDCs exist to provide a backup to the PDC, and they can also authenticate users logging on to the network. If a PDC fails, one of the BDCs can be promoted to take its place. The PDC is therefore usually the first domain controller that was created, unless it has since been replaced by a promoted BDC.

PDC emulation (Primary Domain Controller)

In modern releases of Windows, domains have been supplemented by Active Directory services. In Active Directory domains, the concept of primary and secondary domain controller relationships no longer applies; instead, one DC per domain holds the PDC emulator role. PDC emulators hold the accounts databases and administrative tools, so a heavy workload can slow the system down. The DNS service may be installed on a secondary machine to relieve the workload on the PDC emulator. The same rule applies as before: only one PDC emulator may exist in a domain, but multiple replication servers may still be used. [7]

Samba

Primary Domain Controllers (PDCs) have been faithfully recreated in Samba, the free implementation of Microsoft's SMB client/server system. Samba can emulate an NT 4.0 domain as well as a modern Active Directory Domain Services domain [9] on a Linux machine. [10]

Backup domain controller

In Windows NT 4 domains, the backup domain controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the PDC, the BDC database is a read-only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs. These additional domain controllers exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests and take some of the authentication load from the PDC.

When Windows 2000 was released, the NT domain as found in NT 4 and prior versions was replaced by Active Directory. In Active Directory domains running in native mode, the concept of the PDC and BDC does not exist; all domain controllers are considered equals. A side effect of this change was the loss of the ability to create a "read-only" domain controller. Windows Server 2008 reintroduced this capability.

Nomenclature

A Windows Server can play one of three roles: Active Directory "domain controller" (providing identity and authentication), Active Directory "member server" (providing complementary services such as file repositories and schema) or Windows Workgroup "stand-alone server". [11] The term "Active Directory Server" is sometimes used by Microsoft as synonymous with "Domain Controller" [12] [13] [14] [15] [16] but the term is discouraged. [17]


References

  1. "Domain Controller Roles". Microsoft TechNet. Retrieved Dec 4, 2009. A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources. A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.
  2. "Domain Controller Roles". Windows Server 2003 Technical Reference. Microsoft TechNet. 2010-06-03. Retrieved 2012-11-21. A domain controller is a server that is running a version of the Windows Server® operating system and has Active Directory® Domain Services installed.
  3. "What is a Domain Controller? - Definition from Techopedia". Techopedia.com. Retrieved 2016-11-16.
  4. "Answering: What Is a Domain Controller & What Does it Do?". scientificera.com. Retrieved 2016-11-16.
  5. "Domain Controller Roles". Microsoft TechNet. 3 June 2010. Retrieved 13 February 2011.
  6. "Peer-to-Peer Transactional Replication". Microsoft TechNet. Date undisclosed. Retrieved 13 February 2011.
  7. "Reducing the Workload on the PDC Emulator Master". Microsoft TechNet. 9 January 2009. Retrieved 13 February 2011.
  8. "Configure the Time Source for the Forest". Microsoft TechNet. 9 January 2009. Retrieved 13 February 2011.
  9. "Setting up Samba as an Active Directory Domain Controller - SambaWiki". wiki.samba.org. Retrieved 2018-04-20.
  10. "Server Manager Shows PDC and BDC as Workstations with Samba Linux Server in Network". Microsoft TechNet. 1 November 2006. Retrieved 13 February 2011.
  11. "Planning for domain controllers and member servers". Windows Server 2003 Product Help. Microsoft TechNet. 2005-01-21. Retrieved 2012-11-21. [...] servers in a domain can have one of two roles: domain controllers, which contain matching copies of the user accounts and other Active Directory data in a given domain, and member servers, which belong to a domain but do not contain a copy of the Active Directory data. (A server that belongs to a workgroup, not a domain, is called a stand-alone server.)
  12. "Capacity Planning for Active Directory Domain Services". Microsoft TechNet. 2012-10-12. Archived from the original on 2012-11-29. Retrieved 2012-11-21. Evaluating Active Directory Server RAM [...] Evaluating the amount of RAM that a domain controller (DC) needs is actually quite a complex exercise.
  13. "Q324753: How To Create an Active Directory Server in Windows Server 2003". Microsoft Support. 2011-09-11. Retrieved 2012-11-21. How To Create an Active Directory Server in Windows Server 2003 [...] To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps [...]
  14. "Q302914: How Outlook 2000 accesses Active Directory". Microsoft Support. 2007-02-27. Retrieved 2012-11-21. [...] you must restart Outlook if that particular Active Directory server stops responding.
  15. "Q253841: XADM: Troubleshooting Active Directory Connector Replication Issues". Microsoft Support. 2007-02-27. Retrieved 2012-11-21. Is a Connection Agreement configured for the Exchange Server computer to the Active Directory server?
  16. "Q825916: Exchange 2000 Active Directory Connector Does Not Successfully Replicate Changes to Group Membership in Windows Server 2003 Active Directory in Forest Functional Levels 1 or 2". Microsoft Support. 2006-10-27. Retrieved 2012-11-21. [...] changes do not replicate between a Windows Server 2003 Active Directory server (in forest functional level 1 or in forest functional level 2) and a Microsoft Exchange Server 5.5 computer [...]
  17. Comment officially marked as "answer" by Microsoft-employed forum moderator "Arthur_Li". Jorge Mederos (2010-10-11). "AD server vs. Domain Controller vs. Member Server, et al". Microsoft TechNet Forums. Archived from the original on 2013-01-03. Retrieved 2012-11-21. [...] the term "AD Servers" is not a phrase you will find in any of the technical books and I myself have not heard that term used in the industry.