What is a Domain Controller?


Domain controllers (DCs) are at the heart of Active Directory Domain Services (AD DS), the directory service that provides authentication, authorization, and password management for Microsoft Windows networks. Find out here why they’re so important and what they do.


What does a domain controller do?

A domain controller (DC) is a server on your network that centrally manages authentication and access for the users, computers, servers and other objects in a domain. It does this by holding a writable copy of the Active Directory database and answering logon and directory requests against it.

Domain controllers respond to authentication requests from network endpoints such as servers and user workstations, whether those endpoints sit on the local network or reach the DC across a WAN link. They authenticate users and computers (using Kerberos, or NTLM where Kerberos is not available), store account information such as names, e-mail addresses, group memberships and password hashes, and enforce the security policies (password, lockout and Group Policy settings) defined for the Active Directory domain.

What is a Domain Controller? (Image Credit – Microsoft)

Why domain controllers are an important part of Active Directory

Domain controllers provide the physical storage for the AD DS database. They also provide the services that let enterprises and IT pros manage their servers, computers, laptops, users, printers and applications from one place. They are vitally important to your network and need to be secured accordingly: an attacker who takes control of a DC controls every identity in the domain. They could wreak havoc on your Friday afternoon (or early Sunday morning!) by wiping out your AD database, or, more quietly and more commonly, extract every account's password hash from it.

Domain controllers vs Active Directory – are they the same thing?

Well, these two, as you have probably guessed already, are not the same thing. Active Directory is the directory service: the database of users, computers, groups and policies, together with the protocols (LDAP, Kerberos, replication) used to read and write it. A domain controller is the server that hosts a replica of that database and runs those services. Active Directory is the "what"; the domain controller(s) are the "where".

Active Directory Domain Services

Do I need a domain controller?

Yes. Of course, you do. Now, technically, you don’t. Confused yet?

If you have five or fewer users in your organization and a semi-dedicated IT pro available, you could do without an Active Directory environment. However, you would then have local accounts on each of your users' computers and would have to maintain a separate list of usernames and passwords on every one of them. If you wanted one user to share files from a file server, you would have to maintain those password lists on the file server too.

All of what I just described is automatically maintained in a domain controller. So, long story short, you need one…at LEAST one…read on.

The benefits of having one or more domain controllers

Try to imagine you have installed AD DS in your environment and promoted one of your servers to a domain controller. Your users are happy, computing and processing all those Excel spreadsheets with ease.

Now, one of your user’s passwords expires…they go to change it and they get an error that there are no domain controllers available to process the password change (No, the error of course is not that direct and explicit, but you catch my drift). Your single domain controller has blue screened and it has halted. Your Active Directory is essentially dead in the water.

You need redundancy. It is a very simple process to add a second (and third, fourth…) domain controller to your environment. Once you have two or more DCs, clients can keep logging on and changing passwords when one of them is unavailable for any reason. Through AD replication, a service that runs automatically on every DC, any change made to the directory on one DC is replicated to all the other DCs in the same domain; every DC holds a writable copy, so it does not matter which one takes the change. Two caveats: clients find DCs through DNS, so each DC should also host DNS (or your DNS must point at more than one), and the FSMO roles (next section) held by a failed DC do not move by themselves.
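To confirm that the redundancy is real rather than assumed, here is an added example (not code from the original article) that lists every DC's inbound replication state and then proves a change written on one DC shows up on another. It assumes the ActiveDirectory RSAT module, rights to read replication metadata, and placeholder names (DC01, DC02, the svc-repltest account) that you would replace with your own.

```powershell
# Added example: verify multi-master replication between DCs.
# Assumes the ActiveDirectory module; DC01, DC02 and svc-repltest are placeholders.
Import-Module ActiveDirectory

# Every DC in the domain, and the inbound replication state of each one.
# ConsecutiveReplicationFailures > 0 or a stale LastReplicationSuccess is the thing to chase.
$dcs = Get-ADDomainController -Filter *
$dcs | ForEach-Object { Get-ADReplicationPartnerMetadata -Target $_.HostName } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Anything that has failed recently, forest-wide
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest

# Prove a change made on one DC reaches another: write on DC01, read on DC02.
$probeUser = 'svc-repltest'
Set-ADUser -Identity $probeUser -Server 'DC01' `
           -Description ("replication probe {0:o}" -f (Get-Date))
Start-Sleep -Seconds 60   # intra-site change notification normally converges in well under this
Get-ADUser -Identity $probeUser -Server 'DC02' -Properties Description |
    Select-Object Name, Description

# The attribute metadata on DC02 names the DC that originated the change and the version count,
# which is how you tell "DC02 has the value" apart from "DC02 had the same value all along".
$dn = (Get-ADUser -Identity $probeUser).DistinguishedName
Get-ADReplicationAttributeMetadata -Object $dn -Server 'DC02' -Properties Description |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
```

The first two queries are the same information `repadmin /replsummary` and `repadmin /showrepl` give you, just in object form; the probe write is the part people skip, and it is the one that catches a DC that reports healthy links but has stopped applying changes.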

Active Directory FSMO roles

When Active Directory debuted with Windows 2000, it replaced the NT 4 model of one writable Primary Domain Controller (PDC) and read-only Backup Domain Controllers with multi-master replication, where every DC is writable. A few operations still need a single owner, so the first DC in a new domain is given the PDC emulator role (it is the domain's time source, receives urgent password-change and lockout replication, and is where Group Policy is edited by default). The other roles are the schema master and domain naming master, which exist once per forest, and the RID master and infrastructure master, which, like the PDC emulator, exist once per domain.

Day to day you rarely think about these Flexible Single Master Operations (FSMO) roles, but they have not gone away: new security identifiers cannot be issued once the RID master's pool is exhausted, schema changes need the schema master, and password changes and lockouts take longer to take effect without the PDC emulator. Each role is held by exactly one DC at a time. You can query which DC has each role, transfer roles between DCs while both are online, and seize a role when its holder is gone for good.
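As an added example (not code from the original article), the following PowerShell locates all five role holders and transfers or seizes a role. It assumes the ActiveDirectory RSAT module, Domain Admin rights (Enterprise Admin and Schema Admin for the forest-wide roles), and the placeholder server name DC02.

```powershell
# Added example: find and move FSMO role holders. DC02 is a placeholder.
Import-Module ActiveDirectory

# Forest-wide roles hang off the forest object, domain-wide roles off the domain object
$forest = Get-ADForest
$domain = Get-ADDomain

[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The classic command-line check gives the same answer
netdom query fsmo

# Graceful transfer: both the current holder and DC02 are online and agree on the handover.
# Several roles can be moved in one call.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster

# Seizure (-Force): only when the current holder is permanently gone. Never bring the old
# holder back online afterwards; two DCs that both believe they own the RID master will
# hand out duplicate RIDs, and two schema masters will fight over the schema.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force
```

Run the query part from any domain-joined machine with RSAT; the transfer and seizure lines are the ones you want to read twice before pressing Enter.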

You can learn more about transferring and seizing domain controller FSMO roles here:

How to set up a domain controller

There are two main methods to set up a new domain controller – PowerShell and Server Manager. I’ll go through the basics of using Server Manager here.

Installing the Active Directory Domain Services (AD DS) Role in Server Manager
  1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, click Role-based or feature-based installation and then click Next.
  4. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS, and then click Next. To select remote servers, first create a server pool and add the remote servers to it. For more information about creating server pools, see Add Servers to Server Manager.
  5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
  6. On the Select features page, select any additional features you want to install and click Next.
  7. On the Active Directory Domain Services page, review the information and then click Next.
  8. On the Confirm installation selections page, click Install.
  9. On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.

The remaining steps in the configuration wizard depend on your scenario: whether this is the first DC in a new forest, an additional DC in an existing domain, or the first DC of a new domain in an existing forest. Each path asks for different information (forest and domain functional levels and a DSRM password for a new forest; credentials and a site for an additional DC; the parent domain for a new child domain).
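The PowerShell route the article mentions covers the same ground in a few lines. The following is an added example (not code from the original article) for the three scenarios just listed; run only the branch that matches yours. Domain names, the NetBIOS name, the site name and the credential prompt are placeholders, and each Install-ADDS* cmdlet prompts for the Directory Services Restore Mode password because none is supplied here.

```powershell
# Added example: promote a server with PowerShell instead of Server Manager.
# Run elevated on the server being promoted. Names below are placeholders.

# 1. Install the AD DS binaries and management tools (equivalent to the Add Roles wizard)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2a. First DC in a brand-new forest
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force

# 2b. Additional DC in an existing domain (the redundancy discussed earlier)
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -Force

# 2c. First DC of a new child domain in an existing forest
Install-ADDSDomain `
    -NewDomainName 'emea' `
    -ParentDomainName 'corp.example.com' `
    -DomainType ChildDomain `
    -Credential (Get-Credential 'CORP\Administrator') `
    -InstallDns `
    -Force

# Dry run first: Test-ADDSForestInstallation, Test-ADDSDomainControllerInstallation and
# Test-ADDSDomainInstallation accept the same parameters and report blockers without promoting.
```

The server reboots at the end of a successful promotion. The Test-ADDS* cmdlets are worth the extra minute on a production network: they catch the DNS and credential problems that otherwise surface halfway through the promotion.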

Best practices for deploying domain controllers

The commonly known best practices for deploying domain controllers have changed a lot over the years. Back in the day (around Windows 2000, when AD debuted), it was best to keep the AD database on one set of disk spindles, the transaction logs on another volume, and Windows Server itself on a third. With today's storage that separation matters much less, and the emphasis has shifted from performance to attack surface.

Today, these are the general best practices to installing DCs in your network:

  • Run the Server Core installation option for Windows Server.
    • Server Core has no desktop shell, Explorer or browser, so there are fewer binaries to patch and substantially less attack surface. Everything you need on a DC is reachable through PowerShell, RSAT from a management workstation, or Windows Admin Center.
  • Do not run other software, applications, or services on a DC.
    • Add the AD DS role (and DNS), configure your new DC, and that's it. Anything that runs as SYSTEM or local admin on a DC effectively has Domain Admin, because it can read the directory database and the credentials in it. Every agent, backup client or management tool you add is one more path to that level of access.
  • If using physical servers, standardize on the hardware (and software) configuration of all your domain controllers.
    • This makes it easy to maintain and update your DCs. If you use the same memory DIMMs and SSD drives everywhere, you can keep spares on hand and never wonder whether this SSD is compatible with that DC. They will all be interchangeable!
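A quick way to check a DC against the first two rules is the following added example (not code from the original article). Run it in an elevated prompt on the DC itself. The allow-list of top-level roles (AD DS, DNS and the File and Storage Services role that every Windows Server installation carries) and the "binary outside %SystemRoot%" heuristic for third-party services are assumptions; adjust them to your own build standard.

```powershell
# Added example: audit a DC for Server Core and for software beyond the AD DS role.
# The role allow-list and the service heuristic are assumptions, not a Microsoft baseline.
$report = [ordered]@{}

# 1. Server Core? The registry reads 'Server Core' on Core and 'Server' on Desktop Experience.
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$report['InstallationType'] = $installType
$report['IsServerCore']     = ($installType -eq 'Server Core')

# 2. Only the expected top-level roles installed? Flag anything else.
$allowedRoles   = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'
$installedRoles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
$report['UnexpectedRoles'] = ($installedRoles | Where-Object { $_.Name -notin $allowedRoles }).Name -join ', '

# 3. Third-party services are the usual way "just one more thing" lands on a DC.
#    Heuristic: a service whose binary does not live under %SystemRoot% deserves a question.
#    Microsoft components under Program Files (Defender, for example) will appear too; this is
#    a review list, not a verdict.
$sysRoot = [regex]::Escape($env:SystemRoot)
$foreign = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch "^`"?$sysRoot" } |
    Select-Object Name, PathName
$report['NonWindowsServices'] = ($foreign | ForEach-Object { $_.Name }) -join ', '

[PSCustomObject]$report | Format-List

if (-not $report['IsServerCore'] -or $report['UnexpectedRoles'] -or $report['NonWindowsServices']) {
    Write-Warning 'This DC deviates from the dedicated Server Core baseline; review the items above.'
}
```

Wrap it in a scheduled task or your configuration-management tool and the third rule (standardization) takes care of itself: any DC whose report differs from the others is the one to look at.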

If you want to decouple domain controllers from specific physical hardware and gain flexibility and additional protection for your Active Directory infrastructure, it's also possible to virtualize your DCs. Check our best practices for installing Active Directory domain controllers in a virtual machine for more details.
