A domain describes a collection of users, systems, applications, networks, database servers, and any other resources that are administered with a common set of rules. Generally, a domain also encompasses a physical space like an office or multiple offices. If you are within the domain, you are in a theoretically safe space and trusted. If outside, you are untrusted, so the domain would effectively be your castle with a moat around it.
A domain controller (DC) is a server that manages network and identity security, effectively acting as the gatekeeper for user authentication and authorization to IT resources within the domain. Domain controllers are particularly relevant in Microsoft directory services terminology, and function as the primary mode for authenticating Windows user identities to Windows-based systems, applications, file servers, and networks. They also host Active Directory services.
The popularity of Windows systems for enterprise solutions established the domain controller as a common term in networking architecture. However, recent trends have antiquated their use — especially for non-Windows systems. Domain controllers as they exist today don’t meet the requirements of small and medium-sized enterprises (SMEs). That has led many organizations to seek alternative cloud identity and access management (IAM) solutions and device management that works on systems beyond Windows. The domainless enterprise accomplishes what domain controllers did for Windows networks through cloud-based infrastructure. It treats identities as the perimeter and devices as a gateway to resources.
However, domain controllers remain a foundational technology for SMEs and can be extended and improved by cloud directories, including JumpCloud’s open directory platform. This article provides an in-depth introduction to domain controllers, how they work, and how to use them.
Intro to Domain Controllers
The concept of the domain controller was first introduced by Microsoft to manage Windows NT-based networks. It provided IT admins a way to control access to resources within a domain — essentially an organization’s users and IT resources. In this environment, all user requests are sent to the domain controller for authentication and authorization. The domain controller then authenticates the user identity, typically by validating a username and password, then authorizes requests for access accordingly. Windows Server has evolved over the years with the inclusion of new features to support modern hosting paradigms and deployment options. Subsequent releases have added additional server roles, and can keep pace with newer hardware, authentication protocols, reporting, administration, and security requirements.
What Does a Domain Controller Do?
Domain controllers continued to enforce permissions and security policies for network resources while ensuring the overall security and reliability of the network. The later inclusion of Microsoft’s Active Directory (AD) enabled network administrators to manage user accounts and entitlements for Windows-based networks from a centralized location. AD sets policies such as password complexity requirements or account lockouts. It’s also possible to replicate data and user information to other domains on the network, whether on-premises or at another location.
AD has since played a critical role for many organizations for over two decades. Domain controllers remain relevant to the modern enterprise, but lock users into Windows networks without the inclusion of cloud services that federate identity and manage all device platforms.
How Is Active Directory Set Up on a Domain Controller?
- Active Directory Domain Services (AD DS). This is the core service of Active Directory. Besides storing the directory information, it also controls which users can access each enterprise resource and enforces group policies. AD DS uses a tiered structure of domains, trees, and forests to organize networked resources.
- Active Directory Lightweight Directory Services (AD LDS). It shares the same codebase and functionality as AD DS. However, unlike AD DS, AD LDS uses the Lightweight Directory Access Protocol (LDAP) in a way that allows multiple instances to run on the same server.
- Active Directory Federation Services (AD FS). As the name suggests, AD FS is a federated identity service that provides single sign-on (SSO) capabilities. It uses many popular protocols such as OAuth, OpenID, and Security Assertion Markup Language (SAML) to pass credentials between different identity providers.
- Active Directory Certificate Services (AD CS). This is a service that creates on-premises public key infrastructure (PKI), allowing organizations to create, validate, and revoke certificates for internal use.
Follow these steps to set up AD:
Install Windows Server: Designate a Windows Server instance to be your primary domain controller. Dedicate a virtualization platform or server that meets the minimum hardware requirements to run Windows Server and leave room for expansion.
- It’s likely that you’ll need additional server instances and roles if you’re building an infrastructure around the DC. Microsoft modified its licensing regime to function on a per-core basis (not to mention every Client Access License (CAL) you need). Keep these added costs in mind, because server core licensing may be more expensive than you realize.
Install Active Directory Domain Services: Install AD DS using the Server Manager or PowerShell. Have a contingency plan for backups and to address what happens if your DC goes down.
Promote the Server to a Domain Controller: Next, you’ll need to promote the server to a domain controller. The Active Directory Domain Services Installation Wizard will assist with specifying the appropriate settings for your network.
Configure Active Directory: Configure Active Directory to suit your network requirements. This involves creating organizational units, users, groups, and other network components. Meeting modern security standards can be a complex process that should only be attempted by experienced administrators who understand the risks involved.
Configure DNS: Active Directory relies heavily on DNS (Domain Name System) for name resolution, so configure DNS properly to ensure that Active Directory functions correctly. Run at least two internal DNS servers and consider using Active Directory integrated zones, which improve reliability and performance and let the DNS server reject record updates from hosts that aren’t authorized.
Configure Group Policy: Finally, configure Group Policy, which allows you to manage and enforce policies across the network. Group Policy settings can be applied at the domain, site, or organizational unit level. The default UIs can be challenging and laborious. GPO Templates make it easier to implement strong security postures for Windows such as CIS benchmarks.
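The six steps above carried out from an elevated PowerShell session on the server being promoted, as an added example that is not JumpCloud’s or Microsoft’s own script. The domain name corp.example.com, the NetBIOS name CORP, the OU, group, user and GPO names are placeholders, and both the DSRM and user passwords are prompted for rather than stored in the script.

```powershell
# Steps 1-2: install the AD DS role plus its management tools on a Windows Server instance.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 3: promote this server to the first DC of a new forest; DNS is installed alongside it.
# The DSRM (SafeMode) password is read interactively so it never lands in a script or history file.
$dsrm = Read-Host -Prompt "DSRM administrator password" -AsSecureString
Install-ADDSForest -DomainName "corp.example.com" -DomainNetbiosName "CORP" `
    -InstallDns:$true -SafeModeAdministratorPassword $dsrm -Force:$true
# The server reboots here; run the remaining steps after logging back in as a domain admin.

# Step 4: build the directory structure: OUs, a security group and a user (placeholder names).
$base = "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path $base
New-ADOrganizationalUnit -Name "Staff" -Path $base
New-ADGroup -Name "Helpdesk" -GroupScope Global -GroupCategory Security -Path "OU=Staff,$base"
$pw = Read-Host -Prompt "Initial password for jdoe" -AsSecureString
New-ADUser -Name "Jane Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@corp.example.com" `
    -Path "OU=Staff,$base" -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity "Helpdesk" -Members "jdoe"

# Step 5: keep the zone AD-integrated and accept only secure (authenticated) dynamic updates,
# so hosts that are not authorized cannot register or overwrite DNS records.
Set-DnsServerPrimaryZone -Name "corp.example.com" -DynamicUpdate Secure
Get-DnsServerZone -Name "corp.example.com" | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Step 6: a baseline GPO linked at the domain level with one sample CIS-style hardening value
# (NoLMHash = 1 stops LAN Manager hashes from being stored on the next password change).
$gpo = New-GPO -Name "Baseline Security"
Set-GPRegistryValue -Name $gpo.DisplayName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "NoLMHash" -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName -Target $base -LinkEnabled Yes
```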
Is a Domain Controller the Same as a DNS Server?
A DC functions as a gatekeeper for host access to domain resources and provides authentication into a domain using Kerberos and/or NTLM. It’s where policies are enforced and AD is hosted. The Domain Name System (DNS) protocol translates names into IP addresses so that users and hosts can locate services and navigate the web. A DNS server strictly provides DNS services.
Other Domain Controller Implementation Options
The following deployment options can help admins to save money and meet their requirements.
Global Catalog (GC): The GC is an unofficial Flexible Single Master Operations (FSMO) role and AD feature that provides information about any object across all forest domains. Select attributes are replicated to GC servers, which allows admins to pull necessary information.
Read-Only Domain Controllers (RODC): An RODC is an option to host a read-only copy of Active Directory for branch offices when IT resources are limited. It serves as an economical alternative to establishing secure data center facilities at every branch of an organization. Authentication requests go to the RODC rather than across a WAN link, which improves security. The RODC holds a limited subset of the directory data, and credential caching is defined by policy. Local administrators can make changes that won’t affect the primary DC at headquarters.
Directory Services Restore Mode (DSRM): DSRM is a special boot mode to help admins recover AD databases and restore system state. This is a similar concept to “Safe Mode” in Windows. Hackers sometimes use pen-testing tools such as Mimikatz to activate and capture local DSRM admin credentials. They can obtain remote access using local admin accounts.
Domain Controller Setup and Best Practices
Attackers employ several common methods to elevate privileges and create persistence. The following steps take those into consideration and can help to prevent breaches from happening:
- Disable the default administrator user. This is a primary attack vector.
- Limit the use of domain admin privileges. Don’t run as an admin user and consider time-based privileged elevation. When AD is installed, consider having administrative accounts reside within a separate forest (Red Forest model) from other users by implementing authentication policy silos. This configuration may require external experts, training, and add-on tools to implement. It’s extremely important to plan out the design and configuration and to implement monitoring and logging.
- Implement new Active Directory enhanced features such as protected groups, restricted RDP, time-based group membership, and testing. Consider an intrusion detection system, because AD contains all of your “keys to the kingdom.”
- Use different servers for RDP and MMC access. I encountered a DC that hosted the RDP role service directly on it, and my team (in a previous role) had to reprovision it for a “clean” baseline.
- Be judicious when you install third-party applications on DCs, and only install software from suppliers you trust.
- Restrict internet access to DCs through network filtering and consider using a defense in-depth approach. Microsoft recommends using Defender for Identity, which requires deploying sensors and obtaining licensing. It’s a standalone subscription that’s also bundled into premium SKUs including Enterprise Mobility + Security 5 suite (EMS E5).
- Admins should establish a program to harden their DCs, patch and remediate, and maintain an appropriate security baseline. For instance, prevent web browsing from a DC. Microsoft recommends these actions to secure DCs from attack.
- Use Local Administrator Password Solution (LAPS) to manage local admin passwords on domain-joined computers. It will randomize local administrators’ passwords.
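An added audit script, not a JumpCloud or Microsoft tool, that checks a domain against several of the items in the checklist above: the built-in Administrator account, Domain Admins membership and Protected Users coverage, LAPS schema presence, and whether any DC hosts the RDP Session Host role. It assumes it is run as a domain admin from a domain-joined workstation with the RSAT ActiveDirectory and ServerManager modules installed.

```powershell
# Added example: read-only checks against the hardening checklist; nothing is changed in AD.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$findings = @()

# Built-in Administrator: its RID is always 500, so look it up by SID rather than by (renamable) name.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Enabled
if ($builtin.Enabled) { $findings += "Built-in Administrator ($($builtin.SamAccountName)) is still enabled" }

# Domain admin sprawl: every recursive member of Domain Admins should be a known tier-0 account.
$dadmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive
$findings += "Domain Admins has $($dadmins.Count) member(s): $($dadmins.SamAccountName -join ', ')"

# Privileged accounts outside Protected Users miss the Kerberos-only, no-delegation protections.
$protected = (Get-ADGroupMember -Identity "Protected Users" -Recursive).SamAccountName
foreach ($a in $dadmins) {
    if ($protected -notcontains $a.SamAccountName) { $findings += "$($a.SamAccountName) is not in Protected Users" }
}

# LAPS: is the schema extended? Legacy LAPS uses ms-Mcs-AdmPwd, Windows LAPS uses msLAPS-Password.
$schema = (Get-ADRootDSE).schemaNamingContext
$laps = Get-ADObject -SearchBase $schema -Filter 'lDAPDisplayName -eq "ms-Mcs-AdmPwd" -or lDAPDisplayName -eq "msLAPS-Password"'
if (-not $laps) { $findings += "No LAPS schema attributes found; local admin passwords are not being randomized" }

# RDP hosted on a DC: check each DC for the Remote Desktop Session Host role (ServerManager module).
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $rds = Get-WindowsFeature -Name RDS-RD-Server -ComputerName $dc.HostName
    if ($rds.Installed) { $findings += "$($dc.HostName) hosts the RDP Session Host role" }
}

$findings | ForEach-Object { Write-Output "FINDING: $_" }
```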
Why Are Domain Controllers Important?
Domain controllers prevent unauthorized access to resources while ensuring that local domain identities/resources are managed and authorized through directory services. They can also scale to support large and complex networks and customized directory requirements.
What Are the Benefits of a Domain Controller?
Domain controllers centralize user lifecycle management for local domains. They can help to deploy Windows applications to groups of users while establishing the prerequisite security settings for files and programs. Windows DCs are a mature technology that’s widely supported, extensible with third-party solutions, and can be used to federate identities to the cloud.
What Are the Limitations of a Domain Controller?
DCs don’t provide high availability or security best practices out of the box. Organizations may require several domain controllers at different physical locations in order to ensure that there’s no single point of failure. The load on DCs increases as environments grow, which can impact the performance of applications and network services that are dependent on them. This weakness may require additional hardware resources or modifications to your infrastructure to remediate.
This aspect of DCs increases the overhead of maintaining data centers beyond standard configurations and patching. New servers require extending infrastructure and security, and some specialized knowledge and skills are necessary to do it correctly. This increases the costs of training and staffing. DCs will require careful planning, management, and monitoring.
Your domain controllers will always be at risk of zero-day Windows vulnerabilities. Constant vigilance and diligent entitlement management are essential.
Enabling remote work can also be a challenge. IT teams that are AD centric must connect remote users to their LANs through VPNs or alternatives including a software-defined WAN (SD-WAN) and secure access service edge (SASE). By contrast, purpose-built cloud services can more easily manage remote endpoints and identities with less infrastructure and overhead. There’s also no potential to extend SSO to web apps, no multi-factor authentication (MFA), and no conditional access rules for privileged users without add-on cloud or software solutions.
Modern Domain Controllers
JumpCloud’s open directory platform is a cloud directory service that eliminates the need for an on-prem domain controller by shifting IAM and device management to the cloud. It connects users to whatever IT resources they need, regardless of platform, protocol, provider, and location. All of the secure identity validation still occurs, but you don’t need to manage a server. You can keep Active Directory and use cloud services other than Azure Active Directory and Intune for single sign-on (SSO) and mobile device management (MDM) for your entire fleet.
Cloud-delivery reduces infrastructure costs, simplifies deployment, and maximizes what you already have. Additionally, attribute-based access control and HR system integrations can enable advanced user lifecycle management scenarios to lower overall management overhead. These capabilities are driven by your workflows versus being parceled off as premium features.
Domain Controllers in an Open Directory
JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. It can extend both AD and the free tier of AAD to accomplish more, with a lower TCO. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. JumpCloud ensures that every resource has a “best method” to connect to it, including LDAP, OIDC, RADIUS, and SAML. Like the original concept of a DC, users can employ a single set of credentials to access systems, applications, networks, file servers, and cloud apps.
Access is secured via environment-wide MFA with optional conditional rules for privileged users. A password manager is also available to support non-SSO applications. It delivers secure, frictionless access, from managed (or trusted) devices running any platform. JumpCloud treats identities as the new perimeter. This is made possible through positioning every device as a gateway to your resources through identities. There are no add-ons for device management or consuming external identities: JumpCloud produces value lock-in versus vendor lock-in.
If you would like to learn more about the future of domain controllers and why the domainless enterprise may be the future approach for your organization, drop us a note. Alternatively, sign up for a trial of JumpCloud and see what a true cloud directory platform could be for you.