What is a Domain Controller? What is Active Directory?
So What is a Domain Controller? What is Active Directory? And… How does it work?
What is a Domain Controller:
A domain controller is a computer network server that responds to authentication requests and verifies users.
Domains are a hierarchical method of organizing users and computers that share a network.
All of that data is structured and safeguarded by the domain controller.
The domain controller (DC) is the server that houses Active Directory (AD), the keys to the kingdom.
While attackers use a variety of methods to gain elevated access to networks, including attacking the DC itself, you can use your DCs not only to defend against cyber-attacks but also to identify attacks in progress.
What is the main use of a Domain Controller:
The DC's primary responsibility is to authenticate and confirm network user access.
When users log into their domain, the DC examines their login, password, and other credentials to determine if they should be granted or denied access.
The most common examples are Microsoft Active Directory and Microsoft Azure AD; Samba is the Linux-based counterpart DC.
What is Active Directory?
In definition terms, Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.
In simpler terms, Active Directory is a tool that helps you manage users and computers in a business organization. As long as you have a domain controller, you can then set up all the users and all the computers you have in your network environment.
What is the main use of Active Directory:
This set of services allows you to manage users: create users, delete users, and reset passwords for user accounts on your network. You can create security groups that control access to different folders and different parts of your network.
This is a tool to help you manage the network in your organization. Both security and productivity can increase with the use of Active Directory and a Domain Controller.
Example to explain the relationship between Active Directory and a Domain Controller:
ACTIVE DIRECTORY compared to a DOMAIN CONTROLLER is like a car to an engine.
A domain controller is one of the most crucial servers in an Active Directory domain, just as there are various sorts of cars, each of which requires an engine to function.
A domain controller is present in every domain, although not every domain is Active Directory.
To put it another way: Active Directory is a directory service for Windows domain networks, and the Domain Controller is what serves that service on your Windows domain network. So there is a difference between Active Directory and a Domain Controller: one is the service, while the other is the component that serves that service.
Overview of Active Directory:
Active Directory Components
The LBL Active Directory structure consists of:
- A single Forest
- A single root domain
- Multiple Organizational Units, each containing:
  - Computer Accounts
  - User Accounts
  - Groups
  - Group Policy Objects
- Domain controllers (software and hardware):
  - 2 Domain Controllers
  - 2 remote Domain Controllers
Organizational Units (OUs)
Departments and units are encouraged to join the LBL forest as an Organizational Unit.
OUs are containers for directory objects (i.e., user, computer, and policy objects).
The primary purpose of an OU is to make management and delegation easier.
Control of an OU in the LBL forest is delegated to an OU administrator group.
The OU Admin group has the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs) in its OU and sub-OUs.
Computer Accounts
Because the LBL forest consists of a single domain, and all computer accounts in the same domain must have a unique name, you will not be able to use a computer name if it has already been assigned to another computer in the LBL domain.
User Accounts
The account name must be unique within the LBL domain. The AD user account name should match the employee's Company Identity account name.
Groups
Groups represent a tool for organizing user accounts so that resources may be assigned in an efficient way.
A Microsoft Active Directory group may be one of six types. The type generally used at most companies is the Global Security Group.
The LBL recommended naming standard for Active Directory security and distribution group names is oun-GroupName, where oun is your OU name and GroupName is a descriptive name that explains the purpose of the group.
Group Policy Objects (GPOs)
GPOs are sets of common configuration settings used for distributing software, changing the user environment, and managing directory objects such as computers and users.
OU admins are required to name their GPOs using <top-level OU name>-<GPO purpose>, such as CIS-DesktopRestrictions, so that GPOs created by one OU admin group are not accidentally linked by another OU admin group.
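The two naming conventions above (oun-GroupName for groups, OU-Purpose for GPOs) are easy to check automatically. The following is an added example, not part of the original post or of LBL's tooling: it reads the top-level OU names from the domain and reports every group and GPO that does not carry one of them as its prefix. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation.

```powershell
# Added example (not from the original post): report AD groups and GPOs whose
# names do not follow the <OU name>-<purpose> convention described above.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain-joined
# admin workstation; the top-level OU names are read from the domain itself.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-TopLevelOUNames {
    # Top-level OUs are the direct children of the domain root
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -SearchScope OneLevel |
        Select-Object -ExpandProperty Name
}

function Test-NamingConvention {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$OUNames)
    # Accepts e.g. CIS-DesktopRestrictions; rejects names without a known OU prefix
    $prefixes = ($OUNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    return [bool]($Name -match "^($prefixes)-\S+$")
}

function Find-NonConformingNames {
    $ous = Get-TopLevelOUNames
    # Only groups that live under an OU were created by OU admins; built-in
    # groups in CN=Users and CN=Builtin are outside the convention.
    $groups = Get-ADGroup -Filter * |
        Where-Object { $_.DistinguishedName -like '*,OU=*' } |
        Where-Object { -not (Test-NamingConvention -Name $_.Name -OUNames $ous) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Group'; Name = $_.Name; Where = $_.DistinguishedName } }
    # The two default GPOs are Microsoft's and are excluded deliberately
    $gpos = Get-GPO -All |
        Where-Object { $_.DisplayName -notlike 'Default Domain*' } |
        Where-Object { -not (Test-NamingConvention -Name $_.DisplayName -OUNames $ous) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'GPO'; Name = $_.DisplayName; Where = $_.Id } }
    return @($groups) + @($gpos)
}

# Anything listed here is a candidate for being linked by the wrong OU admin group
Find-NonConformingNames | Format-Table -AutoSize
```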
Examples of Services in Active Directory:
Security services:
- Windows System Security Templates
- Windows System Firewall Configuration
- Windows System Operating System and Microsoft Application Patch Management via Windows Server Update Services (WSUS)
- Windows System Local Administrator Password Solution (LAPS) Deployment and Management
- Windows System Multi-Factor Authentication (MFA) Solution Distribution
- Additional Firewall Configuration for Windows systems whose users deal with "sensitive" information.
Reporting Services:
- Account management info
- Computers in Default Computers Container
- Inactive Users in Active Directory Report
- LBL Print Servers Daily Status Report
- LBL Domain Privileged Group Membership Report
- Status of security settings (application of security templates, for example)
- Other items in the monthly AD report
Software deployment:
- Central Acquisition of Software (Visio and Project for starters)
Provided for Customers by OU Administrators:
- Print Services
- File Services
- Web Services
Main Uses of Active Directory in IT Support Troubleshooting:
Desktop Support:
- Request drive mapping via login script when needed from OU manager
- Add user domain account to workstation
- Assist data owners with archiving to alternative storage (cloud/solid state device/Blu-Ray/dvd/cd)
- Provide the following (if possible) to the domain admins when you suspect a desktop-related problem stems from a change to the Active Directory or DC configuration:
  - event description
  - logon name of affected user
  - name of affected computer
  - time of event
  - relevant warnings and errors in event logs
  - relevant warnings or errors displayed on screen
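Most of the items in that list can be gathered from the affected workstation in one go. The following is an added example (not from the original post): it records the logon name, computer name and authenticating DC, pulls the warnings and errors from the System, Application and Group Policy logs with their timestamps and first message line, and writes everything to a single file for the domain admins. The 24-hour window and the output path are assumptions.

```powershell
# Added example (not from the original post): collect the items the Desktop
# Support list above asks for (event description, logon name, computer name,
# time of event, event log warnings and errors) into one file for the domain
# admins. The 24-hour window and output path are assumptions.
function Get-ADTroubleshootingBundle {
    param(
        [int]$Hours = 24,
        [string]$OutFile = "$env:TEMP\ad-trouble-$env:COMPUTERNAME.txt"
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Logon name and name of the affected computer, plus which DC served the logon
    $identity = [pscustomobject]@{
        LogonName    = "$env:USERDOMAIN\$env:USERNAME"
        ComputerName = $env:COMPUTERNAME
        Domain       = (Get-CimInstance Win32_ComputerSystem).Domain
        LogonServer  = $env:LOGONSERVER
        CollectedAt  = Get-Date
    }

    # Errors (Level 2) and warnings (Level 3) from the logs where Netlogon,
    # Kerberos and Group Policy problems surface on a workstation
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System', 'Application', 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2, 3
        StartTime = $since
    } | Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
        @{ n = 'Description'; e = { ($_.Message -split "`r?`n")[0] } }

    $report = @(
        '=== Affected user / computer ==='
        ($identity | Format-List | Out-String)
        "=== Warnings and errors since $since ==="
        ($events | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap | Out-String -Width 200)
    )
    Set-Content -Path $OutFile -Value $report -Encoding UTF8
    return $OutFile   # hand this file (plus anything shown on screen) to the domain admins
}

Get-ADTroubleshootingBundle
```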
Help Desk Support:
- Create new user accounts
- Disable user accounts for ex-staff (remove password)
- Password reset service
- Creating and routing of tickets related to Active Directory issues
End Users:
Users who experience problems with a particular service should contact the IT Help Desk for general questions.
If the issue can't be resolved, the Help Desk (or the end user) can contact the OU administrator.
Steps to Add Your Windows 10 Computer to the Active Directory:
Be sure you are connected to the LBNL network (LBNL wired network, lbnl-employee WiFi, or LBNL VPN).
- Right click the Start button and select "System" from the list that pops up.
- You should be on the "About" page of Windows 10 System settings.
- In the upper right-hand corner, under "Related settings", click "System info".
- On the page that opens, check the section titled "Computer name, domain, and workgroup settings" in the center of the page.
- Be sure the computer name is in the format LDAPName-Tnn. If it is currently desktop-nnnnn or laptop-nnnnn it should be changed. See the Computer Naming Conventions page for the LBL AD naming convention rules.
- In "Computer name, domain, and workgroup settings" you can also check whether you are already in the LBL Active Directory. Below "Full computer name:" there is "Domain:". If it says "lbl.gov" you are in the AD and you are done! If it says "workgroup" (the default) you will be changing it.
- If you need to make changes, proceed to "Advanced system settings" at the bottom of the shortcut menu on the left side of the page.
- The "System Properties" page will open. Select the "Computer Name" tab on the left.
- On this tab there is a "Computer description:" box (it may be empty). Per our standards, add a description here in the following format: (OrgCode, Bldg-Room, Email address, Phone Number).
- If you need to change the name of the computer because it is not in the required format, start with Step 1 and change it here; otherwise proceed to Step 2.
Step 1
- To rename your computer (do this BEFORE you add your computer to the domain), click the "Change" button.
- The "Computer Name/Domain Changes" dialog will open. In the top "Computer name:" section, type the computer name you want to use.
- Click OK twice to save the change; the computer will ask to be rebooted.
- Perform the rename reboot, then come back to this point and add the computer to the domain by following Step 2.
Step 2
- To add your computer to the domain, click the "Change" button.
- The "Computer Name/Domain Changes" dialog will open. In the bottom "Member of" section, select the "Domain:" radio button and type "lbl.gov" in the box under "Domain:".
- Click OK twice to save the change; the computer will ask to be rebooted.
- After your computer is joined to the LBL domain the login screen will change. Be sure you know your login name, because you will be required to type it in.
- Also note that the computer will default to domain logons (it will say "Logon to: LBL" under the logon dialog). If you need to log on with a local account, put .\ (dot-backslash) before the username, e.g. .\username, to tell the system that you want to use a local account.
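The same procedure can be run from an elevated PowerShell prompt, which is useful when several machines need joining. The following is an added example, not part of the original post: it reproduces the checks above (current domain, name format) and performs Step 1 (rename, reboot) or Step 2 (join, reboot) depending on the machine's state. The domain name lbl.gov comes from this page; the regex is an assumed reading of the LDAPName-Tnn pattern, and the functions are hypothetical names.

```powershell
# Added example (not from the original post): the Windows 10 join steps above
# as PowerShell, run from an elevated prompt while on the LBNL network.
# Assumptions: domain "lbl.gov" from this page; the LDAPName-Tnn pattern is
# interpreted as letters/digits, a dash, "T" and two digits.
$Domain      = 'lbl.gov'
$NamePattern = '^[A-Za-z][A-Za-z0-9]*-T\d{2}$'

function Get-JoinState {
    # Same facts as "Computer name, domain, and workgroup settings" in System info
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain            # workgroup name when not joined
        NameIsValid  = [bool]($cs.Name -match $NamePattern)
    }
}

function Set-LblComputerDescription {
    # Fills the "Computer description:" box in the page's (OrgCode, Bldg-Room, Email, Phone) format
    param([Parameter(Mandatory)][string]$OrgCode, [Parameter(Mandatory)][string]$BldgRoom,
          [Parameter(Mandatory)][string]$Email,   [Parameter(Mandatory)][string]$Phone)
    Set-CimInstance -Query 'SELECT * FROM Win32_OperatingSystem' `
                    -Property @{ Description = "$OrgCode, $BldgRoom, $Email, $Phone" }
}

function Join-LblDomain {
    param([string]$NewName)   # only needed when the current name fails the convention
    $state = Get-JoinState
    if ($state.PartOfDomain -and $state.Domain -ieq $Domain) {
        Write-Host "Already a member of $Domain; nothing to do."
        return
    }
    if (-not $state.NameIsValid) {
        # Step 1: rename BEFORE joining, reboot, then run Join-LblDomain again for Step 2
        if (-not $NewName -or $NewName -notmatch $NamePattern) {
            throw "'$($state.ComputerName)' does not match $NamePattern; rerun with -NewName LDAPName-Tnn"
        }
        Rename-Computer -NewName $NewName -Force -Restart
        return
    }
    # Step 2: join with your domain credentials; the machine reboots and then
    # shows domain logons by default (use .\username for a local account).
    Add-Computer -DomainName $Domain -Credential (Get-Credential -Message "Your $Domain account") -Restart
}
```

Call `Set-LblComputerDescription` before `Join-LblDomain` so the description is in place when the computer object is created.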
Take a look at my Resources Page for a Full List of Tools, Websites, and other recommendations I suggest.
Tech Kaya credits the educational content provided by the valuable content creators that influenced this post. This post was created to demonstrate that I have an understanding of this technology and to share it with the world.