
NETWORK ADMINISTRATION

OVERVIEW OF DOMAIN CONTROLLERS

Group 6: TRAN TU MAI - VU MAI LOAN
WHAT IS THE DOMAIN CONTROLLER?

- A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain.
- It is the centerpiece of the Windows Active Directory service.
- It authenticates users, stores user account information and enforces security for the Windows domain.

=> When a user logs into their domain, the DC authenticates and validates their credentials (IP location, username, password) and then allows or denies access.
BEST PRACTICE FOR SETTING UP A DOMAIN CONTROLLER

- Configure a stand-alone server for your domain controller.
- Limit both physical and remote access to your DC as much as possible.
- Standardize your DC configuration for reuse.

Pixelast | Design and Tech
Types of DC

2 types of DC used widely:

- Primary DC (PDC): information, images and databases that need to be secured are stored here carefully.
- Backup DC (BDC): when the old PDC gets an error, a BDC is promoted to serve as the new PDC.
BENEFITS OF DOMAIN CONTROLLER

• Centralized user management
• Enables resource sharing for files and printers
• Federated configuration for redundancy (FSMO)
• Can be distributed and replicated across large networks
• Encryption of user data
• Can be hardened and locked down for improved security
WHAT IS THE GLOBAL CATALOG?

GLOBAL CATALOG:
- Hosts a partial attribute set for other domains in the forest
- Supports queries for objects throughout the forest

(Figure: Global catalog server)
Definition of Global Catalog

• A global catalog is a data storage source containing partial representations of objects found in a multidomain Active Directory Domain Services (AD DS) forest.
• The global catalog is stored on domain controllers specifically assigned as global catalog servers. It can locate objects in any domain without knowing the actual domain name.
Function of Global Catalog

• The Global Catalog service is used to determine the location of an object to which a user is granted access.
• Global Catalog is the service responsible for the authentication of objects in the Active Directory system. The domain controller that stores the Global Catalog is called the Global Catalog Server.
• The Global Catalog stores all the objects of the domain that contains the Global Catalog and a part of the objects commonly searched by users of other domains in the forest.
• The Global Catalog improves the efficiency of directory services that are active and required for applications such as Exchange.
Global Catalog Server's function

• Maintains a set of object properties in Active Directory, used for searching users and computers.
• Allows users to log on to the network.
• Lets users define objects anywhere in the forest and manage universal groups.
• Determines where the Global Catalog is located, where roles are located, ...
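The partial-attribute-set and forest-wide lookup behaviour on these Global Catalog slides, as an added Python model that is not part of the original presentation and not AD DS code; the domain names, the sample objects and the attributes chosen as the partial attribute set are constructed assumptions:

```python
"""Toy model of the global catalog on the slides: every DC holds a full replica of
its own domain; a GC server additionally holds only the partial attribute set
for the other domains, so a forest-wide search finds an object without knowing
its domain. Constructed example, not AD DS code; the PAS below is an assumption."""
PARTIAL_ATTRIBUTE_SET = {"cn", "sAMAccountName", "mail", "objectClass"}

class DomainController:
    def __init__(self, domain: str, objects: dict, is_gc: bool = False):
        self.domain, self.objects, self.is_gc = domain, objects, is_gc
        self.gc_replica = {}   # DN -> partial attributes replicated from other domains

    def replicate_partial_set(self, other: "DomainController") -> int:
        """Only a GC server pulls the partial attribute set of another domain.
        Returns the number of objects added to the read-only GC replica."""
        if not self.is_gc or other.domain == self.domain:
            return 0
        for dn, attrs in other.objects.items():
            self.gc_replica[dn] = {k: v for k, v in attrs.items() if k in PARTIAL_ATTRIBUTE_SET}
        return len(other.objects)

    def search(self, sam: str, forest_wide: bool = False) -> list:
        """Domain search (LDAP port 389) sees own objects only; a forest-wide search
        (GC port 3268) also sees the partial replica, and only a GC can serve it."""
        hits = [(dn, a) for dn, a in self.objects.items() if a.get("sAMAccountName") == sam]
        if forest_wide:
            if not self.is_gc:
                raise LookupError("forest-wide query sent to a DC that is not a global catalog")
            hits += [(dn, a) for dn, a in self.gc_replica.items() if a.get("sAMAccountName") == sam]
        return hits

# Constructed forest: root domain corp.example (its DC is a GC) and child domain sales.corp.example
CORP = {"CN=alice,OU=IT,DC=corp,DC=example":
        {"cn": "alice", "sAMAccountName": "alice", "mail": "alice@corp.example",
         "objectClass": "user", "department": "IT"}}
SALES = {"CN=bob,OU=Staff,DC=sales,DC=corp,DC=example":
         {"cn": "bob", "sAMAccountName": "bob", "mail": "bob@sales.corp.example",
          "objectClass": "user", "department": "Sales", "badPwdCount": 0}}

def build_forest() -> tuple:
    root_dc = DomainController("corp.example", CORP, is_gc=True)
    child_dc = DomainController("sales.corp.example", SALES)
    root_dc.replicate_partial_set(child_dc)
    child_dc.replicate_partial_set(root_dc)   # no-op: child_dc is not a GC
    return root_dc, child_dc
```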
THE AD DS LOGON PROCESS:

1. User account is authenticated to DC1
2. DC1 returns TGT back to client
3. Client uses TGT to apply for access to WKS1
4. DC1 grants access to WKS1
5. Client uses TGT to apply for access to SVR1
6. DC1 returns access to SVR1

THE AD DS LOGON PROCESS:

TGT (Ticket Granting Ticket) includes 2 things:
1) A copy of the session key that the KDC uses to communicate with Dave. This is encrypted with the KDC's long-term key.
2) A copy of the session key that Dave can use to communicate with the KDC. This is encrypted with Dave's long-term key, so only Dave can decrypt it.
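The six-step exchange and the two-part TGT described on these two slides, as an added Python model that is not from the original presentation or from Windows; the realm, the principal "Dave", the passwords and the toy SHA-256 keystream cipher are assumptions, and that cipher only stands in for the Kerberos encryption types:

```python
"""Toy model of the logon exchange on the slides: the KDC (DC1) issues a TGT whose
two parts wrap one session key, then the client uses it to reach WKS1. Constructed
example, not Windows code; the SHA-256 keystream + HMAC 'cipher' is a stand-in."""
import hashlib, hmac, json, os, secrets

def derive_key(password: str, realm: str) -> bytes:
    # A principal's long-term key, derived from its password (toy string-to-key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # nonce || data XOR keystream || HMAC tag; the tag makes a wrong key detectable
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KDC:
    def __init__(self, realm: str):
        self.realm, self.krbtgt_key, self.principals = realm, secrets.token_bytes(32), {}
    def register(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, self.realm)

    def as_exchange(self, user: str) -> dict:
        """Steps 1-2: return the TGT. Part 1 is readable only by the KDC, part 2
        only by the user, and both carry the same fresh session key."""
        session_key = secrets.token_bytes(32)
        kdc_part = json.dumps({"user": user, "sk": session_key.hex()}).encode()
        return {"kdc_part": seal(self.krbtgt_key, kdc_part),
                "user_part": seal(self.principals[user], session_key)}

    def tgs_exchange(self, tgt: dict, authenticator: bytes, service: str) -> dict:
        """Steps 3-4: open part 1 with the KDC key, check the client's authenticator
        against the session key found inside, then grant access to the service."""
        inner = json.loads(unseal(self.krbtgt_key, tgt["kdc_part"]))
        expected = hmac.new(bytes.fromhex(inner["sk"]), inner["user"].encode(), "sha256").digest()
        if not hmac.compare_digest(expected, authenticator):
            raise PermissionError("authenticator does not match the TGT session key")
        return {"user": inner["user"], "service": service}   # toy service ticket

def client_logon(kdc: KDC, user: str, password: str, service: str) -> dict:
    tgt = kdc.as_exchange(user)
    session_key = unseal(derive_key(password, kdc.realm), tgt["user_part"])  # only Dave's key opens this
    authenticator = hmac.new(session_key, user.encode(), "sha256").digest()
    return kdc.tgs_exchange(tgt, authenticator, service)
```

Steps 5-6 for SVR1 are the same `tgs_exchange` call with a different service name and the same TGT.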
 
WHAT ARE OPERATIONS MASTERS?

In any multimaster replication topology, some operations must be single master. When the first domain controller in a domain is created, five operations master roles (two forest-level and three domain-level) are assigned automatically to that domain controller.

TWO FOREST-LEVEL ROLES:
• SCHEMA MASTER
• DOMAIN NAMING MASTER

THREE DOMAIN-LEVEL ROLES:
• RID master
• Infrastructure master
• PDC Emulator master
SCHEMA MASTER
• The Active Directory schema defines the kinds of objects, and the information about these objects, that can be stored in Active Directory.
• The SCHEMA master contains the master list of all object attributes and classes. These are used to create Active Directory objects.
• It allows only the SCHEMA ADMINS group members to modify the schema.

DOMAIN NAMING MASTER
• Addition or removal of domains from the forest is controlled by the DOMAIN NAMING MASTER.
• A child domain can be created using the ACTIVE DIRECTORY installation wizard.
• Operations like addition or deletion of domains cannot be performed if the domain naming master is not available.
PRIMARY DOMAIN CONTROLLER (PDC) EMULATOR
• Acts as a Windows NT primary domain controller to support backup domain controllers (BDC) running Windows NT in a mixed-mode domain.
• A changed password is written to the PDC emulator directly by Active Directory.
• The time on all domain controllers is set to match the time of the domain. This synchronization also applies to client computers, which synchronize time with the domain controllers that authenticate the user.

RID MASTER
• When a domain controller creates a new user, group or computer object, it assigns a security identifier (SID) to the object.
• The domain part of the SID is the same for every object created in the domain, and the RID is unique for each object in the domain.
• If the RID master is not available, new objects or security principals cannot be created on the domain controller.

INFRASTRUCTURE MASTER
• It updates object references in its domain. An object contains the globally unique identifier (GUID), the SID and the distinguished name of the object.
• The infrastructure master does the task of updating through replication by following these rules:
  • If an object is moved within a domain, its SID remains the same.
  • If an object is moved to another domain, its distinguished name and SID change. The distinguished name identifies the object's location in Active Directory.
  • The GUID of an object does not change regardless of location, because it is unique across domains.
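The RID master and infrastructure master rules on this slide, as an added Python model that is not from the original presentation or from Microsoft; the domain SIDs, distinguished names, RID block size and starting RID are constructed assumptions. It goes one step beyond the slide in one respect: a DC keeps creating objects from its already-issued RID block, so the RID master outage is felt when that block runs out.

```python
"""Toy model of the domain-level roles on the slides: the RID master hands out RID
blocks, each DC builds SIDs as <domain SID>-<RID>, and object moves follow the
infrastructure-master rules. Constructed example, not Microsoft's implementation."""
import uuid
from dataclasses import dataclass, field

class RidMaster:
    """One per domain: issues non-overlapping RID blocks to its domain controllers."""
    def __init__(self, domain_sid: str, first_rid: int = 1000, block: int = 500):
        self.domain_sid, self.next_rid, self.block = domain_sid, first_rid, block
        self.online = True

    def allocate_pool(self) -> list:
        if not self.online:
            raise RuntimeError("RID master unavailable: no new RID block can be issued")
        start, self.next_rid = self.next_rid, self.next_rid + self.block
        return list(range(start, start + self.block))

@dataclass
class ADObject:
    dn: str    # location in the directory; changes on every move
    sid: str   # <domain SID>-<RID>; reissued only on a cross-domain move
    guid: str = field(default_factory=lambda: str(uuid.uuid4()))  # never changes

class DomainController:
    def __init__(self, domain_dn: str, rid_master: RidMaster):
        self.domain_dn, self.rid_master, self.pool = domain_dn, rid_master, []

    def _next_rid(self) -> int:
        # A DC keeps creating from its cached block; it needs the RID master only
        # when that block is exhausted (so an outage bites once the pool runs dry).
        if not self.pool:
            self.pool = self.rid_master.allocate_pool()
        return self.pool.pop(0)

    def create(self, cn: str, ou: str) -> ADObject:
        return ADObject(dn=f"CN={cn},OU={ou},{self.domain_dn}",
                        sid=f"{self.rid_master.domain_sid}-{self._next_rid()}")

    def move(self, obj: ADObject, ou: str) -> ADObject:
        """Move into this DC's domain: same domain keeps the SID, another domain
        gets a new SID from its own RID master; the GUID is carried over."""
        cn = obj.dn.split(",")[0]
        same_domain = obj.dn.endswith("," + self.domain_dn)
        sid = obj.sid if same_domain else f"{self.rid_master.domain_sid}-{self._next_rid()}"
        return ADObject(dn=f"{cn},OU={ou},{self.domain_dn}", sid=sid, guid=obj.guid)

def domain_part(sid: str) -> str:
    """Everything before the last hyphen: identical for every principal in a domain."""
    return sid.rsplit("-", 1)[0]
```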
THANK YOU
