A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain.
It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources.
A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain.
It allows hierarchical organization and protection of users and computers operating on the same network.
In simpler terms, when a user logs into their domain, the DC authenticates and validates their credentials (usually in the form of username, password and/or IP location) and then allows or denies access.
A domain controller gives access to another domain in a trust relationship so that a user logging into a domain can access resources in another domain.
Early versions of Windows such as Windows NT had one domain controller per domain, which was called a primary domain controller.
All other domain controllers were backup domain controllers.
Beginning with Windows 2000, the primary domain controller and backup domain controller roles were replaced by Active Directory.
The domain controllers in these domains are considered to be equal, as all controllers have full access to the accounts database stored on their machines.
When a network is made up of hundreds of computers, managing the authentication of each individual machine may be too complicated.
To simplify this task, a single computer (the domain controller) can be dedicated to managing all the authentications for all the others (the clients).
All login credentials of all client computers and devices connected to the network are stored in the DC’s Active Directory. The Active Directory is shared by all computers on the network, and whenever a user tries to log in, their credentials are checked against those saved in this master directory database.
To strengthen security, no one except the administrator of the DC has the authority to change security or login information or add new computers to the domain.
A DC is usually a key target during a cyberattack since it represents a primary entry point to the entire infrastructure. To prevent serious data breaches, DCs are usually protected with robust cybersecurity measures.
To ensure that network resources are always stable and readily available, DCs are often deployed as a cluster.
The network administrator may designate a single primary domain controller (PDC) as well as additional backup domain controllers (BDCs). Periodically, the PDC automatically creates a read-only backup copy of the Active Directory database on all BDCs.
If the server performing the domain controller role is lost, the domain can still function. If the PDC is not available or fails, the administrator can designate an alternate BDC to assume the role.
BDCs are also used to ease the workload when the network is too busy.