It’s common to think that a domain controller vs Active Directory is synonymous with each other. In fact, they are very different. Knowing these differences will help you better understand how both work together.
Discover, report and prevent insecure Active Directory account passwords in your environment with Specops’ completely free Password Auditor Pro. Download it today!
For this article, we’ll center on Windows NT terminology. Many of the concepts and terms are the same or similar in Linux. To tell the domain controllers vs. Active Directory story, I’m going to use a story about a nightclub.
I hope this will relate the equivalent scenarios and differences between Active Directory vs domain controller functionality better than simply regurgitating documentation.
If you’re looking for Active Directory explained, you’ve come to the right place.
Table of Contents
A bouncer named Ox is standing guard at the door of the nightclub dubbed Club BOFH. Ox’s job is to check names against a list before letting someone in line get into the club. Every hopeful club-goer in line wants to get in, but they have to be on the ‘A’ list.
Not on the list? They don’t get in. If they try, they get ejected! The bouncer is providing a critical service to the nightclub owner, who, when not running a club, writes these types of blog posts explaining IT topics.
The domain controller (Ox the bouncer) or DC, is providing security services for the night club. A domain controller hosts a database (the ‘A’ list) that is used for authentication requests (the club-goer giving their name to Ox).
Once Ox authenticates the club goer, they detach the velvet rope and allow the club-goer (a user or computer) to pass. This is the only way to gain access to domain resources (drinks, music, and dancing within the night club).
Ox has a few friends (member servers acting as domain controllers or DCs) help out. Should one of them get overpowered by an angry person that was ejected from the night club, any one of them can step in and continue providing security services.
Ox does well providing redundant security services. But how do Ox and friends get the list of club-goers who are or aren’t allowed to enter Club BOFH?
Club BOFH is unique. There’s only one location. The night club’s owner, Roscoe, has a black book that contains all club-goers who are authorized to enter and have paid their membership fees.
If business continues to pick up, Roscoe plans on opening new locations.
Ox uses this black book while providing security every night. Roscoe updates this book regularly too. Names are always being added or removed, often with notes on what a club-goer can and cannot do while inside Club BOFH.
Ox’s closest friend, Hanz (who helps out daily), has a copy of this black book and occasionally compares their list to what Ox has. Any entry in Ox’s book that is not included in Hanz’s book is added or removed.
Sometimes Ox has left the book at home. This isn’t a problem as Ox can still look at what Hanz has recorded and shared.
The Active Directory (Club BOFH) Domain consists of an Active Directory Server (Roscoe) or ‘AD’ server and an Active Directory Service (little black book). This service stores objects like user and computer account information.
Ox and friends employed by Roscoe (directory domain controllers) all use the same domain service because they are only operating in an Active Directory Domain.
Additional Terms To Know
Here’s some critical information to understand:
- An identity can be a single user or computer. It can also be a group of users or computers. When you look at Active Directory Users and Computers (ADUC), you see user names and security group names. These are identities.
- A security principal is used to authenticate an identity and is what handles what permissions an identity has. It’s used to prove that an identity is genuine.
- A security identifier is just a key that is associated with an identity that determines authority on the domain.
- An account is either a user or computer. A user account stores information related to the user identity and is used to verify access to network resources such as file shares.
A computer account contains information that authenticates the account to the domain. Every computer account includes a unique security identifier (SID).
It’s not just Domain Controller vs Active Directory
Want to quickly check your Active Directory for leaked passwords? Specops has a tool that does so for free and generates a nice report as well.
Remember the example scenarios earlier involving Club BOFH.
Sit down at your computer to log in. Your computer is already a member of the domain. It has an account that’s been authenticated using the SID that was assigned to your computer, allowing this computer access network resources.
This was done through an exchange of security keys between the computer and the domain controller.
You proceed to type in your username, which is your identity tied to your user account. Your account has a SID, and the security principal assigns your rights to logon locally. Your Microsoft Outlook program is already configured using your company’s Exchange server.
Where is all this information stored? It’s assigned to you in Active Directory. The computer account could also have data stored, such as location and who manages it.
The differences between what Active Directory does and what a domain controller does isn’t a difficult subject once you can visualize the process. It’s easiest to remember that domain controllers authenticate your authority, and Active Directory handles your identity and security access.
Additional Learning Resources
Want to learn more? Here are a few resources to read through that covers some deeper technical explanations for Windows & Linux.