Networking Basics 5: Domain Controllers
What is a domain controller, and how do you choose one for your network infrastructure?
In a previous article we discussed the roles of the different computers on a network. In today's article we will discuss what a domain controller is and how to choose one for your network infrastructure.
One of the most important concepts in Windows networking is the domain. A domain is a collection of user accounts and computer accounts grouped together for centralized management, and that management is the job of the domain controller, which makes the use of network resources easier.
So why is the domain controller so important? On the network, any workstation running Windows XP has a set of pre-made user accounts, and Windows XP lets you create additional accounts if necessary. If the workstation functions as a standalone system or as part of a peer-to-peer network, these workstation-level user accounts (called local user accounts) cannot control access to network resources. They are used only to regulate access to the local machine and to guarantee that an administrator can perform maintenance on the workstation without end users interfering with its settings.
The reason a local user account on a given workstation is not allowed to control access to resources outside that workstation is that doing so would add a huge management burden. Local user accounts reside only on their individual workstations. If such accounts were the primary security mechanism on the network, the administrator would have to physically go to the computer holding the account whenever its permissions needed to change. This is not a big problem on a small network, but it becomes extremely heavy on a large network or whenever a wide-ranging change must be made to all accounts.
Another reason is that no one wants to have to switch user accounts when moving from one machine to another. For example, if a user's computer is compromised, that person cannot log on to another computer to keep working, because the account they created is valid only on the old computer. To do so, they would have to create a new account on the other machine.
This is just one of the many reasons why using local user accounts to secure access to network resources is impractical. Even if you wanted to implement this type of security, Windows would not allow it: local user accounts can only be used for local resources on a given workstation.
A domain solves the problems mentioned above and some others as well. It centralizes the user accounts (and other configuration and security-related objects, which we will discuss in a later article). This makes administration easier and allows users to log in from any computer on the network (unless you restrict where they may log in).
With this information you might think that, in principle, when a user wants to access resources located on a server, a server-level user account is used to control that access. This idea is correct in some respects, but there is much more to it than that.
Back in the early 1990s, when I was working for a large insurance company, I used a network with servers running Novell NetWare. Windows networking had not yet been created, and Novell NetWare was the only server operating system to choose from. The company had only one network server, which contained all the user accounts and all the network resources that needed to be accessed. A few months later, someone decided that users at the company needed to run a new line-of-business application. Because of the size of the application and the large amount of data, the application had to be located on a dedicated server.
The version of Novell NetWare the company was using at the time followed a pattern: a resource resided on a server and was protected by user accounts that also resided on that server. But this created a problem: each server had its own unique, complete, and independent set of user accounts. When another server was added to the network, users could still log in the normal way, but a new username and password had to be created for them.
At first, everything went well. But about a month later, when I installed some more programs on the new server, things went badly. The servers forced users to change their passwords, and the users did not realize that they had to change them in two different places. That meant the passwords lost sync, and the helpdesk was overwhelmed with calls related to password resets. As the company grew and added new servers to the network, the problem got worse and worse.
Eventually, the problem was resolved when Novell released version 4.0 of NetWare. NetWare 4 introduced a technology called Directory Service. The idea was that users no longer had to have separate accounts on each server. Instead, a single account was used to verify the user on the entire network, regardless of how many servers there were on that network.
An interesting thing about domains is that, although domains are unique to Microsoft networks (Novell does not use domains), they work on the same basic principle. When Windows 2000 was released, Microsoft included a component that is still in use today: Active Directory. Active Directory is very similar to the Directory Service used by Novell networks in the past.
What does all this have to do with domains? When a Windows server running Windows 2000 Server, Windows Server 2003, or the forthcoming Longhorn Server is a domain controller, its job is to run the Active Directory service. Active Directory acts as a store for directory objects, including user accounts, and one of the domain controller's primary jobs is to provide authentication services.
It should be noted that the domain controller provides an authentication service, not an authorization service. That is, when a user logs on to the network, a domain controller checks that the username and password they entered are valid and match the data stored on the domain controller. But the domain controller does not tell the user what resources they may access.
Resources on a Windows network are protected by Access Control Lists (ACLs). An ACL is a list of who is authorized to do what. When a user tries to access a resource, they present their identity to the server hosting that resource. That server checks that the identity has been verified by the domain and then consults the ACL to see what the user is permitted to do.
Conclusion: As you can see, the domain controller plays a very important role in the Windows network. In the next article in this series, we will continue with domain controllers and Active Directory.
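To make the split between the domain controller's authentication and the resource host's ACL check concrete, here is an added Python model (not code from the original article). The CORP domain, the user alice and the share path are constructed sample values; the domain controller only answers "are these credentials valid?", and the file server alone decides what the verified identity may do.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted hash of the password, never the clear text
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DomainController:
    """Holds the domain's accounts; answers only whether credentials are valid."""
    domain: str
    accounts: dict = field(default_factory=dict)  # username -> (salt, hash)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str):
        """Authentication: return the verified identity DOMAIN\\user, or None."""
        record = self.accounts.get(username)
        if record is None:  # unknown (e.g. a workstation-local) account
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        return f"{self.domain}\\{username}"


@dataclass
class ResourceServer:
    """A member server: trusts DC-verified identities, enforces its own ACLs."""
    dc: DomainController
    acls: dict = field(default_factory=dict)  # resource -> {identity: {perms}}

    def access(self, username: str, password: str, resource: str, perm: str) -> bool:
        identity = self.dc.authenticate(username, password)  # step 1: who are you?
        if identity is None:
            return False
        # step 2 (authorization): the ACL on this host decides what you may do
        return perm in self.acls.get(resource, {}).get(identity, set())


if __name__ == "__main__":
    dc = DomainController("CORP")
    dc.add_user("alice", "correct horse")  # constructed sample account
    files = ResourceServer(dc, {r"\\FILES\share": {r"CORP\alice": {"read"}}})
    print(files.access("alice", "correct horse", r"\\FILES\share", "read"))   # True
    print(files.access("alice", "correct horse", r"\\FILES\share", "write"))  # False
```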