What is a Domain Controller, When is it Needed + Set Up

Domain controllers are common targets of attackers. Learn how to protect and secure your domain controllers to prevent data breaches.
Michael Buckbee
2 min read
Last updated January 19, 2022

A domain controller is a server that responds to authentication requests and verifies users on computer networks. Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.

The domain controller (DC) is the box that holds the keys to the kingdom- Active Directory (AD). While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but actually use DCs to detect cyberattacks in progress.

Get the Free Pen Testing Active Directory Environments EBook

What is The Main Function of a Domain Controller?

domain controller use

The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.

Microsoft Active Directory or Microsoft AzureAD are the most common examples, while Samba is the Linux based equivalent DC.

Why is a Domain Controller Important?

Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.

Domain Controller vs. Active Directory

ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine

Active Directory is a type of domain, and a domain controller is an important server on that domain. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.

Do I Need a Domain Controller?

In general, yes. Any business – no matter the size – that saves customer data on their network needs a domain controller to improve security of their network. There could be exceptions: some businesses, for instance, only use cloud based CRM and payment solutions. In those cases, the cloud service secures and protects customer data.

The key question you need to ask is “where does my customer data live and who can access it?”

The answer determines if you need a domain – and DC – to secure your data.

domain controller benefits and limitations

Benefits of Domain Controller

  • Centralized user management
  • Enables resource sharing for files and printers
  • Federated configuration for redundancy (FSMO)
  • Can be distributed and replicated across large networks
  • Encryption of user data
  • Can be hardened and locked-down for improved security

Limitations of Domain Controller

  • Target for cyberattack
  • Potential to be hacked
  • Users and OS must be maintained to be stable,  secure and up-to-date
  • Network is dependent on DC uptime
  • Hardware/software requirements

How to Set Up a Domain Controller + Best Practices

best practices for setting up a domain controller

  • Configure a stand-alone server for your domain controller.
    • If you are using Azure AD as your domain controller you can ignore this step.
    • If not, your DC should act exclusively as a DC.
  • Limit both physical and remote access to your DC as much as possible.
    • Consider local disk encryption (BitLocker)
    • Use GPOs to provide access to the SysAdmins in charge of administering Active Directory, and allow no other users to log in, either on the console or via Terminal Services.
  • Standardize your DC configuration for reuse

Setting up a secure and stable DC doesn’t not mean you are secure forever. Attackers will still try to hack into your DC to escalate privileges or enable lateral movement throughout your network. Varonis monitors AD for out-of-policy GPO changes, Kerberos attacks, privilege escalations, and more.

Want to see how it works? Get a personalized 1:1 demo to how Varonis protects DCs and Active Directory from cyberattacks.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

active-directory-domain-controller-(ad-dc)-could-not-be-contacted-[solved]
Active Directory Domain Controller (AD DC) Could Not Be Contacted [SOLVED]
Sometimes clients report an error “An Active Directory Domain Controller (AD DC) for the domain could not be contacted.” Read on to learn how to troubleshoot and resolve this issue.
5-fsmo-roles-in-active-directory
5 FSMO Roles in Active Directory
FSMO roles give you confidence that your domain will be able to perform the primary functions of authenticating users and permissions. Learn more today. 
a-queen’s-ransom:-varonis-uncovers-fast-spreading-“savethequeen”-ransomware
A Queen’s Ransom: Varonis Uncovers Fast-Spreading “SaveTheQueen” Ransomware
A new strain of ransomware encrypts files and appends them with the extension, “.SaveTheQueen,” and propagates using the SYSVOL share on Active Directory Domain Controllers. Our customers encountered this malware...
exchange-vulnerability:-how-to-detect-domain-admin-privilege-escalation
Exchange Vulnerability: How to Detect Domain Admin Privilege Escalation
Researchers recently uncovered a vulnerability in Exchange that allows any domain user to obtain Domain admin privileges that allow them to compromise AD and connected hosts. Here’s how the attack...