Are you confused about the differences between Active Directory (AD) and Domain Controller (DC)? You’re not alone, but in this article, I will take you through a comparison of Active Directory vs Domain Controller.
I will start with an overview of the two technologies. Then, I will explain and compare how they work.
There is also a comparison of their features in section three. Finally, you can read my FAQ section, where I answer common questions about this topic.
Active Directory is a centralized database that stores information about network objects. Some examples of objects stored by AD are users, computers, and printers.
By having these objects in AD, administrators can centrally manage and control access to them. For instance, Active Directory allows admins to manage file shares, printers, and other resources.
Compared to Active Directory, a Domain Controller is a server in an AD domain that manages access to network resources.
A DC runs a Microsoft Windows Server operating system; it authenticates users and authorizes their access to objects.
Specifically, DCs manage user accounts and security groups. Additionally, they set security policies and restrictions that apply to all users and computers within the domain.
Active Directory is a virtual concept, while Domain Controller is a physical concept.
How Active Directory vs Domain Controller Works
In my introduction, I mentioned that AD is a centralized database that stores information about objects. I also said that DC is a physical server that manages access to resources.
But how does Active Directory work in comparison to how Domain Controllers work?
While AD provides the overall structure of the directory network, Domain Controllers manage access to resources within the domain.
Active Directory can manage multiple domains, with each domain having its own set of Domain Controllers. For example, I can have an AD Domain called ITG.com.
The ITG.com AD domain can have multiple Domain Controllers (DCs) that handle user authentication and logon as well as authorization to resources.
Essentially, a DC is a physical server that is part of an AD.
Features of AD vs DC Compared
This section discusses the features of Active Directory and Domain Controllers to compare both technologies further.
Provide Authentication and Authorization
Active Directory and Domain Controller both provide authentication and authorization services for users and computers on a network.
As I already hinted several times, Active Directory is responsible for managing user accounts, passwords, and access to resources.
On the other hand, Domain Controller verifies user credentials and grants access to resources in the domain.
Active Directory provides a centralized location for SysAdmins to manage network resources, including users, computers, printers, and applications.
One common tool SysAdmins use to manage these AD objects is Active Directory Users and Computers. Other common tools for managing AD objects are ADSI, Active Directory Administrative Center, and PowerShell.
Domain Controller is responsible for managing access to resources within a specific domain, including setting security policies and restrictions.
Group Policy Management
Both Active Directory and Domain Controller provide group policy management capabilities. Group Policies allow System Administrators to configure settings for multiple computers and users in the domain from a central location.
These policies can control everything from the desktop’s appearance to the software installed on the computer.
SysAdmins use the Group Policy Management Console to create, edit, and deploy Group Policy Objects (GPOs). To read more about Group Policy concepts, see my articles on Group Policy, Group Policy Objects and RSoP, the GPUpdate command, and the GPResult command.
Active Directory and Domain Controllers Provide Scalability
Microsoft designed Active Directory to be scalable, supporting multiple domains and thousands of users and devices.
Domain Controller can manage access to resources within a specific domain, allowing you to segment your network and control access to resources based on user roles and responsibilities.
Security is at the Heart of AD and DC
Security is at the core of AD and DC. I have mentioned several times that AD stores objects and makes it easy for Admins to manage those resources.
You have also read in this article that Domain Controllers manage users’ login access to the domain. I have referred to this as “authentication” in this guide.
Additionally, DCs manage users’ access to objects in the directory. This process is called “authorization.”
Together, Active Directory and the Domain Controllers within it secure the objects in the directory.
AD Schemas, Global Catalog, Replication, and Indexing
Active Directory has other features that differentiate it from a Domain Controller. Here are some of those features:
- Active Directory has a set of rules that defines objects that can be created and their classes. This set of rules is known as the Active Directory schema.
The AD schema is stored in a Domain Controller and replicated across all Domain Controllers across the AD Forest.
- AD has a global catalog that contains information about all objects in the directory. The global catalog is stored in a Global Catalog server (which is a Domain Controller – more on this in the next subsection).
Storing objects in the global catalog allows admins and users to find information about objects regardless of which domain in the directory the object is located in.
- Additionally, Active Directory has a query and object indexing system. Indexing allows object properties to be published and searched for across the directory.
- Active Directory replication service allows data distribution across multiple Domain Controllers. Active Directory is a multi-master directory (more on this in the next subsection).
This means that all Domain Controllers in the domain have a complete copy of all directory information. To keep all DCs in sync, AD uses its replication technology.
DCs Hold the Global Catalog Server And/or Operations Masters Roles
Like Active Directory, Domain Controllers have some features unique to them. Here are some features unique to DCs:
- Domain Controllers hold the Global Catalog (GC) Server role. In the last subsection, I mentioned that AD holds information about all directory objects in a global catalog.
Physically, this information is saved in a Domain Controller that holds the Global Catalog server role. When you deploy the first DC in the domain, it is assigned the GC role.
However, if you add a second DC to the domain, you can enable the GC role on the new server. You’ll need to wait for the new server to receive all the GC content before you can disable the GC service from the previous GC server.
- DCs also hold Operations Masters roles. In the last section, I hinted that AD is a multi-master directory.
However, there are some operations that a specific Domain Controller must perform – then replicate to other Domain Controllers. These roles that one DC performs are known as single-master roles.
Specific Domain Controllers hold these single-master roles in the AD forest. A DC that holds a single-master operations role is called the “Operations Master” for that role.
There are 5 Operations Masters roles in Active Directory. Three of them are the Schema master, the Domain naming master, and the Primary Domain Controller (PDC) emulator.
The other two are the Infrastructure master and the Relative ID (RID) master. Read my article Active Directory FSMO Roles Explained to learn more about these AD roles.
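As an added example (not part of the original article), the PowerShell function below inventories the Domain Controllers of the current domain and shows which DCs hold the Global Catalog role and the five Operations Masters roles, and whether each DC is read-only or writable. It assumes the RSAT ActiveDirectory module is installed and the session can query a DC; the function name Get-DcRoleSummary is my own.

```powershell
# Added example: list each DC in the domain with its GC flag, read-only flag
# and the FSMO roles it holds, then warn on single points of failure.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-DcRoleSummary {
    [CmdletBinding()]
    param()

    $dcs = Get-ADDomainController -Filter *

    # One row per DC: name, site, GC flag, RODC flag, FSMO roles it holds
    $rows = foreach ($dc in $dcs) {
        [PSCustomObject]@{
            Name            = $dc.Name
            Site            = $dc.Site
            IsGlobalCatalog = $dc.IsGlobalCatalog
            IsReadOnly      = $dc.IsReadOnly
            FsmoRoles       = ($dc.OperationMasterRoles -join ', ')
        }
    }

    # At least two writable DCs keeps logon working if one DC fails
    $writable = @($rows | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -lt 2) {
        Write-Warning "Only $($writable.Count) writable DC(s); at least two are recommended."
    }
    # At least one Global Catalog server is needed for forest-wide searches
    $gcs = @($rows | Where-Object { $_.IsGlobalCatalog })
    if ($gcs.Count -eq 0) {
        Write-Warning "No Domain Controller in this domain holds the Global Catalog role."
    }

    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $fsmo.Keys) {
        if (-not $fsmo[$role]) { Write-Warning "Role $role has no holder." }
    }

    return $rows
}

Get-DcRoleSummary | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined machine; the warnings point at the conditions this article describes (a lone DC, or no GC server).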
Frequently Asked Questions
Domain Controllers control logon to Active Directory (authentication). Additionally, DCs control access to AD resources (authorization).
Beyond authentication and authorization, DCs also hold some AD roles, such as Global Catalog and Operations Masters.
Definitely! Domain Controllers are like the physical building blocks that manage Active Directory.
Without DCs, AD can’t function.
You can install a Domain Controller as either Read-Only or Read-Write.
A Read-Only DC holds a read-only copy of the AD database. This means that this type of DC does not participate in AD replication.
On the contrary, a Read-Write DC contains a writable copy of the AD database and can participate in AD replication.
Infrastructure master, RID master, Schema master, PDC emulator, and Domain naming master.
Yes, you can and should have at least 2 domain controllers in a domain. In a production environment, Microsoft recommends that you have at least two DCs.
This will ensure that if one DC fails, your users will continue to log in to AD and access resources.
My Final Thoughts
You cannot mention Active Directory without Domain Controllers. While the two concepts are related, they have some similar and dissimilar features and functions.
Active Directory is a logical concept, while Domain Controller is a physical concept. So, AD stores information about objects in Domain Controllers (DCs), while DCs manage permissions for these objects.
Another important difference between AD and DC is that AD defines a set of rules about the objects and classes that Admins can create. This is known as the schema.
On the contrary, a DC holds the Schema master role. Similarly, while AD contains information about objects in a Global Catalog (GC), a DC holds the GC server role.
I hope you found this article helpful. If you did, share your thoughts with our lively community at Itechguides Community.