Difference between domain, domain controller and active directory?


Domains

Microsoft first introduced (Windows) Domains with Windows NT Server as part of their bid to compete with Novell Netware for control of the business server market.

If you didn't have something like a Windows Domain or Novell Netware, then every time you wanted to access a resource on another computer that was protected by a password, you had to enter or re-enter the password. And each different server might ask you for a totally different password. Windows Domains and Netware Domains are designed to make it so you can log on one time to the computer that you are sitting at, and then be granted or denied access to resources on many other servers in the background without you having to submit credentials every time you access a different resource.

One simplified way to look at a Windows Domain is that it is two lists. One list is usernames and passwords. These are the user credentials that a human being will know, that they enter when they log on to the computer they are sitting at. The verification of these user credentials is then made available to all the other computers that have resources the user wants to access. But we don't want just any computer to be able to check a user's credentials.

That's why the second "list" is a list of computer names and passwords. That might sound strange at first, but it makes sense. We want to control what computers a Domain user can access, and we want to control which computers are even allowed to query the Domain for information about users. So computers also have their own credentials, and whenever a computer boots up, it logs on to the domain with its computer name and password. There is a process to create the computer account on the domain and establish the credentials, which is called "joining the computer to the domain".

A lot has changed about Windows Domains in the almost 20 years since the heyday of NT 4.0, but those two "lists" of credentials, one for users and one for computers, remain a central and critical element of a Windows Domain.

Domain Controllers

Just to recap, a Domain Controller is essentially a Microsoft Windows Server that both stores a copy of the domain information (those two lists mentioned above as well as a lot of other data) and provides access and mechanisms to protect and use that data.

Recalling the importance of the lists of user and computer credentials that are the core information for a Windows Domain, it shouldn't surprise you to know that one of the most important functions of a Domain Controller is authentication. To streamline the user experience (our original goal from up in the second paragraph), servers that host resources need to be able to query the list of user credentials to see if the users in question are who they say they are and have access granted to the resources being served. Domain Controllers are the servers that a resource server can query to validate the identity and access for a user.

There's a lot to dive into when it comes to Windows Domain authentication, but two big concepts you could research further are Kerberos authentication, which is the mechanism for authentication used in Windows 2000 and later domains, and pass-through authentication, which is what makes the seamless user experience possible.

The other highly important service Domain Controllers provide is to store and replicate all of the Domain information. Starting in Windows 2000, the amount of information that makes up a domain increased dramatically over the two lists of credentials and a few other odds and ends that Windows NT stored. By replicating all or part of this data to other Domain Controllers, the Windows Domain mechanism makes it more highly available and more fault tolerant.

Active Directory

Released with Windows 2000, Active Directory is a complete redesign and rebranding of the entire Windows Domain system. The term "Active Directory" can refer to either the entire system of managing Windows 2000 and later domains, or the database that comprises the Windows Domain information (the two lists and a bunch more) or both.

All of the information that makes up an Active Directory is stored in an X.500 compatible database. X.500 is a set of network directory standards, a Windows Domain is a kind of network directory, hence the name Active Directory for its replacement. As mentioned above, this X.500 database is replicated between domain controllers to make it accessible and fault tolerant.

Relevant to the question of "what is a domain?", Active Directory introduced one important new type of object and concept, Forests. An Active Directory Forest is kind of a list of lists, meaning, it is a collection of Domains that are all related to each other for both security and management purposes.

There are a lot more things involved in Active Directory Domains and Forests and a lot more services that are (or can be) provided by Domain Controllers. Hopefully this is enough to add to your existing information and give you some research direction going forward. Obviously, you can search by and/or favorite the tag on this very site, and maybe sort by votes, to see more about AD.
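The following PowerShell script is an added example, not part of the answer above, that maps the three terms onto things you can observe from a domain-joined Windows machine: the domain (one directory partition with a DNS name), its domain controllers (the servers holding replicas of that partition and answering authentication), the directory database itself (the "two lists" of user and computer objects), and the forest (the collection of related domains). It assumes the RSAT ActiveDirectory module is installed, that you are logged on with a domain account that can read the directory (ordinary domain users can by default), and that the machine is joined to the domain you want to inspect; `Test-ComputerSecureChannel` may require an elevated session on some builds. The 90-day threshold for old computer-account passwords is an assumed review value, not a Microsoft default.

```powershell
# Added example (not from the original answer): inspect domain, domain
# controllers, the directory contents and the forest from a joined machine.
# Assumes RSAT ActiveDirectory module and a domain logon with read access.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The DOMAIN: one administrative and security boundary, named by its DNS root.
$domain = Get-ADDomain
"Domain (DNS root):      $($domain.DNSRoot)"
"Domain (NetBIOS name):  $($domain.NetBIOSName)"
"Domain partition DN:    $($domain.DistinguishedName)"
"Functional level:       $($domain.DomainMode)"

# 2. The DOMAIN CONTROLLERS: servers holding a replica of this domain's
#    directory partition and answering authentication requests for it.
"`nDomain controllers for $($domain.DNSRoot):"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# The DC that authenticated the current logon; pass-through authentication
# hands credentials to one of these in the background.
"Logon server for this session: $env:LOGONSERVER"

# 3. ACTIVE DIRECTORY as a database: the "two lists" from the answer are
#    user objects and computer objects stored in the domain partition.
$users     = Get-ADUser     -Filter * -Properties Enabled
$computers = Get-ADComputer -Filter * -Properties Enabled, PasswordLastSet
"`nUser accounts:     $($users.Count)  (enabled: $(($users | Where-Object Enabled).Count))"
"Computer accounts: $($computers.Count)  (enabled: $(($computers | Where-Object Enabled).Count))"

# Computer accounts have passwords too, rotated automatically by Windows
# (every 30 days by default). An enabled computer account whose password has
# not changed in a long time is usually a stale or offline machine worth a review.
# The 90-day cut-off below is an assumed review threshold for this example.
$cutoff = (Get-Date).AddDays(-90)
$stale  = $computers | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -and ($_.PasswordLastSet -lt $cutoff)
}
"Enabled computer accounts with password older than 90 days: $($stale.Count)"

# This machine's own computer-account logon to the domain (the secure channel
# established with its computer name and password when it booted).
"`nSecure channel from $env:COMPUTERNAME to $($domain.DNSRoot) is valid: $(Test-ComputerSecureChannel)"

# 4. The FOREST: the collection of related domains sharing one schema and
#    one configuration partition, listed from the forest root.
$forest = Get-ADForest
"`nForest root domain: $($forest.RootDomain)"
"Domains in forest:  $($forest.Domains -join ', ')"
"Global catalogs:    $($forest.GlobalCatalogs -join ', ')"

# 5. Kerberos: tickets a DC's KDC issued to the current logon session.
"`nKerberos tickets held by the current logon session:"
klist
```

Run it in a PowerShell session on a domain-joined workstation; the first block tells you which domain you are in, the second which servers are its domain controllers, the third what is actually stored in the directory for that domain, and the fourth how that domain relates to the others in the forest. The `klist` output at the end shows the Kerberos tickets that make the "log on once, access many servers" experience described in the answer work.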

Author: XxS0ul678

Updated on September 18, 2022

Comments

  • XxS0ul678
    XxS0ul678 almost 2 years

    I am very confused about these three terms. I know that:

    Active Directory is a set of services used to store information about a computer network

    Domain Controller is a server computer used to run the active directory.

    But what does domain mean???

  • Todd Wilcox
    Todd Wilcox over 6 years
    I think one component of what an "Active Directory" is that deserves mention is the X.500 database of objects. And it might help to highlight one of the most important services that Active Directory provides, which is user authentication.
  • kilrainebc
    kilrainebc over 6 years
    Not an AD admin so I wouldn't do it justice. I gave him a high level overview of the topic because he seems confused and this will act as a primer he (hopefully) can relate to with examples like dc1.company.org. Though I think it might be worth it if you want to dive into a longer answer detailing x.500, certs, kerberos, ldap/dap, federation, etc. with strong explanations of everything.
  • kilrainebc
    kilrainebc over 6 years
    Excellent and very informative write up Todd!
  • Am_I_Helpful
    Am_I_Helpful over 6 years
    Already upvoted, but I feel you should better add more technical points in the domain definition! Currently, IMO, the first para consists of only what is a part of domain.
  • Todd Wilcox
    Todd Wilcox over 6 years
    @Am_I_Helpful Good point. I considered both the amount of time I have for typing up answers as well as the apparent likely level of understanding of the asker. I feel if there is one aspect of a Windows Domain that must be clear to understand why we use them, it's the accounts database and authentication aspect. And in the case of Windows NT, that's pretty much all a domain was! I would say the other metadata (e.g., Exchange attributes and DNS zones) that we think of as part of a domain today is really part of an Active Directory, hence my last paragraph.