What is a Domain Controller?
A Domain Controller (DC) is the server that authenticates users and enforces policy in an Active Directory domain. Learn what DCs do, FSMO roles, and how to secure them.
What is a Domain Controller?
Definition
A Domain Controller (DC) is a server running Active Directory Domain Services (AD DS) that authenticates users, applies Group Policy, and enforces security policy for an Active Directory domain.
Every domain has at least one DC. Most production environments run multiple DCs per domain for high availability and replicate the directory between them.
In simple terms:
A Domain Controller is the server that says "yes, you are who you say you are" — and that controls what you're allowed to do.
Why DCs Matter
DCs hold the NTDS.dit database, which contains:
- Every user, computer, and group in the domain
- Password hashes (including KRBTGT — the master Kerberos secret)
- Group memberships, ACLs, and trust relationships
- GPOs and organizational structure
If an attacker controls a DC, they control:
- Every account in the domain
- Every GPO that applies to every endpoint
- Authentication for every service that trusts AD
- In hybrid environments, often the cloud tenant via Entra Connect
DCs are the highest-value targets in most enterprises and must be treated as Tier 0 assets.
What DCs Do
- Authenticate users via Kerberos (primary) and NTLM (fallback).
- Issue Kerberos tickets (TGTs and service tickets).
- Enforce password policy and account lockout.
- Apply Group Policy to clients and servers.
- Replicate directory data with other DCs.
- Resolve DNS (commonly co-located with AD-integrated DNS).
- Host LDAP for directory queries.
- Manage trust relationships with other domains/forests.
FSMO Roles
Five Flexible Single Master Operations (FSMO) roles are unique within a forest or domain:
Forest-wide
- Schema Master — schema modifications.
- Domain Naming Master — adding/removing domains.
Domain-wide
- PDC Emulator — time source, password changes, GPO authoritative reference.
- RID Master — pool of unique RIDs to DCs.
- Infrastructure Master — cross-domain object references.
FSMO holders are critical; their failure can disrupt the directory.
Replication
DCs replicate using multimaster replication (every DC can accept changes for most objects). Replication uses sites and site links to optimize bandwidth.
- Intra-site replication: fast, frequent.
- Inter-site replication: scheduled, compressed.
The Knowledge Consistency Checker (KCC) builds the replication topology automatically.
Read-Only Domain Controllers (RODC)
- Designed for branch offices or DMZs.
- Hold a filtered set of credentials (no Domain Admin hashes by default).
- Cannot accept directory changes.
- Reduce risk in physically less-secure locations.
Common DC Attack Vectors
- DCSync — abuse replication rights to extract password hashes (including KRBTGT).
- DCShadow — register a rogue DC to inject malicious changes.
- Golden Ticket — forge TGTs using the KRBTGT hash.
- NTDS.dit theft — copy the database from a backup or volume snapshot.
- Kerberoasting / AS-REP roasting — performed against DCs.
- Print Spooler / RPC abuses (PrintNightmare, PetitPotam) to coerce DC authentication.
- Misconfigured ACLs allowing modification of DC objects.
Real-World Examples
1. NTDS.dit Extraction via Backup
Attackers compromise a backup server (often a Tier 0 dependency that is treated as Tier 1) and restore NTDS.dit, then extract every domain hash offline.
2. PetitPotam → AD CS
PetitPotam coerces a DC to authenticate to an attacker-controlled host. The attacker relays the DC's authentication to AD CS to obtain a certificate as the DC, then uses it for DCSync.
3. Volume Snapshot Abuse
An attacker with local admin on a DC creates a volume shadow copy and copies NTDS.dit and SYSTEM hive offline.
4. KRBTGT Hash Extraction → Golden Ticket
After DCSync, attackers extract the KRBTGT hash and forge tickets giving any privilege for years — until KRBTGT is rotated twice.
DC Security Best Practices
- Treat every DC as Tier 0. No Tier 1/2 software should touch them.
- Limit physical and virtual access. Encrypt DC VMs and snapshots.
- Restrict logon rights — only Tier 0 admins.
- Patch promptly, especially privilege escalation and authentication CVEs.
- Disable unnecessary services (Print Spooler off where not needed).
- Enforce LDAP signing and channel binding.
- Restrict NTLM at DCs.
- Audit replication rights (DCSync).
- Rotate KRBTGT twice annually.
- Backup DCs separately from general infrastructure; store offline.
- Monitor authentication patterns, replication anomalies, registration of new DCs.
- Use RODCs for branch offices.
- Test DR procedures for forest-wide recovery.
DC Hardening Checklist
- All DCs at supported OS / patch level?
- Tier 0 admin model enforced?
- PAWs used for DC administration?
- Unnecessary services disabled (Spooler, etc.)?
- LDAP signing / channel binding enforced?
- DCSync rights audited?
- KRBTGT rotated twice in last year?
- Backups of NTDS.dit secured?
- Monitoring for DCSync, DCShadow, Golden Ticket?
- Forest recovery plan tested?
How Forestall Helps
Forestall maps every identity that can reach your DCs — directly or via paths through delegations, ACLs, OU permissions, and AD CS. It surfaces the choke points to remediate first and tracks DC reachability over time as Tier 0 risk is reduced.
Frequently Asked Questions
How many DCs do I need?
At least two per domain for redundancy; more depending on user count, sites, and load. Always design for the loss of any single DC.
Should DCs run other services?
No. DCs should be dedicated; running file shares, applications, or databases on a DC dramatically increases risk.
Can DCs be virtualized?
Yes, with care. Protect snapshots, encrypt VMs, restrict hypervisor admins, and avoid exposing DC VMs in shared management planes.
What is the relationship between DCs and Entra ID?
If you sync AD with Entra ID via Entra Connect, AD compromise often becomes Entra compromise. Treat the Entra Connect server as Tier 0 too.
What's the highest-impact attack against a DC?
DCSync — it gives every hash, including KRBTGT, enabling Golden Tickets and full impersonation.
Conclusion
Domain Controllers are the brain of an Active Directory environment. Securing them — strict Tier 0 isolation, hardened OS and protocols, audited replication rights, secure backups, KRBTGT rotation, and continuous monitoring — is one of the most important investments any enterprise can make. If your DCs fall, your domain falls; if your DCs hold, you keep most adversaries from achieving their objectives.
Treat every DC as Tier 0 — and prove it.
Forestall surfaces every identity that can reach your DCs, directly or via attack paths.