Step 4: Location and responsibilities of domain controllers in Active Directory

Domain controllers control the keys to your Windows kingdom. They need to be even more secure than your other servers. Ensure their security by following these steps from Active Directory expert Derek Melber.

Domain controllers are responsible for authenticating domain computers and domain users, creating new Active Directory objects, applying Group Policy, and much more. To successfully control all of these tasks, it is best to keep the domain controllers where they are designed to live in Active Directory. The default installation of Active Directory contains only one organizational unit (OU): the one for the domain controllers.

All domain controllers should reside under this OU. This ensures that the Group Policy object(s) linked to the domain controllers' OU function properly, and it prevents errant Group Policy settings from another OU from configuring the domain controllers.

Domain controllers not only authenticate objects; they also control certain actions within Active Directory. There are a total of five Flexible Single Master Operator (FSMO) roles that need to be controlled by one or more domain controllers. You need to configure these on the best domain controllers and document where these roles exist. In addition to the FSMO roles, you also need to decide which domain controllers house the Global Catalog (GC) and which do not. The GC helps clients and servers locate objects within Active Directory faster, and it helps other services locate resources in Active Directory more efficiently.
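The OU placement check and the FSMO/GC inventory described in the two paragraphs above, as an added PowerShell example (not code from the article or its author). The function name `Get-DcRoleReport`, the `example.test` domain and the sample records are constructed for illustration, and the role check assumes a single-domain forest, where all five roles are held inside the one domain.

```powershell
# Added example: audits DC placement and documents FSMO/GC holders.
# Input objects need the properties Get-ADDomainController returns:
# Name, ComputerObjectDN, IsGlobalCatalog, OperationMasterRoles.
function Get-DcRoleReport {
    param(
        [Parameter(Mandatory)] [object[]] $DomainController,
        [Parameter(Mandatory)] [string]   $DcContainerDN
    )
    $expected = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

    $placement = foreach ($dc in $DomainController) {
        # Parent container = DN minus the leading "CN=<name>," (escaped commas are skipped).
        $parent = ($dc.ComputerObjectDN -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            Name            = $dc.Name
            ParentContainer = $parent
            InDcOU          = ($parent -eq $DcContainerDN)   # -eq is case-insensitive
            GlobalCatalog   = [bool]$dc.IsGlobalCatalog
            FsmoRoles       = @($dc.OperationMasterRoles) -join ', '
        }
    }
    # Assumption: single-domain forest, so each role has exactly one holder in the list.
    $roles = foreach ($role in $expected) {
        $holders = @($DomainController | Where-Object {
            @($_.OperationMasterRoles | ForEach-Object { "$_" }) -contains $role })
        $status = if ($holders.Count -eq 1) { 'OK' } else { "expected 1 holder, found $($holders.Count)" }
        [pscustomobject]@{ Role = $role; Holder = ($holders.Name -join ', '); Status = $status }
    }
    [pscustomobject]@{ Placement = $placement; Roles = $roles }
}

# Constructed sample records (hypothetical domain example.test), so the script runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'DC01'; IsGlobalCatalog = $true
        ComputerObjectDN     = 'CN=DC01,OU=Domain Controllers,DC=example,DC=test'
        OperationMasterRoles = @('SchemaMaster','DomainNamingMaster','PDCEmulator') }
    [pscustomobject]@{ Name = 'DC02'; IsGlobalCatalog = $false
        ComputerObjectDN     = 'CN=DC02,OU=Branch Servers,DC=example,DC=test'   # moved out of the DC OU
        OperationMasterRoles = @('RIDMaster','InfrastructureMaster') }
)
$report = Get-DcRoleReport -DomainController $sample -DcContainerDN 'OU=Domain Controllers,DC=example,DC=test'
$report.Placement | Where-Object { -not $_.InDcOU } | Format-Table Name, ParentContainer
$report.Roles | Format-Table Role, Holder, Status

# Against a live domain (requires the ActiveDirectory module):
# Get-DcRoleReport -DomainController (Get-ADDomainController -Filter *) `
#     -DcContainerDN (Get-ADDomain).DomainControllersContainer
```

Saving the `Roles` and `Placement` output on a schedule gives the documented record of role holders the article calls for and shows when a domain controller object has been moved out of its OU.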

By protecting your domain controllers from different attacks and access points, you will increase the security of all domain controllers as well as the network in general. Since the domain controllers control the keys to the kingdom, they should receive the attention they deserve for protection. If you can establish protection against physical access, network access, communications, and the domain controllers' roles, you will go a long way toward protecting the enterprise that the domain controllers are in charge of.


Securing Windows domain controllers

  Introduction
  Step 1: Physical Access
  Step 2: Network Access
  Step 3: Domain Controller Communications
  Step 4: Location and Responsibilities of Domain Controllers in Active Directory

ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
Copyright 2005 TechTarget
This was first published in March 2006
