
In short: I do not know where to start reading so that I can understand how to configure a DC.

The long question:

In the environment I work in, we use an outdated domain controller and I have to create a new one. The problem is that I cannot yet grasp the idea of the Domain Controller. The one we use is actually used just for authenticating users (single domain, no one else in the forest, no other forest).

The theory I (think) know in short is:

  • An Active Directory is a database that stores information about computers and users.
  • A domain controller is a server that holds the Active Directory and maybe other services such as DNS.
  • A Windows server can be a domain controller if it has Active Directory.
  • I can restrict users from using a printer for example.
  • I can change the settings for a given user account (let's say desktop background?)

What I cannot grasp is generally the big picture, but specifically:

  • Why are there users and computers and not just users? What can I do with each of them?
  • If I restrict a user from using a printer, what is it that prevents him from actually using it if he can reach it (by IP, for instance)?
  • Why would I put different types of users in different containers, instead of just putting them in "Users" and then making them members of different groups that have different rights? Is it just an aesthetic matter, everything being tidy and sorted?
  • The biggest problem: I do not know what else it can do (please give me some example situations where it could help).

What I guess I expected was that there would be more to this wonder, the Domain Controller, than just authenticating users.

Any help on any of the above matters would be greatly appreciated. Thanks in advance!

Sakis
  • @1.618 not sure where you've heard this, but it's not true in any sense. The term `domain controller` is not obsolete and applies **only** to AD. Essentially, everything in your comment is the exact opposite of what it should say. You may benefit from reading the question that this was closed as a duplicate of. – MDMarra Feb 22 '14 at 20:31
  • Again, this is not true at all. Some examples here: http://blogs.technet.com/b/kevinholman/archive/2013/09/25/upgrading-domain-controllers-to-windows-server-2012-r2.aspx http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx http://blogs.technet.com/b/keithmayer/archive/2012/08/06/safely-cloning-an-active-directory-domain-controller-with-windows-server-2012-step-by-step-ws2012-hyperv-itpro-vmware.aspx#.UwkKU5K9KSM there are plenty of other examples as well. Wherever you heard this info was incorrect. – MDMarra Feb 22 '14 at 20:37
  • It is also all over the AD DS design guide, which was last updated for Server 2012 here - http://technet.microsoft.com/en-us/library/cc754678(v=ws.10).aspx – MDMarra Feb 22 '14 at 20:40
  • @MDMarra Ok, actually I confused my terms a little here, and I was thinking of "PDC". In AD, there is no "PDC" and "BDC". Not claiming that as fact, that's just my recollection. I have deleted my original comment. – 1.618 Feb 22 '14 at 20:40
  • Correct, the terms and concepts of a PDC and BDC were deprecated when Windows 2000 Server was released. The term "domain controller" or "DC" is still correct and widely used. – MDMarra Feb 22 '14 at 20:41

1 Answer

To answer just a piece of your question, which is kind of broad:

Here are a few reasons why computers appear in AD as accounts.

  1. Policies can apply to computers as well as users.
  2. Computers need credentials, too, even if it's only to execute policies applied to computers ("install this software from this share"). You cannot access this password. It changes regularly. (I sometimes see it change in my monitoring software--a second of credential mismatch that shows up in the SQL error log--but that's the only way you'd know.)
  3. It's just the way Kerberos works in AD. You need account credentials, a trusted machine, and a proper timestamp or else you can't log in. (Untrusted machines fall back to NTLM.)

Also, you generally group users and computers into OUs in order to apply policies to them.

Check out the question and answers in the "duplicate" link. It's good stuff.

Katherine Villyard
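The answer above makes three points that are easiest to see from the command line: computer accounts have their own passwords that rotate on a schedule, the "trusted machine" Kerberos needs is the secure channel a workstation keeps with a DC using that password, and OUs exist mainly as targets for Group Policy. The PowerShell below is an added example, not code from the question or the answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the admin machine for steps 1 and 4, that steps 2, 3 and 5 are run on a domain-joined workstation (not on a DC), and that "contoso.com", the OU "Workstations", the GPO name "WS-Baseline" and the account "CONTOSO\Administrator" are placeholders for your own names.

```powershell
# Added example (not part of the original question or answer).
# Placeholders: contoso.com, OU=Workstations, GPO "WS-Baseline", CONTOSO\Administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Computer accounts are security principals with their own credentials.
#    Netlogon rotates each computer's password on a schedule (30 days by default).
#    PasswordLastSet shows the last rotation; a value well past the interval
#    usually means the machine is decommissioned, a stale clone, or has a
#    broken trust relationship with the domain.
$cutoff = (Get-Date).AddDays(-45)
Get-ADComputer -Filter * -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet |
    Sort-Object PasswordLastSet

# 2. On a member machine the rotation interval lives under the Netlogon
#    service parameters. Values that are absent mean the defaults apply
#    (MaximumPasswordAge 30, DisablePasswordChange 0). DisablePasswordChange = 1
#    means the machine password never rotates, which is worth flagging.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $nl |
    Select-Object MaximumPasswordAge, DisablePasswordChange

# 3. The "trusted machine" the answer refers to is the secure channel between
#    this workstation and a DC, authenticated with the computer password.
#    Verify it; if the machine account password is out of sync, -Repair
#    resets it using domain admin credentials (assumed account name).
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CONTOSO\Administrator')
}

# 4. OUs are there to scope Group Policy. Create an OU for workstations, move
#    machines out of the default Computers container into it, then create a
#    GPO and link it to the OU so the computer-side settings apply to those
#    machines regardless of which user logs on.
$domainDN = 'DC=contoso,DC=com'
$ouDN     = "OU=Workstations,$domainDN"
if (-not (Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
Get-ADComputer -Filter 'OperatingSystem -like "*Windows 1*"' -SearchBase "CN=Computers,$domainDN" |
    Move-ADObject -TargetPath $ouDN

$gpo = Get-GPO -Name 'WS-Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'WS-Baseline' -Comment 'Computer-side baseline for workstations'
}
# New-GPLink errors if the link already exists; that is safe to ignore here.
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# 5. Kerberos in practice: the machine's own ticket cache. Logon session
#    0x3e7 is SYSTEM, which authenticates as the computer account
#    (CONTOSO\HOSTNAME$). A krbtgt ticket here means the machine itself
#    obtained a TGT, independently of whoever is logged on.
klist -li 0x3e7
```

Steps 1 and 4 only need RSAT and rights on the OU; step 3 changes the machine password and should be run with care on a machine whose trust is actually broken, since the old password is invalidated on the DC as part of the repair.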