13.3 Domain Controllers

If it were not for domain controllers, you would not have an Active Directory. The domain controllers are responsible for the entire authentication of users, storage of objects, control of GPOs, and control of the Active Directory database. This is a lot of responsibility, which also requires a lot of security. The following is a list of key responsibilities of a domain controller in Active Directory:

Authentication of users

The domain controllers are responsible for authenticating all the users that submit credentials. The desired authentication protocol is Kerberos, but if the computer that is generating the authentication does not support Kerberos, a form of NTLM will be used. In most cases, NTLM v2 will be used in place of Kerberos. Table 13-1 breaks down which scenarios use Kerberos and which use NTLM.

Storage of the Active Directory database

The domain controllers store the Active Directory database locally in the file system. This is just a single file, with some accompanying files for support. The NTDS.DIT file is the real Active Directory database; it lives in the %systemroot%\NTDS folder. If this file is compromised or corrupted, it can bring down the entire Active Directory. Ideally, the database for Active Directory should be located on a dedicated physical drive that does not include the system volume.

Storage of GPOs and logon scripts

The domain controllers are also responsible for the GPOs (both default and new) as well as the logon scripts. Both the GPOs and the logon scripts are stored in folders under the %systemroot%\SYSVOL folder. The GPOs are under the %systemroot%\SYSVOL\sysvol\<domainname>\Policies folder. Each is listed by its Global Unique Identifier (GUID). The scripts are all located under the GPOs if they are configured through GPOs. However, if they are the "traditional" logon scripts that are configured via the user account properties, they will be stored under %systemroot%\SYSVOL\sysvol\<domainname>\scripts. Here, scripts are shared as NETLOGON, just as in Windows NT. GPOs or scripts that are modified or corrupted may not run, which could leave some or all computers without the proper security configuration. Also, if an attacker modifies a GPO or script from this location, she could give herself additional access to resources if enough information is known about the network.

Table 13-1. Windows Server 2003 authentication protocols

Operating system sending credentials

Windows Server 2003 role receiving credentials

Authentication protocol used

Windows NT

Standalone server


Windows 9x or NT

Domain controller


Windows 2000, XP, or Server 2003

Standalone or untrusted server


Windows 2000, XP, or Server 2003

Domain controller


The folder structure of the domain controllers is determined at the time a server is promoted to be a domain controller. You have the opportunity to place the directory database file, the transaction logs for the database file, and the SYSVOL folder. Regardless, you need to place all these key files on an NTFS volume. Then, make sure that these folders are kept secure, so that an attacker is not able to access or corrupt the files.