Active Directory · Term

What is a Domain Controller?

A Domain Controller is the server that runs Active Directory, authenticates every logon, and holds every account’s password hash. Compromise one and you compromise the domain. Here is what a Domain Controller is and why it is the prize.

TL;DR

A Domain Controller (DC) is a Windows server running Active Directory Domain Services. It stores the directory database (NTDS.dit), authenticates every logon using Kerberos and NTLM, and enforces security policy across the domain. Because it holds the password hash of every account, including Domain Admins and KRBTGT, compromising a Domain Controller is equivalent to compromising the entire domain, which is why DCs are the top-priority Tier 0 asset to protect.

By John Dill, Red Team Lead, SecureLayer7

What a Domain Controller is

A Domain Controller is the server that *is* Active Directory for a domain. Its jobs:

  • Authenticate logons as the Kerberos Key Distribution Center and via NTLM.
  • Hold the directory database, NTDS.dit, which contains every user, computer, group, and their password hashes.
  • Replicate with other DCs to keep them in sync.
  • Enforce policy through Group Policy and the SYSVOL share.

Most domains run several DCs for resilience. Each one is a full copy of the kingdom’s keys.

Why it is the prize

Reaching a Domain Controller, or Domain Admin rights over it, is the goal of nearly every Active Directory attack:

  • It enables DCSync to pull every hash including KRBTGT (secretsdump.py -just-dc ...).
  • It exposes NTDS.dit for a full credential dump.
  • It allows pushing code, including ransomware, to every domain-joined machine.

The whole attack chain covered in this section (enumeration, Kerberoasting, relay, ACL and AD CS abuse) exists to reach this single class of server.

How to protect Domain Controllers

  • Apply tiered administration. Only Tier 0 admins touch DCs, and only from clean, trusted systems.
  • Keep Domain Admin credentials off lower-tier machines so attackers cannot pivot up.
  • Patch DCs promptly and minimise installed roles and software on them.
  • Monitor for DCSync replication from non-DC sources and for shadow-copy or backup access.
  • Protect DC backups, which contain NTDS.dit.
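The monitoring item above, detecting DCSync replication requests from sources that are not Domain Controllers, can be turned into a concrete check. The following is an added example and not SecureLayer7's tooling: it assumes Windows Security event 4662 records have already been exported to JSON with field names mirroring the event's XML (SubjectUserName, Properties, and so on), and the sample records, the DC inventory and the "CORP" domain name are constructed for the example. Replication rights are recognised by the well-known control-access-right GUIDs that the event lists in its Properties field; legitimate synchronisation accounts (for example a directory-sync service account) exercise the same rights and must be allow-listed rather than alerted on.

```python
"""Flag DCSync-style replication requests that do not come from a Domain Controller.

Added example for this page, not SecureLayer7 code. Input: Windows Security
event 4662 records exported to JSON-like dicts (constructed samples below).
"""
import re

# Control access rights that together make DCSync possible (well-known AD GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Assumed inventory of DC computer accounts; in practice, pull this from your own AD.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events. Properties mimics the multi-line field of a real 4662 event.
SAMPLE_EVENTS = [
    {   # Normal DC-to-DC replication: source is a known DC computer account.
        "EventID": 4662, "TimeCreated": "2024-05-01T08:00:01Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # A user account requesting full replication: this is what DCSync looks like.
        "EventID": 4662, "TimeCreated": "2024-05-01T08:02:17Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # 4662 for an unrelated object access; the GUID is not a replication right.
        "EventID": 4662, "TimeCreated": "2024-05-01T08:03:40Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
        "ObjectName": "CN=Policies,CN=System,DC=corp,DC=example",
        "Properties": "%%7688\n\t{00000000-0000-0000-0000-000000000000}",
    },
    {   # Different event ID entirely; must be ignored.
        "EventID": 4624, "TimeCreated": "2024-05-01T08:04:02Z",
        "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "Properties": "",
    },
]


def replication_rights_in(properties: str) -> set:
    """Return the names of replication rights referenced by a 4662 Properties field."""
    return {
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    }


def find_dcsync_from_non_dc(events, dc_accounts, allowed_accounts=frozenset()):
    """Return findings for 4662 events that request replication rights from a
    subject that is neither a known DC nor an explicitly allow-listed account."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account in dc_accounts or account in allowed_accounts:
            continue
        findings.append({
            "time": ev.get("TimeCreated", ""),
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "rights": sorted(rights),
            "object": ev.get("ObjectName", ""),
        })
    return findings


if __name__ == "__main__":
    for hit in find_dcsync_from_non_dc(SAMPLE_EVENTS, KNOWN_DC_ACCOUNTS):
        print(f"{hit['time']} DCSync rights used by {hit['account']} on {hit['object']}: {', '.join(hit['rights'])}")
```

Running the script reports only the jdoe event. The DC-to-DC replication is suppressed by the inventory check, and a sanctioned sync account would be passed in via allowed_accounts; anything else asking for Get-Changes-All against the domain naming context is worth an immediate investigation, because it is the exact request secretsdump.py makes.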
