So what is a domain controller?

A domain controller is a server that stores a copy of the Active Directory database, or NTDS.dit file, and it also stores a copy of the SYSVOL folder. All domain controllers except RODCs store a read/write copy of both entities. The NTDS.dit file is the database itself, and the SYSVOL folder contains all the templates, settings and files for GPOs, or Group Policy Objects.

Domain controllers use the multi-master replication process to copy data from one domain controller to another. This means that for most operations, data can be modified on any domain controller except for RODCs. The AD DS replication service then synchronizes the changes to the AD DS database with all the other domain controllers in the domain. In Windows Server 2016 and higher, you can use only Distributed File System (DFS) Replication to replicate the SYSVOL folder. Earlier versions of Windows Server use the File Replication Service, or FRS, to replicate the folder, but it has been replaced for several versions of Windows Server.

Domain controllers host several other services related to Active Directory. This includes the Kerberos Authentication Service, which user and computer accounts use for sign-in authentication, and the Key Distribution Center, or KDC, which issues the ticket-granting ticket to an account that signs into the Active Directory domain. Optionally, you can configure domain controllers to host a copy of the global catalog.

All users in an Active Directory domain exist in the Active Directory database. If the database is unavailable for any reason, all the operations that depend on domain-based authentication will fail. So as a best practice, an AD DS domain should have at least two domain controllers; this makes the database more available and spreads the authentication load during peak sign-in times. So when planning your infrastructure, please consider two domain controllers as the absolute minimum for most enterprises to ensure high availability and performance.

Now, when you deploy a domain controller in a branch office where physical security is less than optimal, you can use additional measures to reduce the impact of a breach of security. One option is to deploy an RODC, or read-only domain controller, which was created exactly for these purposes. The RODC contains a read-only copy of the AD DS database, and by default it does not cache any user passwords. You can configure the RODC to cache the passwords for users in the branch office, but again, it's not the default. Even if an RODC is compromised, the potential loss of information is much lower than with a full read/write domain controller.

Another option here is to use BitLocker Drive Encryption to encrypt the domain controller's hard drive. If someone steals the hard drive, BitLocker will help to ensure that the malicious hacker has difficulty getting any useful information from it. Please note that BitLocker is a drive encryption feature that is available for Windows Server operating systems and certain Windows client operating systems. BitLocker encrypts the entire drive to help prevent the computer from starting unless it receives a private key and optionally passes an integrity check. A hard drive remains encrypted even if you transfer it to another computer.
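The following PowerShell script is an added example and is not part of the lecture or any vendor's code. It audits a domain against the points covered above: at least two domain controllers, RODCs that have not cached privileged credentials, SYSVOL replicated by DFS Replication rather than FRS, and BitLocker protection on the volumes holding the operating system and NTDS.dit. It assumes the RSAT ActiveDirectory module and the BitLocker module are present, that it runs on a writable domain controller with rights to read the password replication policy, and that `dfsrmig /getglobalstate` prints the word `Eliminated` once the FRS-to-DFSR migration is complete; the `$findings` list and the two-DC threshold are my own choices.

```powershell
# Added example: audit a domain against the practices described in the lecture.
# Assumptions: ActiveDirectory and BitLocker modules installed; run on a DC with rights
# to read RODC password replication policies and the NTDS registry parameters.
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# 1. Availability: a single DC means every domain-based authentication fails when it is down.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    $findings.Add("Only $($dcs.Count) domain controller(s) found; two is the minimum for availability.")
}

# 2. RODCs: caching is off by default, so anything revealed on an RODC is a deliberate
#    choice. Flag any cached credential that belongs to a Domain Admins member, because
#    a stolen branch-office RODC would then expose a privileged password.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName)
foreach ($rodc in ($dcs | Where-Object { $_.IsReadOnly })) {
    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed)
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts)
    Write-Host ("{0}: {1} allowed entries, {2} cached credential(s)" -f $rodc.Name, $allowed.Count, $revealed.Count)
    foreach ($acct in $revealed) {
        if ($domainAdmins -contains $acct.SamAccountName) {
            $findings.Add("$($rodc.Name) has cached the password of Domain Admins member '$($acct.SamAccountName)'.")
        }
    }
}

# 3. SYSVOL replication: FRS has been replaced by DFS Replication. dfsrmig reports the
#    migration state; 'Eliminated' means FRS is no longer used for SYSVOL (string match
#    on the tool's output is an assumption of this example).
$dfsrState = & dfsrmig.exe /getglobalstate 2>&1 | Out-String
if ($dfsrState -notmatch 'Eliminated') {
    $findings.Add("SYSVOL is not fully migrated to DFS Replication. dfsrmig reports: $($dfsrState.Trim())")
}

# 4. BitLocker: check the system volume and the volume that actually holds NTDS.dit.
#    The database path comes from the NTDS service parameters in the registry.
$ntdsPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$volumes = @($env:SystemDrive, (Split-Path -Qualifier $ntdsPath)) | Select-Object -Unique
foreach ($mountPoint in $volumes) {
    try {
        $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop
        if ($bl.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is '$($bl.ProtectionStatus)' on $mountPoint (holds OS or NTDS.dit).")
        }
    } catch {
        $findings.Add("Could not query BitLocker on ${mountPoint}: $($_.Exception.Message)")
    }
}

# Summary: an empty list means every check above passed.
if ($findings.Count -eq 0) {
    Write-Host "No findings: DC count, RODC caching, SYSVOL replication and BitLocker look as expected."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it from an elevated PowerShell session on a writable domain controller. The RODC check reports the size of the Allowed list and the number of cached credentials for every RODC, so a branch-office RODC that has silently accumulated cached passwords beyond the intended branch users stands out even when no Domain Admins member is among them.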