Computer Domain Model

The terms domain and domain controller are often used when speaking about organizations’ IT infrastructures. But what exactly is behind these terms?

Read our brief article, in which we use Univention Corporate Server to exemplify what a domain and a domain controller are and what functions they have. 

What Is a Domain?

A domain is a conceptual entity that is characterized by a common security and trust context. This means, the members of the domain know and trust each other. External systems and users do not have access to the resources and services provided within the domain, such as computers, files, etc.

Structure of a Domain

Members in a domain can be, for example, users and groups, but also client computers and server systems. The core component of such a domain is the information about who is a member and how this member can authenticate, i.e. can prove his own membership.

Definition and Task of the Domain Controller

The management of this information is done by at least one server system, which is a member of the domain and is designated by its position as a domain controller. It controls and manages the domain respectively its belonging information. In small environments, one domain controller is often sufficient. In medium and large environments, several such domain controllers are generally used for reasons of failure safety and load distribution. All the data is automatically synchronized between these different domain controllers (keyword: replication).

In such a domain, various services are offered for which authentication is necessary. That is, the users and computers must demonstrate that they are a member of the domain before they get access. Examples are file and print services. Various methods can be used for authentication, such as LDAP authentication, RADIUS, or Kerberos (see below).

Domain Names

A domain also always has a name. Computers such as clients and server systems that are members of the domain, have a so-called Fully Qualified Domain Name (FQDN), which is composed of the host name and the domain name:

Domain name: intranet.example.org
FQDN:        ucs-01.intranet.example.org
     Host name -^   | ^- Domain name

Through this FQDN systems and services in the network can be identified and found.

Domain Services for Authentication

UCS now creates such a domain, manages users and computer data, controls access rights, and provides various, also supporting services for authentication.

This includes:

  • OpenLDAP as directory service – using, for example, the LDAP base dc=intranet,dc=example,dc=org
  • Kerberos – using, for example, the Kerberos realm INTRANET.EXAMPLE.ORG
  • DNS – especially Kerberos, but also many other services require a working name resolution via DNS – for example with the DNS zone intranet.example.org
  • SAML – for web-based Single Sign-On
  • Optional:
    • RADIUS – for example for WLAN
    • Active Directory – for example with the LDAP base DC = intranet, DC = example, DC = org
    • NetBIOS / WINS – for example INTRANET

These services, which in principle can also be operated independently, are pre-configured and intertwined in UCS in such a way that they are valid and functioning within the same domain. As a result, UCS provides an optimal basis for operating a heterogeneous IT environment in which various systems and services can be connected via the domain functionality.

Further information on UCS’s authentication services can be found at Login and Authentication Services.

We’d be happy if this article brought you some light into the “domain jungle”.

Open Soure Software Consultant and member of the Professional Services Team of Univention

What's your opinion? Leave a comment!

Comments

  1. Good article and very infirmative about a domain and the controler.
    Thanks
    Thabit

Your email address will not be published. Required fields are marked *