The professional structure of domains and the use of domain controllers bring order to IT infrastructures. This is especially important when organizations are growing rapidly: professional domain management allows their IT to grow dynamically. Otherwise, the infrastructure becomes a kind of “patchwork carpet” of many small solutions and unorganized resources, some of which act independently of each other, may interfere with each other, and therefore require a high level of maintenance. Not to mention the effort of maintaining user accounts more than once and the risks associated with data replication, data protection, and system reliability.
In the following article, we first briefly explain what a domain is and then describe the tasks of a domain controller. Finally, we get practical and look at how the concept of “domain/domain controller” is implemented in Univention Corporate Server (UCS).
The Concept of a Domain
A domain is a conceptual entity that is characterized by a common security and trust context. This means that the members of the domain know and trust each other. External systems and users do not have access to the resources and services provided within the domain, such as computers, files, etc.
Structure of a Domain
Members of a domain can be, for example, users and groups, but also client computers and server systems. The core component of such a domain is the information about who is a member and how this member can authenticate, i.e. prove its own membership.
The Domain Controller: Definition and Task
This information is managed by at least one server system, which is itself a member of the domain and, by virtue of this role, is designated as a domain controller. It controls and manages the domain and the information belonging to it. In small environments, one domain controller is often sufficient. In medium and large environments, several such domain controllers are generally used for reasons of fail-safety and load distribution. All the data is automatically synchronized between these domain controllers (keyword: replication).
In such a domain, various services are offered for which authentication is necessary. That is, the users and computers must demonstrate that they are a member of the domain before they get access. Examples are file and print services. Various methods can be used for authentication, such as LDAP authentication, RADIUS, or Kerberos (see below).
Domains Need Names
A domain also always has a name. Computers such as clients and server systems that are members of the domain have a so-called Fully Qualified Domain Name (FQDN), which is composed of the host name and the domain name:
Domain name: intranet.example.org
FQDN:        ucs-01.intranet.example.org
             |____| |__________________|
           host name      domain name
Through this FQDN, systems and services in the network can be identified and found.
Domain Services for Authentication
UCS creates such a domain, manages user and computer data, controls access rights, and provides various services for authentication as well as the supporting services they depend on.
This includes:
- OpenLDAP as directory service – using, for example, the LDAP base dc=intranet,dc=example,dc=org
- Kerberos – using, for example, the Kerberos realm INTRANET.EXAMPLE.ORG
- DNS – Kerberos in particular, but also many other services, require working name resolution via DNS – for example with the DNS zone intranet.example.org
- SAML – for web-based Single Sign-On
- Optional:
  - RADIUS – for example for WLAN
  - Active Directory – for example with the LDAP base DC=intranet,DC=example,DC=org
  - NetBIOS / WINS – for example INTRANET
These services, which in principle can also be operated independently, are preconfigured and interlinked in UCS in such a way that they all apply to and function within the same domain. As a result, UCS provides an optimal basis for operating a heterogeneous IT environment in which various systems and services can be connected via the domain functionality.
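The FQDN structure above and the list of per-service names (LDAP base, Kerberos realm, DNS zone, NetBIOS name) are all derived from the one DNS domain name. The following Python script is an added example, not UCS code, that makes this derivation explicit: it validates a DNS name label by label, produces the service names in the form shown in the list, splits an FQDN into host name and domain name, and checks whether a given FQDN belongs to the domain. The rule that the NetBIOS name is the first label, upper-cased and cut to 15 characters, is an assumption for this example, not a statement about how UCS derives it.

```python
"""Derive the per-service names of a domain from its DNS name (added example, not UCS code)."""
import re
from dataclasses import dataclass

# A DNS label is 1-63 characters of letters, digits and hyphens and may not
# start or end with a hyphen (RFC 1035 / RFC 1123 host-name rules).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_labels(name: str) -> list[str]:
    """Split a dotted name into its labels, rejecting anything that is not a valid DNS name."""
    name = name.rstrip(".")  # tolerate the trailing dot of an absolute DNS name
    if not name or len(name) > 253:
        raise ValueError(f"invalid DNS name: {name!r}")
    labels = name.split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return labels


@dataclass(frozen=True)
class DomainNames:
    dns_zone: str        # e.g. intranet.example.org
    ldap_base: str       # e.g. dc=intranet,dc=example,dc=org
    kerberos_realm: str  # e.g. INTRANET.EXAMPLE.ORG
    netbios_name: str    # e.g. INTRANET (assumption: first label, upper-cased, max 15 chars)


def derive_domain_names(domain: str) -> DomainNames:
    """Produce the LDAP base, Kerberos realm, DNS zone and NetBIOS name for a domain name."""
    labels = validate_labels(domain)
    if len(labels) < 2:
        raise ValueError("a domain name needs at least two labels, e.g. example.org")
    lower = [label.lower() for label in labels]  # DNS names are case-insensitive
    return DomainNames(
        dns_zone=".".join(lower),
        ldap_base=",".join(f"dc={label}" for label in lower),
        kerberos_realm=".".join(lower).upper(),   # Kerberos realms are conventionally upper-case
        netbios_name=lower[0].upper()[:15],       # NetBIOS names are limited to 15 characters
    )


def split_fqdn(fqdn: str) -> tuple[str, str]:
    """Return (host name, domain name) for an FQDN such as ucs-01.intranet.example.org."""
    labels = validate_labels(fqdn)
    if len(labels) < 3:
        raise ValueError(f"{fqdn!r} is not of the form host.domain.tld")
    return labels[0], ".".join(labels[1:])


def check_member_fqdn(fqdn: str, names: DomainNames) -> bool:
    """True when the domain part of the FQDN matches the domain's DNS zone (case-insensitively)."""
    _, domain = split_fqdn(fqdn)
    return domain.lower() == names.dns_zone


if __name__ == "__main__":
    # Constructed sample values matching the names used in the article.
    names = derive_domain_names("intranet.example.org")
    print(names)
    print(split_fqdn("ucs-01.intranet.example.org"))
    print(check_member_fqdn("ucs-01.intranet.example.org", names))
    print(check_member_fqdn("ucs-01.other.example.org", names))
```

Rejecting malformed labels before deriving anything matters in practice: a name that is not a valid DNS name cannot be resolved, and Kerberos and LDAP names derived from it would silently diverge from what DNS serves.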
Further information on UCS’s authentication services can be found at Login and Authentication Services.
We’d be happy if this article brought you some light into the “domain jungle”.