What is a Domain Controller?

A Domain Controller (DC) is a central server responsible for managing users, devices and access rights within a Windows domain.

It is the core of an Active Directory environment, where all authentication and authorisation take place.

Domain Controllers are widely used in both IT and OT environments to manage users, roles, policies and access control.


🧠 What does a Domain Controller do?

  • Manages user accounts and passwords
  • Authenticates users at sign-in (e.g. via Kerberos)
  • Determines whether users may access systems or files
  • Distributes and enforces Group Policy (Group Policy Objects / GPOs)
  • Synchronises data with other DCs in the same domain

🛠 Example functions

Function               Description
---------------------  --------------------------------------------------------
Active Directory (AD)  Manages the directory structure with users and devices
GPO (Group Policy)     Manages settings and security policy centrally
LDAP / Kerberos        Protocols for authentication and directory access
DNS integration        A DC often acts as a DNS server for the domain

🧱 Domain Controller in OT

In OT networks, DCs are used for, among other things:

  • Centralised access control for SCADA, HMI and Engineering Stations
  • Authentication of personnel and role-based authorisation (RBAC, IAM)
  • Limiting permissions for suppliers or maintenance staff via GPOs
  • Logging of sign-ins and changes (for SIEM or auditing)

Important: Domain Controllers in OT typically need to be shielded via a DMZ or Jump Server to limit risks.
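The "logging of sign-ins and changes" bullet above is where a DC becomes a detection source. The following is an added example, not code from the original page: it runs two simple SIEM-style rules over a handful of constructed Windows Security log records (event IDs 4625, 4624 and 4728, which are real Windows IDs; the dictionary field names are this example's own assumption, not a vendor schema). It flags a burst of failed logons followed by a success from one source, and any addition to a privileged group such as Domain Admins.

```python
"""Triage of constructed Domain Controller security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs; the record layout below is an assumption.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global / local / universal security group

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events (not real log data).
EVENTS = [
    # five failures within a minute, then a success, from one workstation
    {"time": "2024-05-01T08:00:01", "id": 4625, "user": "eng01", "src": "10.10.5.20"},
    {"time": "2024-05-01T08:00:04", "id": 4625, "user": "eng01", "src": "10.10.5.20"},
    {"time": "2024-05-01T08:00:09", "id": 4625, "user": "eng01", "src": "10.10.5.20"},
    {"time": "2024-05-01T08:00:15", "id": 4625, "user": "eng01", "src": "10.10.5.20"},
    {"time": "2024-05-01T08:00:21", "id": 4625, "user": "eng01", "src": "10.10.5.20"},
    {"time": "2024-05-01T08:00:33", "id": 4624, "user": "eng01", "src": "10.10.5.20"},
    # a single typo elsewhere: below threshold, no alert
    {"time": "2024-05-01T09:12:00", "id": 4625, "user": "ops02", "src": "10.10.7.41"},
    {"time": "2024-05-01T09:12:30", "id": 4624, "user": "ops02", "src": "10.10.7.41"},
    # a vendor account added to a privileged group
    {"time": "2024-05-01T10:05:00", "id": 4728, "user": "vendor-maint", "src": "DC01",
     "group": "Domain Admins", "member": "vendor-maint"},
    # a change to an ordinary operator group: not watched
    {"time": "2024-05-01T10:06:00", "id": 4728, "user": "helpdesk01", "src": "DC01",
     "group": "HMI Operators", "member": "ops03"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (user, source) pair that has at least `threshold`
    failed logons inside any `window`-long span, noting whether a successful
    logon from the same pair followed the burst."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            by_key[(e["user"], e["src"])].append(_ts(e))
    # last successful logon per pair
    successes = {(e["user"], e["src"]): _ts(e) for e in events if e["id"] == SUCCESS_LOGON}
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = key in successes and successes[key] >= times[end]
                alerts.append({"user": key[0], "src": key[1],
                               "count": end - start + 1, "success_after": followed})
                break
    return alerts


def privileged_group_changes(events, watched=PRIVILEGED_GROUPS):
    """Return every membership addition to a watched (privileged) group."""
    return [
        {"time": e["time"], "actor": e["user"], "member": e["member"], "group": e["group"]}
        for e in events
        if e["id"] in GROUP_MEMBER_ADDED and e.get("group") in watched
    ]


def triage(events):
    """Combine both rules into the alert list a SIEM correlation rule would emit."""
    alerts = [dict(kind="failed_logon_burst", **a) for a in failed_logon_bursts(events)]
    alerts += [dict(kind="privileged_group_change", **c) for c in privileged_group_changes(events)]
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Both rules are deliberately simple; the point is that none of them can fire unless the DC's audit policy records these events and forwards them, which is why the OT guidance above pairs the DC with a SIEM.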


🔐 Domain Controller and security

  • Integrate MFA with AD
  • Conduct regular access reviews of group membership
  • Harden via Microsoft Security Baselines
  • Forward logs to SIEM
  • Test backup and restore (e.g. as part of disaster recovery exercises)
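The "regular access reviews of group membership" item is easy to state and easy to get wrong, because Active Directory groups nest: a user three groups deep is still a Domain Admin. The following is an added example, not code from the original page or from Microsoft: it reviews a constructed directory snapshot (group and user data made up for the example; a real review would start from an export such as Get-ADGroupMember and Get-ADUser output, which this code does not call). It expands nested membership while tolerating cycles, then reports members not on the approved list, disabled accounts, accounts that have not signed in for more than 90 days, and approved people who are missing.

```python
"""Access review of a constructed Active Directory group snapshot (added example)."""
from datetime import date

# Constructed snapshot (not real data). Group values that are themselves
# group names represent nested groups.
GROUPS = {
    "Domain Admins": ["alice.admin", "OT-Admins", "svc-legacy"],
    "OT-Admins": ["bob.ot", "Vendor-Maint", "OT-Admins"],  # self-reference: a cycle to survive
    "Vendor-Maint": ["vendor01", "vendor02"],
}
USERS = {
    "alice.admin": {"enabled": True, "last_logon": date(2024, 4, 28)},
    "bob.ot": {"enabled": True, "last_logon": date(2024, 4, 30)},
    "svc-legacy": {"enabled": False, "last_logon": date(2022, 1, 10)},
    "vendor01": {"enabled": True, "last_logon": date(2023, 11, 2)},
    "vendor02": {"enabled": True, "last_logon": date(2024, 4, 29)},
}
# The list the review compares against (constructed).
APPROVED_DOMAIN_ADMINS = {"alice.admin", "bob.ot"}
REVIEW_DATE = date(2024, 5, 1)


def expand_members(group, groups=GROUPS, _seen=None):
    """Resolve nested membership down to user accounts, ignoring cycles."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:
            users |= expand_members(member, groups, _seen)
        else:
            users.add(member)
    return users


def review_group(group, approved, users=USERS, groups=GROUPS,
                 today=REVIEW_DATE, stale_days=90):
    """Return (effective members, findings) for one privileged group."""
    members = expand_members(group, groups)

    def is_stale(name):
        info = users.get(name)
        return info is not None and (today - info["last_logon"]).days > stale_days

    findings = {
        "unapproved": sorted(members - approved),
        "disabled": sorted(m for m in members if not users.get(m, {}).get("enabled", False)),
        "stale": sorted(m for m in members if is_stale(m)),
        "missing": sorted(approved - members),
    }
    return members, findings


if __name__ == "__main__":
    effective, report = review_group("Domain Admins", APPROVED_DOMAIN_ADMINS)
    print("Effective members:", sorted(effective))
    for category, names in report.items():
        print(f"{category}: {names}")
```

Every item in "unapproved" is a decision for the group owner, not an automatic removal; the value of the script is that it makes the nested, disabled and stale members visible in one place so the review covers what the DC actually enforces.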

✅ Benefits of a Domain Controller

  • Centralised user and permission management
  • Fast access and authentication within a domain
  • Enforce Group Policy at scale
  • Essential for compliance and auditing
  • Support for federated access (SSO, Azure AD)

📌 In summary

A Domain Controller is the pivot of access management in a Windows network, and plays a key role in both IT and OT security architecture.