Domain controller (Windows)
On [[Microsoft Servers]], a '''domain controller''' ('''DC''') is a [[Server (computing)|server computer]]<ref name="DomainControllerRoles">{{cite web | title = Domain Controller Roles | work = Microsoft TechNet | url = https://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx | accessdate = Dec 4, 2009 }}</ref><ref>{{cite web | title = Domain Controller Roles | work = Windows Server 2003 Technical Reference | publisher = Microsoft TechNet | url = https://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx | quote = A domain controller is a server that is running a version of the Windows Server® operating system and has Active Directory® Domain Services installed. | accessdate = 2012-11-21 | date = 2010-06-03 }} </ref> that responds to security authentication requests (logging in, etc.) within a [[Windows domain]].<ref>{{Cite news|url=https://www.techopedia.com/definition/4193/domain-controller|title=What is a Domain Controller? - Definition from Techopedia|newspaper=Techopedia.com|access-date=2016-11-16}}</ref><ref>{{Cite web|url=http://scientificera.com/windows/45-windows/224-what-is-a-domain-controller.html|title=Answering: What Is a Domain Controller & What Does it Do?|last=|first=|date=|website=scientificera.com|publisher=|language=en-US|access-date=2016-11-16}}</ref> It is a server on a Microsoft Windows or Windows NT network that is responsible for allowing host access to Windows domain resources. A domain controller is the centerpiece of the Windows Active Directory service. It authenticates users, stores user account information and enforces security policy for a Windows domain. A ''domain'' is a concept introduced in [[Windows NT]] whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

== History ==
One domain controller per domain was configured as the primary domain controller (PDC); all other domain controllers were backup domain controllers (BDC). Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file, print or application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed. A BDC could authenticate the users in a domain, but all updates to the domain could only be made via the PDC, which would then propagate these changes to all BDCs in the domain. If the PDC was unavailable the update would fail. If the PDC was permanently unavailable an existing BDC could be promoted to be a PDC.

[[Windows 2000]] and later versions introduced [[Active Directory]] ("AD"), which largely eliminated the concept of PDC and BDC in favor of [[multi-master replication]]. However, there are still several roles that only one domain controller can perform, called the [[Flexible single master operation]] roles. Some of these roles must be filled by one DC per domain, while others only require one DC per [[Active Directory#Forests, Trees and Domains|AD Forest]]. If the server performing one of these roles is lost, the domain can still function, and if the server will not be available again, an administrator can designate an alternate DC to assume the role in a process known as "seizing" the role.

==Primary domain controller==
In Windows NT 4, one DC serves as the primary domain controller (PDC). Others, if they exist, are usually a backup domain controller (BDC).
The PDC is typically designated as the "first".<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/cc786438%28WS.10%29.aspx|title=Domain Controller Roles|publisher=Microsoft Tech net 3 June 2010|accessdate=13 February 2011}}</ref> The "User Manager for Domains" is a utility for maintaining user/group information. It uses the domain security database on the primary controller. The PDC has the master copy of the user accounts database which it can access and modify. The BDC computers have a copy of this database, but these copies are read-only. The PDC will replicate its account database to the BDCs on a regular basis.<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/ms151196.aspx|title=Peer-to-Peer Transactional Replication|publisher=Microsoft Technet - date undisclosed|accessdate=13 February 2011}}</ref> The BDCs exist in order to provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the first domain controller that was created unless it was replaced by a promoted BDC.

===PDC emulation (Primary Domain Controller)===
In modern releases of Windows, domains have been supplemented by the use of [[Active Directory]] services. In Active Directory domains, the concept of primary and secondary domain controller relationships no longer applies. PDC emulators hold the accounts databases and administrative tools. As a result, a heavy workload can slow the system down. The DNS service may be installed on a secondary emulator machine to relieve the workload on the PDC emulator.
The same rules apply; only one PDC may exist on a domain, but multiple replication servers may still be used.<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/cc816793%28WS.10%29.aspx|title=Reducing the Workload on the PDC Emulator Master|publisher=Microsoft Technet 9 January 2009|accessdate=13 February 2011}}</ref>
* The PDC emulator master acts in place of the PDC if there are [[Windows NT 4.0]] domain controllers (BDCs) remaining within the domain, acting as a source for them to replicate from.
* The PDC emulator master receives preferential replication of password changes within the domain. As password changes take time to replicate across all the domain controllers in an Active Directory domain, the PDC emulator master receives notification of password changes immediately, and if a logon attempt fails at another domain controller, that domain controller will forward the logon request to the PDC emulator master before rejecting it.
* The PDC emulator master also serves as the machine to which all domain controllers in the domain will synchronise their clocks. It, in turn, should be configured to synchronise to an external [[Network Time Protocol|NTP]] time source.<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/cc794937%28WS.10%29.aspx|title=Configure the Time Source for the Forest|publisher=Microsoft Technet 9 January 2009|accessdate=13 February 2011}}</ref>

===Samba===
Primary Domain Controllers (PDC) have been faithfully recreated on the [[Samba software|Samba]] emulation of Microsoft's [[Server message block|SMB]] client/server system.
[[Samba software|Samba]] has the capability to emulate an NT 4.0 domain, as well as modern Active Directory Domain Services<ref>{{Cite web|url=https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller|title=Setting up Samba as an Active Directory Domain Controller - SambaWiki|website=wiki.samba.org|language=en|access-date=2018-04-20}}</ref> on a [[Linux]] machine.<ref>{{Cite web|url=http://support.microsoft.com/kb/250263|title=Server Manager Shows PDC and BDC as Workstations with Samba Linux Server in Network|publisher=Microsoft Technet 1 November 2006|accessdate=13 February 2011}}</ref>

==Backup domain controller==
In Windows NT 4 domains, the backup domain controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the PDC, the BDC database is a read-only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs. These additional domain controllers exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests and take some of the authentication load from the PDC.

When [[Windows 2000]] was released, the NT domain as found in NT 4 and prior versions was replaced by [[Active Directory]]. In Active Directory domains running in native mode, the concept of the PDC and BDC does not exist. In these domains, all domain controllers are considered equals. A side effect of this change is the loss of ability to create a "read-only" domain controller. [[Windows Server 2008]] reintroduced this capability.
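
The single-holder roles, the read-only domain controllers and the PDC emulator's time-source duty described above can be checked from PowerShell. This is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the function names are hypothetical.

```powershell
# Added example: read-only audit; needs the ActiveDirectory module (RSAT).
# Function names below are hypothetical, chosen for this illustration.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # Three roles are held once per domain, two once per forest.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Get-DomainControllerSummary {
    # Every DC in the current domain, with read-only status and any roles it holds.
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog,
            @{ Name = 'Roles'; Expression = { $_.OperationMasterRoles -join ', ' } }
}

function Test-PdcTimeSource {
    param([Parameter(Mandatory)][string]$PdcEmulator)
    # w32tm reports one of these two strings when no upstream source is in use.
    $source = (& w32tm /query /source "/computer:$PdcEmulator" | Out-String).Trim()
    $local  = $source -match 'Local CMOS Clock|Free-running System Clock'
    [pscustomobject]@{
        PdcEmulator    = $PdcEmulator
        TimeSource     = $source
        UpstreamSource = -not $local
    }
}

$roles = Get-FsmoRoleHolder
$roles | Format-List
Get-DomainControllerSummary | Format-Table -AutoSize
Test-PdcTimeSource -PdcEmulator $roles.PDCEmulator | Format-List
```

In a multi-domain forest, only the forest root domain's PDC emulator is expected to use an external NTP source; PDC emulators in child domains take their time from the domain hierarchy.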

==Nomenclature==
Windows Server can be one of three kinds: Active Directory "domain controllers" (ones that provide identity and authentication), Active Directory "member servers" (ones that provide complementary services such as file repositories and schema) and [[Features new to Windows 7#HomeGroup|Windows Workgroup]] "stand-alone servers".<ref> {{cite web | url = https://technet.microsoft.com/en-us/library/cc737059.aspx | title = Planning for domain controllers and member servers | work = Windows Server 2003 Product Help | publisher = Microsoft TechNet | quote = [...] servers in a domain can have one of two roles: domain controllers, which contain matching copies of the user accounts and other Active Directory data in a given domain, and member servers, which belong to a domain but do not contain a copy of the Active Directory data. (A server that belongs to a workgroup, not a domain, is called a stand-alone server.) | date = 2005-01-21 | accessdate = 2012-11-21 }} </ref> The term "Active Directory Server" is sometimes used by Microsoft as synonymous with "Domain Controller"<ref>{{cite web | url = https://technet.microsoft.com/en-us/library/capacity-planning-for-domain-controllers.aspx | title = Capacity Planning for Active Directory Domain Services | publisher = Microsoft TechNet | quote = Evaluating Active Directory Server RAM [...] Evaluating the amount of RAM that a domain controller (DC) needs is actually quite a complex exercise. | date = 2012-10-12 | accessdate = 2012-11-21 | archive-url = https://web.archive.org/web/20121129084522/http://technet.microsoft.com/en-us/library/capacity-planning-for-domain-controllers.aspx | archive-date = 2012-11-29 | url-status = dead }}</ref><ref>{{cite web | url = http://support.microsoft.com/kb/324753/ | title = Q324753: How To Create an Active Directory Server in Windows Server 2003 | publisher = Microsoft Support | quote = How To Create an Active Directory Server in Windows Server 2003 [...] 
To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps [...] | date = 2011-09-11 | accessdate = 2012-11-21 }} </ref><ref>{{cite web | url = http://support.microsoft.com/kb/302914/ | title = Q302914: How Outlook 2000 accesses Active Directory | publisher = Microsoft Support | quote = [...] you must restart Outlook if that particular Active Directory server stops responding. | date = 2007-02-27 | accessdate = 2012-11-21 }} </ref><ref>{{cite web | url = http://support.microsoft.com/kb/253841/ | title = Q253841: XADM: Troubleshooting Active Directory Connector Replication Issues | publisher = Microsoft Support | quote = Is a Connection Agreement configured for the Exchange Server computer to the Active Directory server? | date = 2007-02-27 | accessdate = 2012-11-21 }} </ref><ref> {{cite web | url = http://support.microsoft.com/kb/825916/ | title = Q825916: Exchange 2000 Active Directory Connector Does Not Successfully Replicate Changes to Group Membership in Windows Server 2003 Active Directory in Forest Functional Levels 1 or 2 | publisher = Microsoft Support | quote = [...] changes do not replicate between a Windows Server 2003 Active Directory server (in forest functional level 1 or in forest functional level 2) and a Microsoft Exchange Server 5.5 computer [...] | date = 2006-10-27 | accessdate = 2012-11-21 }} </ref> but the term is discouraged.<ref>Comment officially marked as "answer" by Microsoft-employed forum moderator "Arthur_Li". {{cite web | url = http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/60e064b5-5c6f-4c96-9abb-e3e51f4265c9/ | archive-url = https://archive.today/20130103233916/http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/60e064b5-5c6f-4c96-9abb-e3e51f4265c9/ | url-status = dead | archive-date = 2013-01-03 | title = AD server vs. Domain Controller vs. Member Server, et al. | work = Microsoft TechNet Forums | author = Jorge Mederos | quote = [...] 
the term "AD Servers" is not a phrase you will find in any of the technical books and I myself have not heard that term used in the industry. | date = 2010-10-11 | accessdate = 2012-11-21 }}</ref>

== References ==
{{reflist}}

== External links ==
* [http://support.microsoft.com/kb/247811 How domain controllers are located in Windows]
* [http://www.turnkeylinux.org/domain-controller Pre-integrated open source domain controller]

{{DEFAULTSORT:Domain Controller}}
[[Category:Microsoft server technology]]
[[Category:Active Directory]]