

Domain Controllers

I found this part-completed post & can’t remember if I ever published it. If I did, we’ll put it down to my forgetfulness.

The role of Domain Controllers in an Active Directory environment still seems to be causing problems nine years after the introduction of Windows 2000 and Active Directory.

In an NT environment it was nice and simple – all changes were made at the PDC and were then replicated out to the read-only BDCs.

In Active Directory all of the Domain Controllers function in a multi-master manner i.e. changes can be made at any Domain Controller and will then replicate to all of the other Domain Controllers. This concept is complicated by the fact that some tasks can only be performed by a single Domain Controller at a time. These are the FSMO roles:

Forest Level

  • Schema Master – only Domain Controller that can be used to update the schema
  • Domain Naming Master – must be contactable when adding or removing domains.

Domain Level

  • PDC Emulator – replicates to NT BDCs in the domain (they should have gone long ago), controls time synchronisation, and is consulted when a logon fails because the password is incorrect, to check whether the password has recently changed (password changes are immediately replicated to the PDC Emulator)
  • RID Master – responsible for administering and issuing RIDs to Domain Controllers to enable new objects to be created in the directory
  • Infrastructure Master – updates an object’s SID and distinguished name in cross-domain references

These roles can be transferred between Domain Controllers quite easily. Notice that there is no BDC or PDC: the PDC Emulator emulates an NT PDC, it is not a PDC. Let’s forget about PDC\BDC; they have gone the way of the dinosaurs.

More details can be found here

A domain should ideally have at least two Domain Controllers for resilience. A test domain could get by with one if rebuilding it is acceptable.
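The FSMO roles above, their transfer, and the two-Domain-Controller minimum can all be checked from the Active Directory PowerShell module. The following script is an added example and is not code from the original post: it reports which Domain Controller holds each forest- and domain-level role, counts the Domain Controllers in the current domain, and wraps the built-in Move-ADDirectoryServerOperationMasterRole cmdlet so that a transfer can be dry-run with -WhatIf before it is performed. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and a domain-joined session with rights to read the directory; the server name 'DC02' in the usage lines is a placeholder, not a real host.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is installed and the session is domain-joined.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-level roles are properties of the forest object,
    # domain-level roles are properties of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-DomainControllerResilience {
    # The post recommends at least two Domain Controllers per domain;
    # MeetsMinimum is $false for a single-DC domain.
    $dcs = @(Get-ADDomainController -Filter *)
    [PSCustomObject]@{
        DomainControllers = $dcs.HostName
        Count             = $dcs.Count
        MeetsMinimum      = ($dcs.Count -ge 2)
    }
}

function Move-FsmoRole {
    # Graceful transfer only: the current holder must be online.
    # Seizing (-Force) is a last resort and is deliberately not exposed here.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator',
                     'RIDMaster','InfrastructureMaster')]
        [string[]]$Role
    )
    # -WhatIf / -Confirm passed to this function flow through to the cmdlet.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role
}

# Usage (DC02 is a placeholder name):
Get-FsmoRoleHolders | Format-List
Test-DomainControllerResilience
Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator -WhatIf
```

Run Get-FsmoRoleHolders on a schedule and compare the output with the previous run: an unexpected change of role holder, particularly the PDC Emulator, is worth investigating, since that Domain Controller controls time synchronisation and receives every password change first.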

Domain Controllers should, ideally, be dedicated to the role. Layering applications or file and print operations onto a Domain Controller will weaken its security and may cause performance issues. Some small organisations may need to run other applications or services on a Domain Controller, but this should be a position of last resort.

Given modern hardware costs, new Domain Controllers should use 64-bit hardware and OS versions. Put a good allowance of RAM into the machine and the whole of the Active Directory database can be held in memory. Performance will increase to the point where you may be able to remove some of the 32-bit Domain Controllers. Windows 2008 R2 is 64-bit only, so you will have to go down the 64-bit route.

