Understanding Domain Controller Basics

The domain controller is a basic element of an Active Directory (AD) domain. Many people who are new to Active Directory do not know where to start. What is an Active Directory domain controller? What is it used for? How do you create a new domain controller? What is the difference between the primary domain controller and an additional domain controller? How do you restore a domain controller from its configuration backup? These questions trouble many Active Directory beginners. This article, "Domain Controller", is derived from the Microsoft Active Directory operations guide and gives you a general understanding of domain controllers as a starting point.
Domain Controllers
When you create the first domain controller in your organization, you also create the first domain, the first forest, the first site, and Active Directory. Domain controllers running Windows Server 2003 store directory data and manage user and domain interactions, including user login processes, authentication, and directory searches. Domain controllers are created using the Active Directory Installation Wizard. For more information, see Using the Active Directory Installation Wizard.
Note
You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer as a member server to an Active Directory domain. For more information about Windows Server 2003, Web Edition, see Windows Server 2003 Web Edition Overview.
When using a domain controller in your organization, you need to consider how many domain controllers are needed, the physical security of those domain controllers, and the plan to back up domain data and upgrade domain controllers.
Determining the Number of Domain Controllers Needed
For high availability and fault tolerance, a small organization using a single local area network (LAN) might only need one domain with two domain controllers. Large organizations with multiple network locations require one or more domain controllers at each site to provide high availability and fault tolerance.
If your network is divided into multiple sites, it is usually good practice to configure at least one domain controller in each site to improve network performance. When users log in to the network, they must contact a domain controller as part of the login process. If the client has to connect to a domain controller at a different site, the login process will take a long time. For more information, see Copying between sites.
By creating a domain controller in each site, user logins can be performed more efficiently within the site. For information on how to create additional domain controllers, see Creating additional domain controllers.
To optimize network communication, you can also configure domain controllers to receive directory replication updates only during off-peak hours. For information on how to schedule site replication, see Configuring Site Link Replication Availability.
When the site's domain controller is also a global catalog, the network performs best. This way, the server can complete object queries throughout the forest. However, having multiple domain controllers as global catalogs can increase the replication traffic of the network. For more information on global catalogs, see Roles in Global Catalogs. For more information on adding a global catalog to a site, see Global Catalogs and Sites.
A domain controller that assumes the infrastructure master role cannot be used as a global catalog in a domain with multiple domain controllers. For more information, see Manipulating Host Roles.
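The placement rules in this section can be checked against an inventory of domain controllers. The following is an added example, not part of the original guide: the inventory format, the names DC1 to DC3, the domain corp.example and the site names are constructed for illustration, and the all-global-catalog exception in the code is a well-known rule that this page does not state.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): one record per domain controller.
INVENTORY = [
    {"name": "DC1", "domain": "corp.example", "site": "HQ", "gc": True, "infra_master": True},
    {"name": "DC2", "domain": "corp.example", "site": "HQ", "gc": False, "infra_master": False},
    {"name": "DC3", "domain": "corp.example", "site": "Branch1", "gc": False, "infra_master": False},
]
SITES = ["HQ", "Branch1", "Branch2"]  # constructed list of sites that have users


def audit_placement(inventory, sites):
    """Return a sorted list of (rule, subject) findings for the rules above."""
    findings = []
    by_domain = defaultdict(list)
    by_site = defaultdict(list)
    for dc in inventory:
        by_domain[dc["domain"]].append(dc)
        by_site[dc["site"]].append(dc)

    for domain, dcs in by_domain.items():
        # A domain with a single DC has no fault tolerance.
        if len(dcs) < 2:
            findings.append(("single-dc-domain", domain))
        # The infrastructure master must not be a global catalog when the
        # domain has several DCs. Exception not stated on the page: if every
        # DC in the domain is a global catalog, placement does not matter.
        all_gc = all(dc["gc"] for dc in dcs)
        for dc in dcs:
            if dc["infra_master"] and dc["gc"] and len(dcs) > 1 and not all_gc:
                findings.append(("infra-master-on-gc", dc["name"]))

    for site in sites:
        local = by_site.get(site, [])
        if not local:
            # Clients in this site must log in across a site link.
            findings.append(("site-without-dc", site))
        elif not any(dc["gc"] for dc in local):
            # Forest-wide object queries have to leave the site.
            findings.append(("site-without-gc", site))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit_placement(INVENTORY, SITES):
        print(f"{rule}: {subject}")
```

A "site-without-gc" finding is a performance note rather than an error, since the page also points out that every additional global catalog adds replication traffic.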
Physical Security
Physical access to a domain controller gives a malicious user unauthorized access to encrypted passwords. Therefore, it is recommended that all domain controllers in your organization be locked in a secure room with only limited public access. Additional security measures (such as Syskey) can be taken to further protect the domain controller. For more information on Syskey, see System Key Utility.
Backup Domain Controllers
You can use the Backup tool (included in the Windows Server 2003 family) to back up domain directory partition data and data from other directory partitions from any domain controller in the domain. Using the backup tool on a domain controller, you can:
Back up Active Directory when the domain controller is online.
Use batch file commands to back up Active Directory.
Back up Active Directory to removable media, an available network drive, or a file.
Back up other systems and data files.
When you use the backup tool on a domain controller, all system components and all distributed services that Active Directory depends on are automatically backed up. This related data, including Active Directory, is collectively referred to as system state data.
On a domain controller running Windows Server 2003, the System State data includes the system startup files, the system registry, the class registration database for COM+ (an extension of the Component Object Model), the SYSVOL directory, the Certificate Services database (if installed), the Domain Name System (if installed), the Cluster service (if installed), and Active Directory. It is recommended to back up the System State data on a regular basis.
For general information about System State data, see System State Data. For more information on how to back up System State data, see Backing Up System State Data. For more information on how to restore a System State backup, see Restoring System State Data.
You can use a restored backup taken from a domain controller running Windows Server 2003 to install Active Directory on a server running Windows Server 2003. For more information, see Creating additional domain controllers.
Upgrading Domain Controllers
On domain controllers running Windows NT 4.0, to successfully upgrade the domain, you first need to upgrade the primary domain controller (PDC). After upgrading the PDC, you can upgrade the backup domain controller (BDC). For more information, see Upgrading from a Windows NT Domain.
If you currently have a Windows 2000 forest that does not have any domain controllers running Windows Server 2003, you need to prepare the forest and the target domain before upgrading a domain controller running Windows 2000. For more information, see Upgrading from a Windows 2000 domain.