On Microsoft Servers, a domain controller (DC) is a server computer [1] [2] that responds to security authentication requests (logging in, etc.) within a Windows domain. [3] [4] A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
With one domain controller per domain was configured as the primary domain controller all other domain controllers were backup domain controllers
Because of the critical nature of the PDC, best practices dictated that the PDC should be dedicated solely to domain services, and not used for file, print or application services that could slow down or crash the system. Some network administrators took the additional step of having a dedicated BDC online for the express purpose of being available for promotion if the PDC failed.
A BDC could authenticate the users in a domain, but all updates to the domain could only be made via the PDC, which would then propagate these changes to all BDCs in the domain. If the PDC was unavailable the update would fail. If the PDC was permanently unavailable an existing BDC could be promoted to be and later versions introduced Active Directory ("AD"), which largely eliminated the concept of PDC and BDC in favor of multi-master replication. However, there are still several roles that only one domain controller can perform, called the Flexible single master operation roles. Some of these roles must be filled by one DC per domain, while others only require one DC per AD Forest. If the server performing one of these roles is lost, the domain can still function, and if the server will not be available again, an administrator can designate an alternate DC to assume the role in a process known as "seizing" the role.
In Windows NT 4, one DC serves as the primary domain controller (PDC). Others, if they exist, are usually a backup domain controller (BDC). The PDC is typically designated as the "first". [5] The "User Manager for Domains" is a utility for maintaining user/group information. It uses the domain security database on the primary controller. The PDC has the master copy of the user accounts database which it can access and modify. The BDC computers have a copy of this database, but these copies are read-only. The PDC will replicate its account database to the BDCs on a regular basis. [6] The BDCs exist in order to provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the first domain controller that was created unless it was replaced by a promoted BDC.
In modern releases of Windows, domains have been supplemented by the use of Active Directory services. In Active Directory domains, the concept of primary and secondary domain controller relationships no longer applies. PDC emulators hold the accounts databases and administrative tools. As a result, a heavy workload can slow the system down. The DNS service may be installed on a secondary emulator machine to relieve the workload on the PDC emulator. The same rules apply; only one PDC may exist on a domain, but multiple replication servers may still be used. [7]
Primary Domain Controllers (PDC) have been faithfully recreated on the Samba emulation of Microsoft's SMB client/server system. Samba has the capability to emulate an NT 4.0 domain, as well as modern Active Directory Domain Services [9] on a Linux machine. [10]
In Windows NT 4 domains, the backup domain controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the PDC, the BDC database is a read-only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs. These additional domain controllers exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests and take some of the authentication load from the PDC.
When Windows 2000 was released, the NT domain as found in NT 4 and prior versions was replaced by Active Directory. In Active Directory domains running in native mode, the concept of the PDC and BDC do not exist. In these domains, all domain controllers are considered equals. A side effect of this change is the loss of ability to create a "read-only" domain controller. Windows Server 2008 reintroduced this capability.
Windows Server can be one of three kinds: Active Directory "domain controllers" (ones that provide identity and authentication), Active Directory "member servers" (ones that provide complementary services such as file repositories and schema) and Windows Workgroup "stand-alone servers". [11] The term "Active Directory Server" is sometimes used by Microsoft as synonymous to "Domain Controller" [12] [13] [14] [15] [16] but the term is discouraged. [17]
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.
Samba is a free software re-implementation of the SMB networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.
In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.
The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.
A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database located on one or more clusters of central computers known as domain controllers. Authentication takes place on domain controllers. Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain. Starting with Windows Server 2000, Active Directory is the Windows component in charge of maintaining that central database. The concept of Windows domain is in contrast with that of a workgroup in which each computer maintains its own database of security principals.
Flexible Single Master Operations, or just single master operation or operations master, is a feature of Microsoft's Active Directory (AD). As of 2005, the term FSMO has been deprecated in favour of operations masters.
LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heavily modified version of MS-DOS.
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy allows Group Policy Object management without Active Directory on standalone computers.
Distributed File System (DFS) is a set of client and server services that allow an organization using Microsoft Windows servers to organize many distributed SMB file shares into a distributed file system. DFS has two components to its service: Location transparency and Redundancy. Together, these components enable data availability in the case of failure or heavy load by allowing shares in multiple different locations to be logically grouped under one folder, the "DFS root".
The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.
Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to the resources.
In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.
Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.
AGDLP briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP and AGLP summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.
Inter-domain routing is data flow control and interaction between Primary Domain Controller (PDC) computers. This type of computer uses various computer protocols and services to operate. It is most commonly used to multicast between internet domains.
A roaming user profile is a file synchronization concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows domain to log on to any computer on the same domain and access their documents and have a consistent desktop experience, such as applications remembering toolbar positions and preferences, or the desktop appearance staying the same, while keeping all related files stored locally, to not continuously depend on a fast and reliable network connection to a file server.
Browser service or Computer Browser Service is a feature of Microsoft Windows to let users easily browse and locate shared resources in neighboring computers. This is done by aggregating the information in a single computer "Browse Master". All other computers contact this computer for information and display in the Network Neighborhood window.
In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.
A domain controller (DC) is a server that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information and enforces security policy for a domain. It is most commonly implemented in Microsoft Windows environments, where it is the centerpiece of the Windows Active Directory service. However, non-Windows domain controllers can be established via identity management software such as Samba and Red Hat FreeIPA.
A domain controller is a server that is running a version of the Windows Server® operating system and has Active Directory® Domain Services installed.
[...] servers in a domain can have one of two roles: domain controllers, which contain matching copies of the user accounts and other Active Directory data in a given domain, and member servers, which belong to a domain but do not contain a copy of the Active Directory data. (A server that belongs to a workgroup, not a domain, is called a stand-alone server.)
Evaluating Active Directory Server RAM [...] Evaluating the amount of RAM that a domain controller (DC) needs is actually quite a complex exercise.
How To Create an Active Directory Server in Windows Server 2003 [...] To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps [...]
[...] you must restart Outlook if that particular Active Directory server stops responding.
Is a Connection Agreement configured for the Exchange Server computer to the Active Directory server?
[...] changes do not replicate between a Windows Server 2003 Active Directory server (in forest functional level 1 or in forest functional level 2) and a Microsoft Exchange Server 5.5 computer [...]
[...] the term "AD Servers" is not a phrase you will find in any of the technical books and I myself have not heard that term used in the industry.