Information about Active Directory Domain Services

Updated: March 10, 2009

Active Directory Domain Services (AD DS) is a system that provides features such as authentication, policy-setting enforcement, and centralized management of users and computers. AD DS is implemented by computers that are running a Windows Server operating system and acting as domain controllers. If you have one or more domain controllers in your environment, AD DS is present in your environment.

You may be familiar with the terminology “primary domain controllers” (PDCs) and “backup domain controllers” (BDCs). This is legacy terminology that refers to Windows NT® 4.0 domain controllers. As of the Microsoft® Windows® 2000 Server operating system, there are no PDCs or BDCs—domain controllers have equal responsibilities with the exception of operations master roles, which are explained later in this section. Therefore, it does not make sense to refer to a DC as your “primary domain controller” unless it is running Windows NT 4.0.

Domain controllers store data in an area called SYSVOL. SYSVOL is located on domain controllers’ system drives. For example, the default SYSVOL location in Windows Server 2003 is C:\WINDOWS\SYSVOL. The data includes user objects, group objects, computer objects, and Group Policy objects (GPOs).

Domain controllers communicate with each other to replicate copies of SYSVOL, which causes each domain controller in your environment to have a copy of each object. This means that when at least one domain controller is available, your environment will continue to function (for example, users can log on).

AD DS is organized in hierarchical trees to make it easy to apply changes across groups of objects. These trees are called domains. Domains are collected in groups called forests. Each forest has one root domain, which is the first domain that you create in the forest. Forests do not have their own names—they are referenced by the name of their root domain.

Domains are referenced by names such as adventure-works.com. Domains should always have at least two parts (in the example, adventure-works is one part, and com is the second part). In complex AD DS configurations, a single forest can have multiple domains (for example, adventure-works.com and contoso.com), but only the domain that is created first will be the root domain. Domains can have subdomains (also called child domains), such as hr.adventure-works.com.

A typical AD DS configuration in a midsize organization is one forest that contains one domain with several subdomains, in an environment that has two domain controllers. For example, your domain might be adventure-works.com with two subdomains: engineering.adventure-works.com and accounting.adventure-works.com. The following diagram shows this configuration:

AD DS configuration

Figure 1   A typical AD DS configuration in a midsize organization

Domain controllers can be operations masters. An operations master is a domain controller that holds at least one of the following five operations master roles:

 

Operations Master Role Number of Masters for this Role Description

Schema master

One domain controller per forest

Governs all changes to the AD DS schema

Domain naming master

One domain controller per forest

Adds and removes domains to and from forest

Primary domain controller (PDC) emulator

One domain controller per domain

Allows coexistence with Windows NT 4.0 domain controllers

Relative identifier (RID) master

One domain controller per domain

Allocates unique identifiers to security principals

Infrastructure master

One domain controller per domain

Facilitates relationships between this domain and other domains

By default, the first domain controller that you introduced into your environment automatically assumed all five operations master roles. These roles do not move automatically when you add new domain controllers, so unless you have manually moved these roles, they are held by the first domain controller in your environment.

Although the operations master roles are important, they are not critical to the daily operational needs of your environment. For example, if you have two domain controllers with all the operations master roles residing on a single domain controller, and then that domain controller becomes unavailable, users can still log on and new objects can still be created. For this reason it is acceptable to have all operations master roles held by one domain controller.

To learn more about operations master roles, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=89141).

Community Additions

ADD
Show: