Updated: November 25, 2009
Applies To: Windows Server 2008
Domain controllers are servers that host Active Directory Domain Services (AD DS) resources. These servers host essential services in AD DS, including the following:
- Kerberos Key Distribution Center (kdc)
- NetLogon (Netlogon)
- Windows Time (W32time)
- Intersite Messaging (IsmServ)
- File Replication (ntfrs): required if the forest functional level is lower than Windows Server 2008 or if an upgraded forest is at the Windows Server 2008 functional level and Distributed File System Replication (DFSR) is not yet configured
- Distributed File System (Dfs): if the forest functional level is Windows Server 2008 and DFSR is in use
In addition, domain controllers host the SYSVOL share. Domain controllers must register Domain Controller Locator (DC Locator) records with Domain Name System (DNS) so that domain member computers can locate resources on the domain.
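The following PowerShell health check is an added example and not part of the original page: it reports the state of the services listed above, confirms the SYSVOL share, and verifies that the DC Locator SRV records the domain controller must register are resolvable. It assumes it runs locally on a domain controller where nslookup.exe and nltest.exe are available; the service name DFSR for DFS Replication is an assumption, since the page itself names only ntfrs and Dfs.

```powershell
# Added example (not from the original page): domain controller service and
# DC Locator record check. Assumes it runs on the domain controller itself.
$DomainName = (Get-WmiObject Win32_ComputerSystem).Domain      # e.g. corp.example.com
$ThisDc     = "$env:COMPUTERNAME.$DomainName"

# Service names as the page lists them; SYSVOL replication uses either FRS (ntfrs)
# or DFS Replication (DFSR is an assumed service name), so both are reported.
$Required = 'kdc', 'Netlogon', 'W32time', 'IsmServ'
$Sysvol   = 'ntfrs', 'Dfs', 'DFSR'

foreach ($name in $Required + $Sysvol) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        if ($Required -contains $name) { Write-Warning "$name : not installed" }
        else { Write-Output "$name : not installed (acceptable if the other SYSVOL engine runs)" }
    }
    elseif ($svc.Status -ne 'Running') { Write-Warning "$name : $($svc.Status)" }
    else { Write-Output "$name : Running" }
}

# The SYSVOL share must be present; clients read Group Policy and scripts from it.
$share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
if ($null -eq $share) { Write-Warning "SYSVOL share is not published" }
else { Write-Output "SYSVOL share : $($share.Path)" }

# DC Locator relies on these SRV records; each one should name this domain controller.
$SrvRecords = "_ldap._tcp.dc._msdcs.$DomainName",
              "_kerberos._tcp.dc._msdcs.$DomainName",
              "_ldap._tcp.$DomainName",
              "_kerberos._tcp.$DomainName"
foreach ($rec in $SrvRecords) {
    $answer = & nslookup.exe -type=SRV $rec 2>&1 | Out-String
    if ($answer -match [regex]::Escape($ThisDc)) { Write-Output "$rec : registered" }
    else { Write-Warning "$rec : this DC ($ThisDc) is missing from the answer" }
}

# Finally, ask the locator itself (exit code 0 means a DC was found for the domain).
& nltest.exe /dsgetdc:$DomainName /force | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "DC Locator failed for $DomainName (nltest exit $LASTEXITCODE)" }
else { Write-Output "DC Locator : located a domain controller for $DomainName" }
```

Missing SRV records are usually repaired by restarting the NetLogon service, which re-registers them; a stopped kdc or W32time service shows up here before clients start failing authentication.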
The following is a list of the managed entities that are included in this managed entity:
The directory service is a database with multiple data partitions, as well as the processes to maintain, manage, and secure the database. Domain controllers host and replicate the directory service database inside the forest. The directory service also provides services for managing and authenticating resources in the forest.
The Windows Time service (W32time) automatically synchronizes the local computer's time with other computers on the network.
The Windows Time service architecture consists of the following components:
The Windows Time service internal time synchronization process involves the following steps:
If a computer has been designated as a time server, it can send the time on to any computer requesting time synchronization at any point in this process.
The Security Accounts Manager (SAM) is a database that stores user accounts and security descriptors for users on the local computer.
You can use Local Security Authority (LSA) policy to manage trust relationships between domains. The LSA also provides a software interface for other software components when they query mappings of account names to security identifiers (SIDs) between the local domain and trusted domains.
The NetLogon service verifies NTLM logon requests, and it registers, authenticates, and locates domain controllers. Also, to maintain compatibility with older operating systems, NetLogon manages replication of the user account database to backup domain controllers running Windows NT 4.0 and earlier.
The global catalog is a distributed data repository that facilitates searches and logons in an Active Directory forest. The Active Directory replication system builds global catalog data automatically.
One or more domain controllers in an Active Directory forest host the global catalog. The domain controllers that host the global catalog are called global catalog servers.
Users and applications can use the global catalog to locate objects in any domain in the forest by searching for an attribute of the object. For example, an administrator can use the global catalog to search for a user's last name to locate that user's account in the forest. A user can also use the global catalog to search the forest for a list of printers that are organized by location.
The global catalog facilitates logons by ensuring that membership in universal groups from all domains is represented in the user's access credentials (also known as the access token).