Domain Controller

Domain Controller is a Microsoft Windows Server that manages the domain security policy.

What is Domain Controller?

A Microsoft Windows Server that manages the domain security policy. Users and computers that need to obtain access to network resources within the domain must be authenticated by a domain controller in the domain. Windows NT domain controllers are the foundation of Windows NT Directory Services (NTDS), while Windows 2000 domain controllers are based on Active Directory.

In a Windows NT–based network, the domain controllers form a hierarchy. There are two types of Windows NT domain controller:

  • The primary domain controller (PDC), which contains a writable master copy of the domain directory database. A domain can have only one PDC, which is at the top of the domain controller hierarchy. All changes to directory information (such as user accounts or passwords) must be made on the PDC.
  • The backup domain controller (BDC), which contains read-only replicas of the domain directory database stored on the PDC. There can be zero or more BDCs per domain. BDCs provide redundancy and load balancing for the domain. Periodically, the BDCs in a domain undergo directory synchronization with the PDC to ensure that the BDCs contain an accurate copy of the domain directory database. This replication ensures the proper functioning of the NTDS.

A Windows 2000 domain controller is any Windows 2000 server with the optional Active Directory service installed. Windows 2000 domain controllers contain a complete, writable copy of the Active Directory information for the domain in which they are installed. Run the Active Directory Installation Wizard to promote any Windows 2000 member server to the role of a domain controller. A domain controller manages information in the Active Directory database and enables users to log on to the domain, be authenticated for accessing resources in the domain, and search the directory for information about users and network resources. A Windows 2000 domain controller contains a writable copy of the domain directory database.

Unlike in a Windows NT–based network, where domain controllers are in a hierarchy, all domain controllers in a Windows 2000–based network are equal, and changes to the domain directory database can be made at any domain controller. Replication of directory information between Windows 2000 domain controllers follows a multimaster model. In this configuration, each domain controller acts as a peer to all other domain controllers. In other words, there are no primary or backup domain controllers in Windows 2000, only domain controllers.

In a pure Windows 2000 networking environment, all domain controllers can be configured to run in native mode. If you have a mix of Windows NT 4 and Windows 2000 domain controllers, the Windows 2000 domain controllers must be configured to run in mixed mode.


If you need to move a Windows NT domain controller to a new domain, you must reinstall Windows NT. Domain controllers cannot migrate from one domain to another because when you create a domain, a unique security identifier (SID) is created to identify the domain, and domain controllers have this SID hard-coded into their domain directory database.

You can use the administrative tool Active Directory Users and Computers to convert a Windows 2000 domain controller from mixed mode to native mode. However, domain controllers running in native mode cannot be changed to mixed mode.

If you create a new domain controller for an existing Windows 2000 domain, this new domain controller is referred to as a replica domain controller. Replica domain controllers are typically created to provide fault tolerance and better support for users who access resources over the network.


To upgrade a Windows NT–based network to Windows 2000, upgrade the PDC first. This allows the domain to immediately join a domain tree, and administrators can administer the domain using the administrative tools of Windows 2000 and create and configure objects in Active Directory.

An important issue regarding domain controllers in Windows 2000–based networks is where to place them. After an administrator implements Active Directory and populates its initial information, most Active Directory–related traffic will come from users querying for network resources.

The key to optimizing user queries is in how you locate the domain controllers and the global catalog servers on your network. Placing a domain controller at each physical site optimizes query traffic but increases replication traffic between sites. Nevertheless, the best configuration is usually to place at least one domain controller at each site with a significant number of users and computers.