
Evolution of Windows Domain Controller

IT administrators have been working with and around Active Directory since the introduction of the technology in Windows 2000 Server. Windows 2000 Server was released on February 17, 2000 but many administrators began working with Active Directory in late 1999 when it was released to manufacturing (RTM) on December 15, 1999.

In this part of our tutorial we’ll talk about the domain controller.

What is a Domain Controller?

The domain controller is the backbone of Active Directory. Without a domain controller, you can’t have a directory!

You can use up to 1,200 domain controllers in a single domain. But, don’t judge another administrator’s environment by the size or scale of it! Let’s look at the evolution of the domain controller:

  • Windows NT 3.1 introduced the original Microsoft domain

Windows NT 3.1 (subsequently 3.5 and then 3.51) should not be confused with Windows 3.1 which was a 16-bit client operating system. The domain functionality included with Windows NT was not a multi-master model like AD DS. Thus, there was a primary domain controller (PDC) and backup domain controllers (BDCs). All changes were handled by the PDC. A BDC could be promoted to a PDC in a disaster recovery situation. Today, we have the PDC Emulator FSMO role which is directly related to the original PDC.

  • Windows 2000 Server introduced Active Directory

With the release of Windows 2000 Server, Microsoft revamped a large amount of the traditional domain and marketed the service as Active Directory. A key feature of Active Directory was the multi-master model which allowed most of the Active Directory functionality, including changes, to take place on any DC in the domain.

  • Windows Server 2003 introduced new features

With Windows Server 2003, Active Directory was updated with some administrative enhancements (such as multi-selecting objects in ADUC), added the ability to create forest trusts, and added the universal group membership caching feature. Other features were added or expanded too, especially around command-line administration.

  • Windows Server 2003 R2 introduced AD FS and Active Directory Application Mode (ADAM)

AD FS and ADAM were big enhancements, especially looking at them today in 2015. Back then, they weren’t used much though. ADAM later became AD LDS while AD FS was updated along the way for cloud integration.

  • Windows Server 2008 introduced read-only domain controllers (RODCs) and fine-grained password policies

With Windows Server 2008, RODCs became an option which allowed administrators to deploy DCs in insecure computer closets at branch offices, among other uses. In addition, fine-grained password policies were introduced, albeit with some administrative challenges such as not having a graphical user interface to manage the policies. Windows Server 2008 R2 continued refining some of the features introduced in Windows Server 2008 and introduced the Recycle Bin and a PowerShell module, which was paramount for administrators to be able to effectively manage AD DS from PowerShell.

  • Windows Server 2012 introduced simplified management and enhanced virtualization support

The long-awaited graphical user interface tools to manage the Recycle Bin and fine-grained password policies were introduced. Additionally, virtualization was enhanced and support for virtualizing DCs became mainstream. See https://technet.microsoft.com/en-us/library/hh831477.aspx for a complete guide on the changes.

  • Windows Server 2012 R2 focused on security enhancements

New features included multi-factor authentication, single sign-on from connected devices, and multi-factor access control. See https://technet.microsoft.com/en-us/library/dn268294.aspx for a complete guide on the changes.

You will find more information about Active Directory basics in our AD tutorial for beginners.

FAQ

What is a domain controller?

A domain controller is a Windows server that manages user authentication and authorization within a Windows domain network. It stores user account information, enforces security policies, and authenticates users when they log into domain-joined computers. Domain controllers run Active Directory Domain Services, which maintains a centralized database of network objects including users, computers, groups, and organizational units. When someone logs into a domain computer, the domain controller verifies their credentials and determines what resources they can access based on their identity and group memberships. This centralized identity management approach enables consistent security policies across the entire network and provides the foundation for least privilege access controls. Data security that starts with identity relies on properly configured domain controllers to enforce access policies and monitor user activity.

How to make your server 2019 a domain controller?

Promoting a Windows Server 2019 server to a domain controller requires installing the Active Directory Domain Services role and running the domain controller promotion wizard. First, ensure your server meets the requirements, including a static IP address, proper DNS configuration, and sufficient disk space. Install the AD DS role using Server Manager or PowerShell:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

After installation, run dcpromo through Server Manager’s notification area or use PowerShell:

# For a new forest
Install-ADDSForest

# For an existing domain
Install-ADDSDomainController

The wizard guides you through configuring the domain name, forest functional level, DNS options, and Directory Services Restore Mode password. Post-promotion, verify the domain controller is functioning correctly by checking Event Viewer logs and testing authentication. Always plan your Active Directory structure carefully before promotion, as changes become more complex once the domain controller is operational.
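The promotion steps above, carried through as one scripted run with the parameters the wizard would otherwise prompt for. This is an added example, not code from the original article: the forest name corp.example, the NetBIOS name CORP, the site name and the $newForest switch are placeholders you would replace with your own values.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the Windows Server 2019 machine being promoted.
# Placeholders: corp.example, CORP, Default-First-Site-Name, $newForest.
$newForest = $true            # $true = first DC of a new forest, $false = additional DC

# 1. Prerequisite check: static IPv4 address and a DNS server that can resolve the domain
#    (for an additional DC, point DNS at an existing DC before promotion)
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer

# 2. Install the role plus the management tools (ADUC, AD PowerShell module, DNS tools)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# The DSRM password is a break-glass credential: prompt for it, never hard-code it
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

if ($newForest) {
    # 3a. Validate the forest installation first; it reports problems without changing anything
    Test-ADDSForestInstallation -DomainName 'corp.example' `
        -SafeModeAdministratorPassword $dsrmPassword -InstallDns

    # WinThreshold is the Windows Server 2016 functional level, the highest available on 2019
    Install-ADDSForest `
        -DomainName 'corp.example' `
        -DomainNetbiosName 'CORP' `
        -ForestMode 'WinThreshold' `
        -DomainMode 'WinThreshold' `
        -InstallDns `
        -SafeModeAdministratorPassword $dsrmPassword `
        -DatabasePath 'C:\Windows\NTDS' `
        -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -NoRebootOnCompletion `
        -Force
}
else {
    # 3b. Additional DC in an existing domain: promotion needs Domain Admin credentials
    $cred = Get-Credential -Message 'Domain Admin account used for promotion'
    Test-ADDSDomainControllerInstallation -DomainName 'corp.example' -Credential $cred `
        -SafeModeAdministratorPassword $dsrmPassword -InstallDns

    Install-ADDSDomainController `
        -DomainName 'corp.example' `
        -Credential $cred `
        -SiteName 'Default-First-Site-Name' `
        -InstallDns `
        -SafeModeAdministratorPassword $dsrmPassword `
        -NoRebootOnCompletion `
        -Force
}

Restart-Computer

# 4. After the reboot: confirm the DC advertises, replicates and logged no errors
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
dcdiag /test:Advertising /test:Replications /test:Services
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

The Test-ADDS* cmdlets run the same prerequisite checks the wizard performs and are worth running on their own before committing to the change. -NoRebootOnCompletion lets you read the promotion output before the mandatory restart; the verification block is what the "check Event Viewer logs and test authentication" advice above looks like in practice.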

How many domain controllers do I need for a small office?

Small offices typically need at least two domain controllers for redundancy and fault tolerance, even with as few as 85 users across multiple locations. The rule of thumb is one domain controller per site plus one additional for backup, but this depends on your specific requirements. For organizations with 85 users and 4 offices, consider placing one domain controller at your main site and additional domain controllers at remote sites with slow WAN connections or many users. A hub-and-spoke topology with two domain controllers at the main office and Read-Only Domain Controllers (RODCs) at smaller remote sites often provides the best balance of performance and security. Remember that domain controllers handle authentication requests, so users experience login delays when connecting to remote domain controllers over slow network links. Plan for growth and consider that domain controller placement directly impacts user experience and network security.
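The hub-and-spoke layout described above, expressed as the site, subnet and RODC configuration an administrator would create from the main office. This is an added example, not code from the original article; the site names, subnets, domain name, RODC name and group names are placeholders.

```powershell
# Added example (not from the original article): hub site at HQ, one branch with an RODC.
# Placeholders: corp.example, HQ, Branch-North, 10.10.0.0/16, 10.20.0.0/24,
#               BR-RODC01, BranchNorth-Admins, BranchNorth-Users, Tier0-ServiceAccounts.
Import-Module ActiveDirectory

# Sites and subnets are what make a client pick the "near" DC, so branch users
# authenticate locally instead of over the slow WAN link.
New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch-North'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-North'

# Site link over the WAN: replicate every 180 minutes rather than the default 15 (hypothetical values)
New-ADReplicationSiteLink -Name 'HQ-BranchNorth' -SitesIncluded 'HQ', 'Branch-North' `
    -Cost 100 -ReplicationFrequencyInMinutes 180

# Pre-stage the RODC computer account from HQ. A delegated branch admin can then finish
# the promotion on site without holding Domain Admin rights.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'BR-RODC01' `
    -DomainName 'corp.example' `
    -SiteName 'Branch-North' `
    -DelegatedAdministratorAccountName 'CORP\BranchNorth-Admins'

# Password Replication Policy: the RODC may cache only branch users' secrets.
# Domain Admins and the other built-in privileged groups are denied by default;
# add any custom high-privilege group explicitly.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'BR-RODC01' -AllowedList 'BranchNorth-Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'BR-RODC01' -DeniedList 'Tier0-ServiceAccounts'

# Review which accounts actually have secrets cached on the RODC; this is the set you
# would reset if the branch closet were ever compromised.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BR-RODC01' -RevealedAccounts |
    Select-Object Name, SamAccountName
```

The RODC is the part that makes "DCs in insecure computer closets" tolerable: it holds no writable copy of the directory and caches only the credentials its Password Replication Policy allows, so the blast radius of a stolen branch server is the revealed-accounts list rather than the whole domain.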

How to demote a domain controller?

Demoting a domain controller requires careful planning to avoid disrupting authentication services, and any FSMO roles the server holds must be transferred first. Start by identifying whether the domain controller holds any FSMO roles:

netdom query fsmo

Transfer them to another domain controller if necessary. Ensure you have at least one other functioning domain controller in the domain before proceeding. Use Server Manager’s Remove Roles and Features wizard or PowerShell:

Uninstall-ADDSDomainController

The process removes Active Directory data, demotes the server to member server status, and updates DNS records. During demotion, specify a local administrator password for the server’s post-demotion state. Verify the demotion completed successfully by checking that the server no longer appears in Active Directory Sites and Services and that remaining domain controllers can authenticate users properly. Plan this process during maintenance windows as it temporarily affects replication.
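The demotion sequence above as a scripted run: check the roles, transfer them, confirm a surviving DC, demote, then verify. This is an added example, not code from the original article; DC1 (surviving) and DC2 (retiring) are placeholder names.

```powershell
# Added example (not from the original article). Placeholders: DC1 (stays), DC2 (retiring).
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$retiring = 'DC2'
$target   = 'DC1'

# 1. Which FSMO roles does the retiring DC hold? (PowerShell equivalent of netdom query fsmo)
$dc = Get-ADDomainController -Identity $retiring
$dc.OperationMasterRoles

# 2. Transfer (not seize) every role it holds to the surviving DC. Seizing is only for a
#    DC that is permanently gone; a transfer keeps both sides consistent.
if ($dc.OperationMasterRoles.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole $dc.OperationMasterRoles -Confirm:$false
}

# 3. Confirm at least one other writable DC exists and replication is clean before removing this one
Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object HostName, Site
repadmin /replsummary

# 4. On DC2 itself: run the prerequisite check, then demote. The password set here becomes
#    the local Administrator password of the member server after demotion.
$localAdmin = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdmin
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -Force
# -ForceRemoval and -DemoteOperationMasterRole exist for the last-resort case where the
# domain cannot be contacted; they leave metadata behind that must be cleaned up by hand.

# 5. After the reboot, from DC1: the retiring server should be gone from the DC list and
#    from Sites and Services, and the survivors should still authenticate.
Get-ADDomainController -Filter * | Select-Object HostName, Site
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Filter { Name -eq $retiring } -SearchBase $sitesDn -SearchScope Subtree   # expect no output
```

Steps 1 to 3 can run from any administrative workstation with the AD module; step 4 runs on the server being demoted. The check in step 5 covers the "no longer appears in Active Directory Sites and Services" verification from the text.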

What does a domain controller do?

A domain controller serves as the central authority for network authentication, authorization, and directory services in a Windows domain environment. It authenticates user credentials when people log into domain-joined computers, determines what resources users can access based on their identity and group memberships, and enforces security policies across the network. Domain controllers also replicate Active Directory data with other domain controllers to ensure consistency and availability, handle DNS services for domain name resolution, and manage Group Policy distribution to ensure consistent configuration across all domain computers. Beyond basic authentication, domain controllers provide audit logging of user activities, support single sign-on functionality, and enable centralized management of user accounts and computer objects. This centralized identity management creates the foundation for implementing least privilege access controls and monitoring user behavior to detect potential security threats before they become breaches.
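The audit-logging role mentioned above is only useful if someone reads the log. The following added example (not code from the original article) summarises failed authentication recorded on a domain controller's Security log over the last 24 hours, using the Kerberos, NTLM, logon and lockout event IDs. It assumes the corresponding audit subcategories (Kerberos Authentication Service, Credential Validation, Logon, User Account Management) are enabled; the time window and result counts are parameters you would tune.

```powershell
# Added example (not from the original article). Run on a DC with the Security log readable.
# Event IDs: 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation,
#            4625 failed logon, 4740 account locked out (logged on the PDC emulator).
function Get-DcAuthFailureSummary {
    param([int]$Hours = 24, [int]$Top = 10)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771, 4776, 4740; StartTime = $since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the EventData fields out of the event XML into a name -> value table
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            4625 { $account = $data['TargetUserName']; $source = $data['IpAddress'];        $reason = $data['Status'] }
            4771 { $account = $data['TargetUserName']; $source = $data['IpAddress'];        $reason = $data['Status'] }
            4776 { $account = $data['TargetUserName']; $source = $data['Workstation'];      $reason = $data['Status'] }
            4740 { $account = $data['TargetUserName']; $source = $data['TargetDomainName']; $reason = 'lockout' }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $account; Source = $source; Reason = $reason }
    }

    # 4776 is logged for successes too (Status 0x0); keep only the failures
    $failures = $rows | Where-Object { -not ($_.Id -eq 4776 -and $_.Reason -eq '0x0') }

    # Two views: one account failing from many sources, or many accounts failing from one
    # source, are the patterns worth a second look before they turn into lockouts.
    [pscustomobject]@{
        ByAccount = $failures | Group-Object Account | Sort-Object Count -Descending |
                    Select-Object -First $Top Count, Name
        BySource  = $failures | Group-Object Source  | Sort-Object Count -Descending |
                    Select-Object -First $Top Count, Name
        Lockouts  = $failures | Where-Object Id -eq 4740 | Select-Object Time, Account, Source
    }
}

$summary = Get-DcAuthFailureSummary -Hours 24
$summary.ByAccount | Format-Table -AutoSize
$summary.BySource  | Format-Table -AutoSize
$summary.Lockouts  | Format-Table -AutoSize
```

Kerberos failures (4771) and NTLM failures (4776) land on whichever DC handled the request, so in a multi-DC domain run this on each DC or forward the Security logs to a central collector; lockout events (4740) are always written on the PDC emulator.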

Expert in Microsoft infrastructure and cloud-based solutions built around Windows, Active Directory, Azure, Microsoft Exchange, System Center, virtualization, and MDOP. In addition to authoring books, Brian writes training content, white papers, and is a technical reviewer on a large number of books and publications.