Active Directory Physical Structure

Domain Controllers

Of course, you can’t have a domain without at least one domain controller, since this is where the Active Directory database is stored. Unlike Windows NT, which had only one writable copy of the domain database (stored on the PDC), in Windows 2000 every domain controller has a writable copy of the Active Directory database. As such, all domain controllers in an Active Directory environment are more or less equal. This makes things more complex however, since any domain controller can make an update, instead of everything being done on one system. As in NT 4, you should have at least two domain controllers in a domain for the purpose of redundancy, and usually many more, depending on the size of the organization.

You create a domain controller in Windows 2000 by running the Active Directory Installation Wizard, dcpromo.exe. This tool not only allows you to create new domain controllers, but also new domains, trees, and forests. It will also allow you to change a domain controller back into a member server if you change your mind.

After a domain controller is created, it will hold a copy of the Active Directory database (ntds.dit), and will be capable of authenticating users from that domain. The Active Directory database is actually made up of what is referred to as 3 partitions, as outlined below:

Figure: Active Directory database partitions

The domain partition is replicated amongst domain controllers in the same domain only, while the configuration and schema partitions get replicated to every single domain controller in the entire forest.

Although I will get into this in much more detail later in the series, you should be aware that some domain controllers differ from others in terms of special roles that they can hold. I have briefly outlined the basics of each role below:

Global Catalog Server – A global catalog server is a domain controller that knows about every single object that exists within Active Directory, from all domains. However, it stores only a subset of the attributes of every object, those that are considered most important. By default only one domain controller in the entire forest carries this role – the first domain controller created in the forest. More global catalog servers can (and should) be created throughout the forest. If a domain controller were acting as a global catalog server, then it would have a fourth partition as part of its Active Directory database – the Global Catalog partition.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.