Domain controllers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you create the first domain controller in your organization, you are also creating the first domain, the first forest, the first site, and installing Active Directory. Domain controllers running Windows Server 2003 store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches. Domain controllers are created by using the Active Directory Installation Wizard. For more information, see Using the Active Directory Installation Wizard.

  • You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.

When using domain controllers in your organization, you will want to consider how many domain controllers you need, the physical security of those domain controllers, a plan for backing up the domain data, and how to upgrade domain controllers.

Determining the number of domain controllers you need

A small organization using a single local area network (LAN) might need only one domain with two domain controllers for high availability and fault tolerance. A larger organization with many network locations will need one or more domain controllers in each site to provide high availability and fault tolerance.

If your network is divided into sites, it is often good practice to put at least one domain controller in each site to enhance network performance. When users log on to the network, a domain controller must be contacted as part of the logon process. If clients must connect to a domain controller located in a different site, the logon process can take a long time. For more information, see Replication between sites.

By creating a domain controller in each site, user logons are processed more efficiently within the site. For information about how to create additional domain controllers, see Create an additional domain controller.

To optimize network traffic, you can also configure domain controllers to receive directory replication updates only during off-peak hours. For information about how to schedule site replication, see Configure site link replication availability.

The best network performance is available when the domain controller at a site is also a global catalog. This way, the server can fulfill queries about objects in the entire forest. However, enabling many domain controllers as global catalogs can increase the replication traffic on your network. For more information about the global catalog, see The role of the global catalog. For more information about adding global catalogs to sites, see Global catalogs and sites.

In domains with more than one domain controller, do not enable the domain controller holding the infrastructure master role as a global catalog. For more information, see Operations master roles.
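As an added example (not part of the original article), the following batch file uses the Windows Server 2003 dsquery.exe tool to list the domain controllers in each site and the global catalogs in the forest, and then checks the rule above: in a domain with more than one domain controller, the infrastructure master should not be a global catalog. It assumes a domain-joined computer with the directory service command-line tools installed and an account that can read the configuration partition.

```batch
@echo off
REM Added example, not from the original article: inventory the domain controllers
REM in each site and check the rule that in a multi-DC domain the infrastructure
REM master is not a global catalog, using the Windows Server 2003 dsquery.exe tool.
REM Assumes a domain-joined machine with the directory service command-line tools
REM and an account allowed to read the configuration partition.
setlocal enabledelayedexpansion

echo === Domain controllers per site (a site with no entries has no local DC) ===
for /f "delims=" %%S in ('dsquery site -o rdn -limit 0') do (
    echo Site %%~S:
    dsquery server -site %%S -o rdn -limit 0
)

echo.
echo === Global catalog servers in the forest ===
dsquery server -forest -isgc -o rdn -limit 0

REM Count the domain controllers in the current domain.
set NDC=0
for /f "delims=" %%D in ('dsquery server -o rdn -limit 0') do set /a NDC+=1

REM Find the infrastructure master of the current domain (strip surrounding quotes).
set INFR=
for /f "delims=" %%I in ('dsquery server -hasfsmo infr -o rdn') do set INFR=%%~I

REM Is that server also in the list of global catalogs?
set ISGC=0
for /f "delims=" %%G in ('dsquery server -forest -isgc -o rdn -limit 0') do (
    if /i "%%~G"=="!INFR!" set ISGC=1
)

echo.
if !NDC! gtr 1 if !ISGC! equ 1 (
    echo WARNING: infrastructure master !INFR! is a global catalog in a domain with !NDC! DCs.
    exit /b 1
)
echo OK: infrastructure master !INFR! ^(domain has !NDC! DCs^) does not violate the rule.
endlocal
```

A site that appears with no servers under it has no local domain controller, which is the condition the section says slows down logons for users in that site.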

Physical security

Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. For this reason, it is recommended that all domain controllers in your organization be locked in a secured room with limited public access. You can use additional security measures such as Syskey for extra protection on domain controllers. For more information about Syskey, see The system key utility.

Backing up domain controllers

You can back up domain directory partition data and data from other directory partitions by using Backup, which is included with the Windows Server 2003 family, from any domain controller in a domain. By using the backup tool on a domain controller, you can:

  • Back up Active Directory while the domain controller is online.

  • Back up Active Directory using batch file commands.

  • Back up Active Directory to removable media, an available network drive, or a file.

  • Back up other system and data files.

When you use the backup tool on a domain controller, it automatically backs up all of the system components and all of the distributed services upon which Active Directory depends. This dependent data, which includes Active Directory, is known collectively as the System State data.

On a domain controller running Windows Server 2003, the System State data consists of the system startup files; the system registry; the class registration database of COM+ (an extension to the Component Object Model); the SYSVOL directory; Certificate Services database (if installed); Domain Name System (if installed); Cluster service (if installed); and Active Directory. It is recommended that you regularly back up System State data.

For general information about the System State, see System State data. For more information about how to back up the System State, see Back up System State data. For more information about how to restore a System State backup, see Restore System State data.
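As an added example (not part of the original article), the following batch file performs the unattended System State backup this section describes, using ntbackup.exe (the Backup tool included with Windows Server 2003). It assumes D:\Backups as the target folder, an account that is a member of Backup Operators or Administrators, and the en-US date format for building the file name.

```batch
@echo off
REM Added example, not from the original article: an unattended System State
REM backup of a domain controller with ntbackup.exe (the Backup tool the article
REM refers to), suitable for running from a scheduled task.
REM Assumptions: D:\Backups is the target folder, the script runs as a member of
REM Backup Operators or Administrators, and %DATE% uses the en-US "Ddd MM/DD/YYYY" form.
setlocal

set TARGET=D:\Backups
set LOGFILE=%SystemRoot%\sysstate-backup.log
if not exist "%TARGET%" mkdir "%TARGET%"

REM Date stamp YYYYMMDD taken from %DATE% (adjust the offsets for other locales).
set STAMP=%DATE:~-4%%DATE:~4,2%%DATE:~7,2%
set BKF=%TARGET%\SystemState-%COMPUTERNAME%-%STAMP%.bkf

REM "backup systemstate" captures the components the article lists: registry,
REM startup files, COM+ class registration database, SYSVOL, Active Directory,
REM and the DNS and Certificate Services databases when they are installed.
REM   /M normal  full backup
REM   /V:yes     verify the data after it is written
REM   /R:yes     restrict access to the backup set to its owner and Administrators
REM   /L:s       summary log
ntbackup backup systemstate /J "System State %COMPUTERNAME% %STAMP%" /F "%BKF%" /M normal /V:yes /R:yes /L:s /D "Domain controller System State backup"

REM ntbackup is a GUI application, so check for the output file rather than
REM relying on an exit code.
if not exist "%BKF%" (
    echo %DATE% %TIME% FAILED: no backup file produced on %COMPUTERNAME% >> "%LOGFILE%"
    exit /b 1
)
echo %DATE% %TIME% OK: System State written to %BKF% >> "%LOGFILE%"

REM To schedule, e.g. nightly at 02:00 (replace the path and account as needed):
REM   schtasks /create /sc daily /st 02:00 /tn "SystemStateBackup" /tr "C:\Scripts\backup-sysstate.cmd" /ru DOMAIN\backupsvc /rp *
endlocal
```

Because the System State includes the Active Directory database, the .bkf file deserves the same physical and access controls as the domain controller itself.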

You can install Active Directory on a server running Windows Server 2003 by using a restored backup taken from a domain controller running Windows Server 2003. For more information, see Creating an additional domain controller.

Upgrading domain controllers

In a domain whose domain controllers run Windows NT 4.0, you must first upgrade the primary domain controller (PDC) to successfully upgrade the domain. Once the PDC has been upgraded, you can upgrade the backup domain controllers (BDCs). For more information, see Upgrading from a Windows NT domain.

If you currently have a Windows 2000 forest that does not have any domain controllers running Windows Server 2003, you will need to prepare the forest and the target domain before you can upgrade domain controllers running Windows 2000. For more information, see Upgrading from a Windows 2000 domain.