6.1.1.3.1 Domain Controller Object
In AD DS, each normal (not read-only) DC in a domain has a domain controller object in its default NC. The DC's domain controller object is the DC's computer object (subject to the computer object constraints specified in [MS-SAMR] sections 3.1.1.6 and 3.1.1.8) with additional requirements as described in this section.
An AD DS RODC has a read-only domain controller object as specified in section 6.1.1.3.2. An AD LDS DC does not have a domain controller object.
userAccountControl: {ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION}
primaryGroupID: Contains the value 516.
This attribute is populated by the system during creation of the DC corresponding to the DC object. The primary group of a DC object is the domain-relative well-known Domain Controllers security group. Therefore, the primaryGroupID attribute of a DC object equals the RID of the Domain Controllers security group, 516.
servicePrincipalName: This attribute contains all of the SPNs (2) for a normal (not read-only) DC, as specified in [MS-DRSR] section 2.2.2.
dNSHostName: Fully qualified DNS name of the DC.
msDS-AdditionalDnsHostName: Additional DNS names by which the DC can be identified.
objectCategory: Contains the distinguished name of the classSchema object for the computer class. This is the value of the defaultObjectCategory attribute of the computer class.
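The attribute requirements above can be checked together to spot computer objects that carry only part of a DC's identity, which is worth investigating in a directory audit. The following is an added example, not part of the specification: it assumes each object has already been exported as a dictionary of attribute values, and the function name, sample records and example.test names are constructed for illustration.

```python
# Added example: consistency audit of exported computer objects against the
# domain controller object requirements listed in this section.
ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
DC_PRIMARY_GROUP_RID = 516  # Domain Controllers group, per this section


def audit_dc_object(entry):
    """Return a list of deviations; an empty list means the entry is
    consistent (a well-formed DC object, or not a DC object at all)."""
    uac = int(entry.get("userAccountControl", 0))
    pgid = int(entry.get("primaryGroupID", 0))
    has_trust = bool(uac & ADS_UF_SERVER_TRUST_ACCOUNT)
    in_dc_group = pgid == DC_PRIMARY_GROUP_RID
    if not has_trust and not in_dc_group:
        return []  # ordinary computer object, outside this section's scope
    findings = []
    if has_trust and not in_dc_group:
        findings.append("SERVER_TRUST_ACCOUNT set but primaryGroupID is %d" % pgid)
    if in_dc_group and not has_trust:
        findings.append("primaryGroupID 516 without SERVER_TRUST_ACCOUNT")
    if has_trust and not (uac & ADS_UF_TRUSTED_FOR_DELEGATION):
        findings.append("TRUSTED_FOR_DELEGATION missing")
    host = entry.get("dNSHostName", "")
    if "." not in host.strip("."):
        findings.append("dNSHostName is not a fully qualified name")
    if not entry.get("servicePrincipalName"):
        findings.append("no servicePrincipalName values")
    # Assumption: the computer classSchema object has RDN CN=Computer.
    if not entry.get("objectCategory", "").lower().startswith("cn=computer,"):
        findings.append("objectCategory is not the computer class")
    return findings


# Constructed sample records (not real directory data).
SCHEMA = "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=test"
SAMPLES = {
    "DC01": {"userAccountControl": 0x82000, "primaryGroupID": 516,
             "dNSHostName": "dc01.example.test", "objectCategory": SCHEMA,
             "servicePrincipalName": ["ldap/dc01.example.test"]},
    "WS07": {"userAccountControl": 0x2000, "primaryGroupID": 515,
             "dNSHostName": "ws07.example.test", "objectCategory": SCHEMA,
             "servicePrincipalName": ["HOST/ws07.example.test"]},
    "WS08": {"userAccountControl": 0x1000, "primaryGroupID": 515,
             "dNSHostName": "ws08.example.test", "objectCategory": SCHEMA},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, audit_dc_object(entry) or "consistent")
```

Read-only domain controller objects (section 6.1.1.3.2) have different requirements and are treated as out of scope by this check.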