This article explains what a domain controller is and what it is used for in an Active Directory forest made up of trees, domains, sites and organizational units.
Domain and domain controller are Microsoft proprietary concepts, so throughout this article we refer to Microsoft Windows client and server operating systems, their users, and their resources.
What is a Domain?
Numerous interconnected client and server computers, as well as user accounts, are commonly grouped together into a logical unit called a domain. Shared objects such as printers also belong to a domain.
Since Windows 2000, domains belong to an Active Directory (AD) forest, a hierarchical structure of the Microsoft computers in an organization. Active Directory was devised to serve the computing needs of large and geographically dispersed organizations. A forest is made up of trees, each of which is a container for one or more domains, and the domains themselves.
In an AD domain, user accounts and computers are objects dubbed security principals; the shared objects are called resources. These objects belong to a domain, but can optionally be grouped into organizational units (OUs) for administration purposes.
Domains and OUs usually reflect the logical structure of an organization (e.g. sales), not its geographic layout. Geography is accounted for by the AD concept of sites, explained below.
The Role of Domain Controller
A domain controller is a server that hosts the AD database, which contains entries for all objects in the domain. A domain controller knows which security principal has access to which resources, and at which privilege level. Once a user has signed on to the domain, the domain controller manages access to all resources silently in the background, applying the single sign-on principle and pass-through authentication.
When a client requests access to a certain resource, the domain controller checks its database for a corresponding entry of privileges. If a matching entry exists, the DC grants an access token. Otherwise, access to the resource is denied.
Every organization must have at least one domain controller in the AD forest, but it is common to have at least a second server configured as a domain controller to allow for uninterrupted service. Their databases are replicated automatically. In particular, when domains are organized into sites (e.g. America and Europe), it is important that each site has at least one domain controller, otherwise authentication traffic must travel across the Atlantic, which results in lag.
The topology of an AD forest, including its domains and OUs, largely depends on the size and structure of the organization under consideration. AD is very scalable, both upwards and downwards. For a user belonging to an AD domain, the work of the domain controllers is transparent, whereas for administrators, managing the forest and all the configuration options in its trees, domains, sites and OUs can be challenging.
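The per-site requirement above is something an administrator can verify directly. The following script is an added example, not part of the original article: it lists the domain controllers of every domain in the forest grouped by AD site, and flags sites that have no DC at all or only one. It assumes the RSAT ActiveDirectory module is installed and the session runs under a domain-joined account with read access to the directory.

```powershell
# Added example (not from the original article): inventory the domain
# controllers of the current forest, group them by AD site, and flag any
# site that has no DC of its own, since clients in such a site must
# authenticate against a DC in another site over the WAN.
# Assumes the RSAT ActiveDirectory module and a domain-joined account.
Import-Module ActiveDirectory

$forest = Get-ADForest
$sites  = Get-ADReplicationSite -Filter *         # every site in the forest
$dcs    = foreach ($domain in $forest.Domains) {  # every DC in every domain
    Get-ADDomainController -Filter * -Server $domain
}

# Group the DCs by the site each one is placed in
$dcsBySite = $dcs | Group-Object -Property Site

"Domain controllers per site:"
foreach ($group in $dcsBySite | Sort-Object Name) {
    $names = ($group.Group | Sort-Object HostName).HostName -join ', '
    "  {0,-20} {1,2} DC(s): {2}" -f $group.Name, $group.Count, $names
}

# Sites with no DC: their authentication traffic leaves the site
$siteless = $sites | Where-Object { $_.Name -notin $dcsBySite.Name }
if ($siteless) {
    "Sites without a domain controller (authentication crosses site links):"
    $siteless | ForEach-Object { "  $($_.Name)" }
}

# Sites with a single DC: no local fallback if that one server goes down
$single = $dcsBySite | Where-Object { $_.Count -eq 1 }
if ($single) {
    "Sites with only one domain controller (no local redundancy):"
    $single | ForEach-Object { "  $($_.Name)" }
}
```

A site that only holds subnets with no member computers may legitimately have no DC, so treat the output as a list of candidates to review rather than a list of faults.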
Domain Controller in a Nutshell
Definition of a Domain Controller: A domain controller is a specialized computer in a Microsoft Active Directory forest that authenticates users and computers and manages access to resources.
Legacy Domain Controllers: Until Windows 2000, domain controllers were known as the Primary Domain Controller (PDC) and one or more Backup Domain Controllers (BDCs).