Let’s talk about Domain Controllers.
Intro to Domain Controllers
Domain Controllers are the servers that run Active Directory. They authenticate users logging in, hold information on many different settings, and store the majority of the Exchange configuration, among many other things. They are critical to most organizations: if every domain controller in an organization fails, the organization is effectively dead in the water.
This is a subject that admins in #windows-server (irc.freenode.net) go around and around on. At last check, the official Microsoft recommendation is domain.company.tld. However, many admins like to use domain.local or some other unresolvable TLD, myself included. My personal domain that I use for testing is escapedrabbit.local. Regardless of which naming convention you pick, using your public domain (company.com or company.net) as the AD domain name is generally frowned upon because of the DNS headaches you will run into.
Acronyms used for Domain Controllers
DC (Domain Controllers)
GC (Global Catalogs)
FSMO (Flexible Single Master Operations)
OM or OpMasters (Operation Masters)
A plain Domain Controller is just the base role. If a Domain Controller also holds additional roles (GC, FSMO), you don’t need to say it is a DC, since that’s implied.
Global Catalogs are Domain Controllers that serve several additional purposes, the most important being logins. Every site should have at least one. If you have a really busy site, additional Global Catalogs should be deployed. All Global Catalogs are Domain Controllers.
FSMO and OpMasters (interchangeable terms) are a set of roles that only a single server may perform at a time. They are not used by Active Directory on a daily basis, but they are still critical roles that must be filled. With the exception of the PDC Emulator role, none of them have anything to do with clients, and even the PDC Emulator is rarely used by clients. By default they are held by the first DC in the forest/domain, but they can be transferred to another DC, or seized if the current FSMO holder has failed.
Once FSMO roles have been seized, the domain controller that previously hosted them can never be reintroduced into the domain. If you manage to recover the old FSMO server from its failure, don’t even plug it back into the network. If it’s only a DC, format and reinstall it. I cannot stress this enough. If you have to recover additional information from it, do not plug it into the network; use a USB hard drive or similar to pull the data off.
This Microsoft KB article explains the different roles and what each one does: http://support.microsoft.com/kb/324801
So which Domain Controller is in charge?!?!?
Often in #windows-server we get people talking about their primary/secondary domain controllers. Master/slave and even root/child have confused people into thinking the conversation was about domains rather than actual domain controllers. Starting with Windows 2000, Active Directory no longer works on the Primary/Backup Domain Controller concept. All Domain Controllers are peers, and apart from the FSMO roles they are all at the same level. Don’t use these terms. If you’re trying to refer to the FSMO holder, just say it’s the FSMO server.
So which server is updated when changes are made?
It depends on which DC your ADUC (Active Directory Users and Computers) console is connected to. Once a change is made on one DC, it is replicated to the rest of the domain.
DNS, or why it’s so important
DNS is critical to Active Directory operation. Clients use DNS extensively to look up and locate Domain Controllers and other servers. If your DNS becomes corrupt, you’re not going to be happy. In most cases, the best way to start fixing DNS issues is to make sure every Domain Controller listed in the Domain Controllers OU is correct (alive/pingable), then run “dcdiag /fix” on a domain controller. DNS should then be updated and replicated. This doesn’t fix everything, but it’s a good place to start.
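As an added example (not from the original post), here is a read-only health pass that ties the above together: it lists the FSMO role holders, checks every DC the domain knows about for reachability, GC status and site, and compares the DC SRV record clients use against the DCs that actually answer, which is the precondition the post gives for running dcdiag /fix. It assumes the RSAT ActiveDirectory module and a domain-joined admin session; it changes nothing in AD or DNS.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module is installed and the session is domain-joined. Read-only: no AD/DNS changes.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO / OpMaster role holders (exactly one server per role).
$fsmo = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
"FSMO role holders for $($domain.DNSRoot):"
$fsmo.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }

# 2. Every DC the domain knows about: site, GC flag, reachability, FSMO roles.
#    A DC that is listed here but not reachable is the usual source of DNS pain.
$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName
$report = foreach ($dc in $dcs) {
    [pscustomobject]@{
        HostName  = [string]$dc.HostName
        Site      = $dc.Site
        IsGC      = $dc.IsGlobalCatalog
        Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
        FsmoRoles = ($dc.OperationMasterRoles -join ',')
    }
}
$report | Format-Table -AutoSize

# 3. Sites without a Global Catalog: logins there depend on a GC in another site.
$report | Group-Object Site |
    Where-Object { -not ($_.Group.IsGC -contains $true) } |
    ForEach-Object { "WARNING: site '$($_.Name)' has no Global Catalog" }

# 4. DNS: the SRV record clients use to find DCs should only point at live DCs.
#    Stale entries here are what "dcdiag /fix" is meant to clean up.
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$srv  = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'SRV' }
$live = $report | Where-Object Reachable | ForEach-Object { $_.HostName.ToLower() }
foreach ($r in $srv) {
    $target = $r.NameTarget.TrimEnd('.').ToLower()
    if ($live -notcontains $target) {
        "WARNING: $srvName still advertises '$target', which is not reachable"
    }
}
```

Run it before and after a dcdiag /fix; any DC that stays in the SRV warning list while remaining unreachable should be cleaned up (metadata cleanup) rather than left for clients to time out against.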