What is Domain Controler Server
A Domain Controller (DC) is a server in a Windows Server environment that is responsible for managing authentication and authorization within a domain. It serves as the backbone of a Windows-based network, specifically in environments using Active Directory (AD), which is Microsoft’s directory service. A Domain Controller holds the directory information, enforces security policies, and ensures that network resources are accessed by the correct users or systems based on their permissions.
What is a Domain Controller (DC)?
A Domain Controller is a server in a Windows network that manages user logins, security, and access to network reurces.
It’s the brain of an Active Directory (AD) environment.
👉 Example:
When you log in to a company computer, the Domain Controller checks your username & password and decides what files, printers, or servers you can use.
Main Functions of a Domain Controller?
User Authentication: Verifies usernames and passwords.
Authorization: Gives permission to use files, folders, or apps.
Centralized Management: Admins can manage all computers from one place.
Policy Enforcement: Applies security and group policies (GPOs).
Replication: Shares AD data with other domain controllers.
Types of Domain Controllers
| Type | Full Form | Description | Main Role |
|---|---|---|---|
| PDC | Primary Domain Controller | Original DC in old Windows NT systems (Now called PDC Emulator role in AD). | Handles password changes, time sync, and backward compatibility. |
| ADC | Additional Domain Controller | A backup Domain Controller that holds a copy of the AD database. | Provides redundancy and load sharing. |
| CDC | Child Domain Controller | Controller for a child domain under a parent domain. Example: sales.company.com under company.com. | Manages its own users and policies within that subdomain. |
| RODC | Read-Only Domain Controller | Domain Controller with a read-only copy of AD. | Used in branch offices for security — can authenticate users but cannot make changes. |
Example Use Case
Head Office (Main Server Room)
PDC → Main authentication & time synchronization
ADC → Backup and load balancing
Branch Office (Remote Location)
RODC → Local authentication (faster login, more secure)
Department Domain
CDC → For departments like HR or Sales that need separate management
saikatinfotech.com
│
├── PDC (Head Office)
│ – Master DC (authenticates users, manages policies)
│
├── ADC (Backup)
│ – Shares and replicates AD data from PDC
│
├── CDC (Child Domain Controller)
│ – Manages child domain: sales.company.com
│
└── RODC (Branch Office)
– Authenticates local users, no write access to AD
PDC, ADC, CDC, GCDC and RODC
What is a PDC Server?
PDC (Primary Domain Controller) is the main server in a Windows domain that manages and controls all user accounts, passwords, and security settings within the Active Directory (AD) environment.
It is the leader or master controller among all domain controllers.
Main Work of PDC Server
User Authentication:
Checks and approves usernames & passwords when users log in.Password Management:
Handles password changes — if users update passwords, PDC processes them first.Time Synchronization:
Works as the time master — all computers and other domain controllers sync their time with the PDC.Group Policy Management:
PDC applies and manages Group Policies (GPOs) for all computers and users in the domain.Replication Control:
Shares updated AD data with other domain controllers (like ADCs).
Example
Suppose your company domain is company.com.
When any employee logs in:
The PDC server checks their username and password.
It decides if they are allowed to access files, printers, or applications.
It updates any new password or policy changes.
PDC in a Domain Setup Example?
company.com
│
├── PDC → Main Domain Controller (Head Office)
├── ADC → Backup Domain Controller
├── CDC → Child Domain Controller (sales.company.com)
└── RODC → Read-only DC (Branch Office)
Advantages of a PDC Server?
Centralized control over all users and computers.
High security and easy management.
Supports multiple DCs (ADC, CDC, RODC).
Ensures smooth login and authentication process.
In short:
PDC Server = Main Domain Controller that handles authentication, passwords, policies, and time management for all computers in a Windows domain.
What is an ADC Server?
ADC stands for Additional Domain Controller.
It is a secondary or backup domain controller in a Windows Active Directory (AD) network.
The ADC has the same copy of the Active Directory database as the main server (PDC or DC).
If the main Domain Controller fails, the ADC can continue authentication and management, so the network keeps running smoothly.
Main Work / Functions of ADC Server
Backup of Active Directory Database:
The ADC keeps an exact replica of the Active Directory (AD) from the main Domain Controller.
It updates automatically through replication.User Login & Authentication:
If the main DC (PDC) is busy or goes down, the ADC authenticates user logins and provides access to network resources.Load Balancing:
In large networks, both PDC and ADC share the login and authentication workload — making the system faster and more reliable.High Availability / Redundancy:
Ensures continuous operation of the network even if the main DC fails — no downtime for users.Replication Management:
The ADC constantly syncs and updates its data from the main DC using replication services, so both always have the latest information.
Example Scenario
Your company has one main PDC (Primary Domain Controller) and one ADC.
When users log in, sometimes the PDC authenticates them.
If the PDC is down or under maintenance, the ADC automatically takes over.
Users can still log in and access files — no interruption in service.
When the PDC comes back, data syncs automatically.
company.com
│
├── PDC → Main Domain Controller (Handles main AD operations)
└── ADC → Backup / Secondary Domain Controller (Replicates AD data)
Advantages of ADC Server?
| Benefit | Description |
|---|---|
| High Availability | Keeps the domain working even if PDC fails. |
| Load Sharing | Helps share user login requests. |
| Data Redundancy | Keeps a synced copy of Active Directory. |
| Faster Logins | Reduces load on the main DC for large networks. |
| Improved Reliability | Network doesn’t stop during maintenance or failure. |
Simple Definition:
👉 An ADC Server is a backup domain controller that keeps a copy of the Active Directory from the main DC, helps with authentication, and ensures the network keeps running even if the main DC fails.
What is a CDC Server?
CDC stands for Child Domain Controller.
It is a Domain Controller (DC) that manages a child domain — a sub-domain under a main (parent) domain in a Windows Active Directory (AD) network.
👉 In simple terms:
A CDC controls and manages users, computers, and resources of its own subdomain, while still being connected to the main domain.
Example of Parent and Child Domains
Parent Domain:
company.comChild Domains:
sales.company.comhr.company.comit.company.com
Each of these child domains can have its own Child Domain Controller (CDC) to manage that department or branch.
Work / Function of a CDC
Manages Local Users and Computers:
Each child domain has its own users, groups, and computers.
The CDC handles logins and policies for that specific child domain.Local Authentication:
When a user fromsales.company.comlogs in, the Sales CDC authenticates them locally — no need to contact the main DC every time.Policy and Resource Control:
The CDC applies its own Group Policies for the child domain, while still following global rules from the parent domain.Replication with Parent DC:
The CDC syncs data with the parent domain’s controller to keep everything updated.Delegated Administration:
Each department or branch can have its own admin team to manage local users and resources without affecting the parent domain.
What is a GCDC Server?
GCDC stands for Global Catalog Domain Controller.
It is a special type of Domain Controller (DC) that holds a Global Catalog (GC) — a readable copy of all objects (like users, groups, computers) from every domain in the entire Active Directory Forest.
👉 In simple words:
A GCDC stores important information from all domains, not just one — so users anywhere in the network can find and log in quickly.
Main Work / Function of a GCDC Server
Stores Global Catalog Data:
Keeps a partial, read-only list of all objects (users, computers, groups) from every domain in the AD forest.
Helps locate resources across domains quickly.
Supports Universal Group Membership:
During login, a GCDC verifies universal group membership (groups that exist across multiple domains).
Faster Logins in Multi-Domain Networks:
When a user logs in, the GCDC quickly checks user information and group membership even if the user belongs to another domain.
Improves Search Performance:
Allows users or applications to search for objects (like users, printers, or computers) anywhere in the forest without contacting every domain controller.
Fault Tolerance:
If one GCDC goes down, another can respond — improving reliability.
Simple Definition:
👉 A GCDC (Global Catalog Domain Controller) is a special domain controller that stores a partial copy of all directory objects from every domain in the forest — allowing fast user logins, quick searches, and efficient cross-domain access.
What is RODC (Read-Only Domain Controller)?
RODC stands for Read-Only Domain Controller.
It is a special type of Domain Controller used in remote or branch offices where physical security or network reliability is limited.
👉 In simple terms:
A RODC has a read-only copy of the Active Directory (AD) database.
It can authenticate users locally, but cannot make changes to the AD.
Main Work / Function of RODC
Read-Only Active Directory Database:
The RODC keeps a copy of the AD database but cannot modify it.
All changes (like password updates, new users) can only be made on a writable DC (like the PDC or ADC).
Local Authentication:
Authenticates users locally at the branch site for faster login.
If the user’s password is not cached, the RODC contacts the main DC to verify it.
Improved Security:
Because it’s read-only, if the RODC is stolen or hacked, the attacker cannot change or damage the AD database.
Password Caching:
The RODC can store (cache) only selected user passwords — usually for local staff.
Admins can choose which accounts are allowed for caching.
Replication from Main DC:
The RODC replicates data one-way from the main DC (PDC or ADC).
It does not replicate data back, ensuring higher security.
Why We Need RODC?
| Reason | Description |
|---|---|
| Security in Remote Sites | Protects AD data in locations that are not physically secure. |
| Fast Login | Users at remote sites can log in without always contacting the main DC. |
| Low Bandwidth Support | Works efficiently even over slow WAN connections. |
| Limited Admin Rights | Local administrators can manage servers without full domain privileges. |
RODC in a Network Example?
company.com
│
├── PDC → Main DC (Writable)
├── ADC → Backup DC
└── RODC → Branch Office (Read-Only Copy)
Key Features Comparison
| Feature | PDC/ADC (Writable DC) | RODC (Read-Only DC) |
|---|---|---|
| AD Database Type | Read & Write | Read-Only |
| Password Storage | All users | Selected users (optional) |
| Data Replication | Two-way | One-way (from main DC only) |
| Security Risk if Stolen | High | Very Low |
| Ideal Use | Main office | Branch / Remote office |
👉 A RODC (Read-Only Domain Controller) is a secure domain controller that stores a read-only copy of the Active Directory database, used mainly in branch offices to provide fast local logins and protect AD data from tampering or theft.
Where to Deploy an RODC Server
You should deploy an RODC in remote, branch, or less-secure locations —
not in the main data center or head office.
Ideal Places to Deploy RODC
| Location | Reason |
|---|---|
| 🏬 Branch Offices / Remote Sites | Local users can log in faster without contacting the main DC. |
| 🏫 Small Offices or Departments | Limited IT staff — RODC provides AD services with low risk. |
| 🌍 Locations with Low Bandwidth | RODC reduces network traffic by authenticating locally. |
| 🔒 Physically Insecure Sites | If someone steals the server, they can’t modify AD data. |
| 🏗️ Temporary Project Sites | Easy to deploy, secure, and low-maintenance for short-term operations. |
Why Deploy RODC There?
Security Protection:
Since RODC holds a read-only AD copy, even if stolen, it cannot change or damage Active Directory data.Fast Local Logins:
Users in remote sites log in faster because the RODC authenticates them locally.Limited Password Caching:
You can choose whose passwords are stored — ideal for local employees only.Low Network Dependency:
Works even if the WAN link to headquarters is slow or temporarily down.Limited Administration Rights:
Local IT staff can manage the RODC server without full AD domain admin access.
Example Scenario?
Head Office (Main Data Center)
│
├── PDC → Primary Domain Controller (Writable)
├── ADC → Backup Domain Controller
│
└── Branch Office
└── RODC → Read-Only Domain Controller
↳ Authenticates local users
↳ Replicates AD data (one-way) from Head Office
In this example:
The Head Office manages AD updates and password changes.
The Branch Office has an RODC to handle logins locally and securely.
Best Practices for Deploying RODC?
Place it behind a firewall in remote locations.
Enable password caching only for local users who need offline login.
Use strong physical security (lock the server room).
Configure read-only DNS on the RODC for faster local name resolution.
Regularly monitor replication health between RODC and main DC.
PDC, ADC, CDC,and RODC Slide PPT
