concept domain controller in category active directory

appears as: domain controller, domain controllers, The domain controller, A domain controller
Learn Active Directory Management in a Month of Lunches

This is an excerpt from Manning's book Learn Active Directory Management in a Month of Lunches.

  • Time synchronization within your Active Directory is important because the time stamp is used during the authentication process. If your PC’s time is more than five minutes different from the domain controller, your authentication attempt will be rejected (time zones are managed automatically, so don’t worry about them). The computer’s clock will drift over time. I’ve seen cases where it’s been wrong by hours. In those cases authentication wouldn’t be possible. Time synchronization overcomes these problems.
  • Chapter 12. Managing domain controllers

    Domain controllers are the most essential part of your Active Directory. Creating domain controllers was covered in detail in chapter 11, and this chapter shows how to manage them. It starts with discovering the domain controllers in your environment, and then covers testing their availability and the services they offer.

    The chapter then moves on to global catalogs—the extra piece of domain controller functionality that enables you to access a subset of the attributes of every object in the forest in every domain. The global catalog is essential for the correct functioning of a multi-domain forest and Exchange email servers. After learning how to find global catalogs, you’ll see techniques for promoting domain controllers to be global catalogs (as well as demoting them).

    In Active Directory all domain controllers are equal, but some roles (tasks) can only be performed by one domain controller at a time. These are the Flexible Single Master Operations (FSMO) roles. You need to know how to discover the FSMO role holders, what they do, and how to move the role between domain controllers. The chapter also includes a lab section.

    First up—how to discover the domain controllers in your environment.

    Don’t be tempted to move domain controllers out of this default OU. The Default Domain Controllers GPO is automatically applied to this OU, and some tools, such as dcdiag.exe, don’t work correctly if the domain controller is in another OU.

    The display in figure 12.1 shows the name of the domain controller and its type. In this case, both domain controllers are also global catalogs (see section 12.2). It’s also possible to use AD Sites and Services to discover domain controllers, as described in section 12.2.1.

    Using PowerShell to find domain controllers

    PowerShell supplies a cmdlet, Get-ADDomainController, for finding the domain controllers in your environment. It can display an interesting set of information, including the AD site and IP address:

    PS> Get-ADDomainController -Filter * |
    Format-Table Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly -AutoSize
    
    Name     Site  IPv4Address   IsGlobalCatalog IsReadOnly
    ----     ----  -----------   --------------- ----------
    SERVER02 Site1 192.168.2.1              True      False
    SERVER03 Site1 192.168.2.202            True      False

    The IPv4 address is shown in the example. The IPv6 address is also available if required. Get-ADDomainController looks for domain controllers in the same site as the machine you’re using. Use the -SiteName parameter to force a search in another site.
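The following added example (not taken from the book) extends the Get-ADDomainController inventory with two checks the excerpt motivates: which FSMO roles each domain controller holds, and whether its computer object still sits under the default Domain Controllers OU, where the Default Domain Controllers GPO applies. It assumes the ActiveDirectory module is installed and the session runs as a domain user; the variable names are illustrative.

```powershell
# Added example: inventory domain controllers and flag any outside the default OU.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, authenticated session.
Import-Module ActiveDirectory

# Distinguished name of the default Domain Controllers OU for the current domain.
$defaultOu = (Get-ADDomain).DomainControllersContainer

$inventory = Get-ADDomainController -Filter * | ForEach-Object {
    # True when the computer object is in the default OU or an OU nested beneath it.
    $inDefaultOu = $_.ComputerObjectDN.EndsWith(
        ",$defaultOu", [System.StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Name            = $_.Name
        Site            = $_.Site
        IPv4Address     = $_.IPv4Address
        IsGlobalCatalog = $_.IsGlobalCatalog
        IsReadOnly      = $_.IsReadOnly
        FsmoRoles       = ($_.OperationMasterRoles -join ', ')
        InDefaultOU     = $inDefaultOu
        ComputerDN      = $_.ComputerObjectDN
    }
}

# Full inventory, grouped visually by site.
$inventory | Sort-Object Site, Name |
    Format-Table Name, Site, IPv4Address, IsGlobalCatalog, IsReadOnly,
                 InDefaultOU, FsmoRoles -AutoSize

# Domain controllers that have been moved away from the default OU.
$misplaced = @($inventory | Where-Object { -not $_.InDefaultOU })
if ($misplaced.Count -gt 0) {
    Write-Warning "Domain controllers outside '$defaultOu':"
    $misplaced | Format-Table Name, ComputerDN -AutoSize
} else {
    Write-Output "All domain controllers are under '$defaultOu'."
}
```

Like the book's command, this lists the domain controllers of the current domain only; in a multi-domain forest, run it once per domain.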

    You can force the discovery of the domain controller you used to log on to the domain as follows:

    Figure 17.1. Intrasite replication among three domain controllers. The arrows indicate that replication occurs as two one-way replication processes to create bidirectional replication between pairs of domain controllers.