Physical Structure
Lesson 4: Define domain controllers.
Objective: Explain the Functions of a Domain Controller in Active Directory

Functions of a Domain Controller in Active Directory

In Active Directory Domain Services (AD DS), a domain controller (DC) is a server that hosts the directory service for a domain. Each DC stores a copy of the Active Directory database (the directory partitions for that domain) and uses replication to keep directory data consistent with other domain controllers.

Domain controllers are foundational to identity and access in Windows environments because they provide authentication, authorization, and directory lookup services for users, computers, and applications.

Core functions of a domain controller

  1. Stores directory data: holds objects and attributes for the domain (users, computers, groups, OUs, policies, and configuration data).
  2. Authenticates and authorizes access: validates sign-ins and issues access decisions based on group membership and security policies (Kerberos is the primary authentication protocol in modern domains).
  3. Replicates directory changes: participates in multi-master replication so updates made on one DC converge across other DCs.
  4. Supports directory queries: answers LDAP directory searches used by Windows components and enterprise applications.
  5. Enforces policy and security settings: hosts and distributes Group Policy and supports domain-wide security controls (password policy, lockouts, Kerberos settings, and more).
  6. Integrates with DNS for service location: publishes DC and service records in DNS so clients can find authentication and directory services.

Some domain controllers also perform special roles. For example, a DC can be a Global Catalog (GC) server to speed up forest-wide searches, or it can host FSMO roles (such as PDC Emulator or RID Master) that provide single-master coordination for specific operations. In branch-office deployments, organizations may use a Read-Only Domain Controller (RODC) to reduce risk while still providing local authentication and directory reads.

How Many Domain Controllers Should You Deploy?

A domain can have one or many domain controllers. The right number depends on your availability requirements, user population, geographic distribution, WAN link reliability, and the need for local authentication in remote sites.


[Figure: How many domain controllers should you have in your domain?]

Small Organization

In a small environment with a single site and stable connectivity, a common baseline is two domain controllers to provide fault tolerance. If one DC is offline for maintenance or failure, the second DC can still service authentication and directory requests.

In larger or geographically distributed environments, you typically place domain controllers in major locations (sites) so users authenticate locally. This reduces latency during sign-in and avoids unnecessary WAN traffic. Availability and consistency are supported through multi-master replication.


Active Directory and Multi-Master Replication

AD DS uses multi-master replication: most directory updates can be made on any writable DC, then replicated to others. Because replication is not instantaneous, two DCs might briefly show different values for the same object until convergence completes. A correct site topology (sites, subnets, and site links) helps replication use WAN links efficiently.
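The following PowerShell script is an added example, not part of this lesson, that puts the points above into a quick health check: it groups the domain's DCs by site and flags sites without a second writable DC, confirms each DC is published in the DC locator SRV record, and reports replication partners whose updates are failing to converge. It assumes the RSAT ActiveDirectory module on a domain-joined workstation with read access to the domain and DNS.

```powershell
# Added example (not from the lesson): inventory domain controllers per AD site,
# flag single-DC sites, and confirm DC locator SRV records exist in DNS.
# Assumes the ActiveDirectory RSAT module and a domain-joined workstation.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *

# 1. Summarise per site: writable vs read-only DCs, global catalogs, FSMO holders
$dcs | Group-Object Site | ForEach-Object {
    $writable = @($_.Group | Where-Object { -not $_.IsReadOnly })
    $gcs      = @($_.Group | Where-Object { $_.IsGlobalCatalog })
    [pscustomobject]@{
        Site        = $_.Name
        WritableDCs = $writable.Count
        RODCs       = $_.Count - $writable.Count
        GlobalCats  = $gcs.Count
        FsmoRoles   = ($_.Group.OperationMasterRoles | Sort-Object -Unique) -join ','
        # A site with fewer than two writable DCs has no local fault tolerance
        Warning     = if ($writable.Count -lt 2) { 'single point of failure' } else { '' }
    }
} | Format-Table -AutoSize

# 2. Confirm every DC appears in the DC locator SRV record that clients query
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
foreach ($dc in $dcs) {
    $registered = $srv | Where-Object { $_.NameTarget -ieq $dc.HostName }
    if (-not $registered) {
        Write-Warning "$($dc.HostName) has no _ldap._tcp.dc._msdcs SRV record; clients cannot locate it"
    }
}

# 3. Surface replication partners with outstanding failures (convergence not completing)
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 } |
        ForEach-Object {
            Write-Warning ("{0} <- {1} ({2}): {3} consecutive failures, last success {4}" -f
                $dc.HostName, $_.Partner, $_.Partition,
                $_.ConsecutiveReplicationFailures, $_.LastReplicationSuccess)
        }
}
```

Run it from a management workstation rather than on a DC; the site summary is the input to the "how many DCs" decision in the previous section, and the SRV and replication checks catch the two failure modes that most often make a DC present but unusable.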

In the next lesson, we’ll look at the different types of domain controllers (writable DCs, RODCs, and GCs) and where each type fits in a practical design.


Allocating Domain Controllers - Exercise

Click the Exercise link below to complete an exercise on how to allocate the number of domain controllers properly.
Allocating Domain Controllers - Exercise
