What are DC roles?

Domain Controller Roles

  • Global Catalog Server
  • Single Master Operations

Global Catalog Server – A global catalog server is a DC that stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.

The global catalog performs three key functions:

  1. It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
  2. It enables finding directory information regardless of which domain in the forest actually contains the data.
  3. It resolves UPNs when the authenticating domain controller does not have knowledge of the account.

Single Master Operations

Every Active Directory forest must have domain controllers that fulfill two of the five single master operations roles. The forest-wide roles are:

  • Schema master
  • Domain naming master

Every Active Directory domain must have domain controllers that fulfill three of the five single master operations roles. The domain-wide roles are:

  • Relative identifier (RID) master
  • Primary domain controller (PDC) emulator
  • Infrastructure master

Ports required:

  • Global Catalog Server: 3268 (TCP), 3269 (TCP)
  • LDAP: 389 (TCP and UDP)
  • Kerberos: 88 (UDP)
  • RPC: 135 (TCP)


Schema Master – controls all updates and modifications to the schema. To update the schema of a forest, you must be a member of the Schema Admins group, and you must enable the schema to be modified in the schema console.

Domain Naming Master – controls the addition or removal of domains in the forest.

RID Master – allocates sequences of RIDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security identifier (SID). The SID consists of a domain SID that is the same for all SIDs that are created in the domain and a RID that is unique for each SID that is created in the domain.

PDC Emulator – In a Windows Server 2003 domain in native mode, the PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller because of a bad password, that domain controller forwards the authentication request to the PDC emulator before it rejects the logon request.

Infrastructure Master – is responsible for updating the group-to-user references whenever group memberships are changed.

If modifications to user accounts and group memberships are made in different domains, there is a delay between the time that you rename a user account and the time when a group that contains that user will display the new name of the user account. The infrastructure master of the group’s domain is responsible for this update; it distributes the update through multimaster replication.
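As an added example (not from the original post), the following PowerShell lists which DCs hold the five single master operations roles and which are global catalog servers, then probes the TCP ports listed above from the machine it runs on. It assumes the RSAT ActiveDirectory module is installed and the host is domain-joined; the role and GC properties it reads are the standard ones exposed by Get-ADForest, Get-ADDomain and Get-ADDomainController.

```powershell
# Added example: inventory FSMO role holders and GC servers, then check the
# post's TCP ports from this host. Assumes RSAT ActiveDirectory module and a
# domain-joined machine with rights to read the forest/domain objects.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles live on the forest object, domain-wide roles on the domain object.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'RID master'            = $domain.RIDMaster
    'PDC emulator'          = $domain.PDCEmulator
    'Infrastructure master' = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Name, Value -AutoSize

# Every DC holding a GC replica (full copy of its own domain, partial copy of the rest).
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Domain, Site
$gcs | Format-Table -AutoSize

# Ports from the post. Test-NetConnection probes TCP only, so Kerberos 88/UDP and
# LDAP 389/UDP are not covered here. 3268/3269 are expected open only on GC hosts.
$ports = [ordered]@{
    'GC LDAP'  = 3268
    'GC LDAPS' = 3269
    'LDAP'     = 389
    'Kerberos' = 88
    'RPC'      = 135
}
$targets = @($roles.Values) + @($gcs.HostName) | Sort-Object -Unique
foreach ($dc in $targets) {
    foreach ($p in $ports.GetEnumerator()) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p.Value `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-40} {1,-10} {2,5}/TCP  {3}' -f $dc, $p.Key, $p.Value,
            $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

A BLOCKED result on 3268/3269 for a role holder that is not a GC is expected; a BLOCKED result on 88, 135 or 389 for any DC means clients behind this host's network path cannot authenticate or look up the directory against it.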



Author: MStechJi

IT professional with 8.5 years of experience in providing Remote Infrastructure Support in Windows Server environment including MS Azure. Intent to increase my knowledge and experience and share some tips and tricks I’ve learnt along the way.
