Concepts and Planning

Domain Controllers

Windows NT Server computers can serve as domain controllers that authenticate logon requests within each domain. There are two types of domain controllers:

Primary domain controllers (PDCs)   A domain has only one PDC, which maintains the security database of all user account information in the domain. All changes to the security database must be made on the copy stored on the PDC.

Backup domain controllers (BDCs)   A domain can have any number of BDCs. Although not required, one or more BDCs provide load balancing and fault tolerance. A BDC also stores copies of the domain's security database and can be used to authenticate user names and passwords when the PDC is not available. Because the PDC automatically replicates all changes to a BDC, the BDC is always up-to-date, so that the domain continues to function if the PDC fails.

Although a Windows NT Server computer with Microsoft Exchange Server installed does not have to be a domain controller, you should decide whether to host Microsoft Exchange Server on domain controllers. Base your decision on the type and number of servers available in the site.

You can designate one Microsoft Exchange Server computer as a domain controller if it has enough capacity to perform Microsoft Exchange Server tasks and authenticate logon requests.

In large domains, the most significant issue for domain controllers is the amount of memory. Domain controllers supporting more than 15,000 users should have enough memory to perform administrative tasks. Estimate the necessary amount of memory according to the size of the Security Accounts Manager (SAM) database, which holds security information, including user account names and passwords. The domain controller needs system memory of approximately three times the size of the SAM database.

If the Microsoft Exchange Server computers are the only Windows NT Server computers in your network, designate one of them as the PDC. The others can be designated as BDCs or servers without domain control responsibilities. Alternatively, you can dedicate Windows NT Server computers as domain controllers.

Place your domain controllers in a domain with reliable network connectivity. If a domain has servers at different physical locations connected by a wide area network (WAN) connection, each location should have at least one BDC.

In a large domain, the domain controller can be very busy validating Windows NT user accounts as users log on. To transfer this workload from the Microsoft Exchange Server computer, you can install a Windows NT Server computer to act as a domain controller.

You should configure at least one server as a BDC, and preferably have several BDCs in a domain. In a site with slow or unreliable connections, have at least one BDC in every segment of the WAN. If the connection to the main part of the network is down, the BDC can continue to validate all the local users.