Identity with Windows Server 2016:Microsoft 70-742 MCSA Exam Guide

Domains

The domain is a logical component that acts as a central administrative point for AD DS objects, such as users, groups, and computers. Domains use a specific portion of the AD DS database and can be connected to other domains in a parent-child structure or a tree structure. The AD DS database stores all domain objects, and each domain controller holds a copy of the AD DS database.

AD DS uses a multi-master replication model. This means that every domain controller in the domain can make a change to the objects in the domain and that change will be replicated in all other domain controllers.

The AD DS domain provides authentication and authorization for domain-joined users. Every time the domain user wants to sign in to a domain-joined computer, AD DS must authenticate the login. Windows operating systems use authorization and access-control technologies to allow authenticated users to access resources.

Every domain in a forest has some objects that are unique to that domain:

  • Domain Admins group: By default, every domain has an administrator account and a Domain Admins group. The administrator account is a member of the Domain Admins group, and the Domain Admins group is, also by default, a member of the local Administrators group on each domain-joined computer.
  • RID master role: The Relative Identifier (RID) master role is a domain-specific role that's responsible for assigning a unique SID to each new AD DS object. If the RID master server isn't online, you might have issues adding new objects to the domain.
  • Infrastructure master role: This FSMO role is responsible for inter-domain object references, when objects from one domain are part of a group in another domain. If the server holding this role is unavailable, domain controllers that aren't configured as global catalog servers won't be able to authenticate users.
  • PDC emulator role: The Primary Domain Controller (PDC) emulator FSMO role is responsible for time synchronization. The PDC master is the time source for a domain, and all PDC masters in the forest synchronize their time with the PDC in the forest root domain. The PDC master is the domain controller that receives the new password when a user changes it and replicates that information to the other domain controllers. The PDC emulator also plays a big role in editing GPOs, because the PDC holds the editing copy. This prevents potential issues if multiple administrators want to edit the same GPO at the same time.
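As an added example (not from the book), the following PowerShell script locates the FSMO role holders described above, checks whether each is reachable, and lists the Domain Admins membership that, as noted earlier, is nested into local Administrators on every domain-joined computer. It assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user on a domain-joined host.

```powershell
# Added example (not from the book): enumerate FSMO role holders and check each
# one is reachable. Assumes the RSAT ActiveDirectory module is installed and the
# session runs as a domain user on a domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain-wide roles (one holder per domain) and forest-wide roles (one per forest)
$roles = [ordered]@{
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $dc     = Get-ADDomainController -Identity $holder
    [pscustomobject]@{
        Role          = $role
        Holder        = $holder
        Reachable     = Test-Connection -ComputerName $holder -Count 1 -Quiet
        GlobalCatalog = $dc.IsGlobalCatalog
        Site          = $dc.Site
    }
}
$report | Format-Table -AutoSize

# An offline RID master blocks new object creation, so flag unreachable holders.
$report | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "FSMO holder $($_.Holder) ($($_.Role)) did not respond" }

# Known caveat (not stated in the book): the infrastructure master only updates
# cross-domain references when it is NOT a global catalog, unless every DC in
# the domain is a GC. Report that configuration so it can be reviewed.
$allDCs   = Get-ADDomainController -Filter *
$allAreGC = ($allDCs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$im = $report | Where-Object Role -eq 'Infrastructure master'
if ($im.GlobalCatalog -and -not $allAreGC) {
    Write-Warning "Infrastructure master $($im.Holder) is a GC while some DCs are not"
}

# Domain Admins is nested into local Administrators on every domain-joined
# computer, so its membership deserves periodic review; list it recursively.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, objectClass, distinguishedName
```

The Reachable column relies on ICMP; where ping is blocked, replace Test-Connection with Test-NetConnection -ComputerName $holder -Port 389 to probe LDAP instead.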

Domain controllers don't have local users and groups, so local Administrator groups don't exist on domain controllers.