Does it matter which domain controller you select when you need to perform routine maintenance on Active Directory? Did you know that you can specify which domain controller that you use to administer Active Directory objects? If you answered no to either one of these questions, this article is for you. It is important to specify the domain controller that you need to administer, to ensure that the updates are made efficiently and effectively to the Active Directory database. All of the built-in administrative tools allow you to control the domain controller that is being updated, which is extremely powerful.
Administering Users, Groups, and Computers
Unless you have purchased a third party tool for routine administration, you are most likely using the Active Directory Users and Computers console to update user, group, and computer accounts. This tool provides you with a clear view of Active Directory and all of the objects that are stored within it.
To control which domain controller you will use to update Active Directory, you will follow these steps:
1. Right-click on the domain node within Active Directory Users and Computers.
2. Select the "Connect to Domain Controller" option from the drop down menu.
3. Click on the desired domain controller in the dialog box that appears, then click the OK button.
This will allow you to focus on any domain controller within the domain for making updates. The reason that this is important is so you can target which domain controller receives the updates immediately. In a case where you are trying to update a user accounts' credentials or group membership, you will want to target a domain controller that is located in the clients Active Directory site. If a domain controller in a different site is updated, the user might not see the changes that you make to Active Directory until all of the domain controllers replicate and converge.
Other reasons that you want to ensure that a specific domain controller is selected for updates include:
- Changes to group membership
- Adding new objects to Active Directory
- Changing user account information (Terminal Services log on, RAS capabilities, etc)
- Delegation of administration of Active Directory objects
The one aspect of administration that you typically don't want to control as tightly is Group Policy. Both the Active Directory Users and Computers and Group Policy Management Console will choose the domain controller that runs the PDC Emulator role. This is a good idea in almost every case, to ensure that you know where all of the Group Policy updates are being directed.
Choosing which domain controller you update can solve many problems for users and administrators throughout the enterprise. If a domain controller is updated that won't service a user or computer, the changes won't affect the user or computer until the domain controllers converge that change across sites. This convergence might take hours to occur. There are many reasons to specify domain controllers when updating objects and the ability to do so is very simple.
Derek Melber manages http://www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on "Auditing Windows Security" is now available at The IIA Bookstore. Online training is also available which coincides with the books, which you can find at http://www.auditlearning.com. Derek provides customized training for auditors, security professionals, and network admins; e-mail Derek for more details. You can contact Derek Melber at email@example.com