Domain controllers enable users to log on to the network and access resources for which they have suitable permissions. They also enable users to search Active Directory for shared folders, shared printers, and other published information. A domain must have at least one domain controller—in fact, promoting a standalone WS2003 computer to the domain controller role is what creates the domain. However, for redundancy, a minimum of two domain controllers is recommended for each domain, because if you have only one domain controller and it goes down, no one will be able to log on. If your company has multiple sites separated by slow WAN links, you probably also want at least one domain controller at each site to reduce logon traffic over the WAN and to enable logons when the WAN goes down. See Site later in this chapter for more information.
When a user wants to log on to the network from a client computer, the client computer first needs to find a domain controller to authenticate its logon request. The client issues a DNS query to locate the nearest domain controller that it can use. The client then contacts this domain controller, and authentication is performed using one of two authentication protocols:
This protocol is used to authenticate computers running Active Directory client software, which is included with WS2003, W2K, and XP. Active Directory client extensions are also available for Windows ...
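The DNS lookup described above, as an added example that is not part of the original text: it models how a client tries its own site's SRV name before the domain-wide one, and reports sites whose clients would have to log on across the WAN. The zone data, the domain corp.example, the site names, and all function names are constructed for illustration; the weighted ordering is simplified from RFC 2782.

```python
import random

def locator_names(domain, site=None):
    """SRV names a client tries: its own site first, then the whole domain."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return [n.lower() for n in names + [f"_ldap._tcp.dc._msdcs.{domain}"]]

def order_srv(records, rng):
    """Lowest priority value first; weighted random order within one priority
    (simplified from RFC 2782)."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = [r for r in records if r["priority"] == prio]
        while group:
            pick = rng.uniform(0, sum(r["weight"] for r in group))
            running = 0
            for rec in group:
                running += rec["weight"]
                if pick <= running:
                    break
            ordered.append(rec["target"])
            group.remove(rec)
    return ordered

def locate(zone, domain, site, rng):
    """Return (name that answered, ordered DC list), or (None, []) if nothing is registered."""
    for name in locator_names(domain, site):
        if zone.get(name):
            return name, order_srv(zone[name], rng)
    return None, []

def sites_without_local_dc(zone, domain, sites):
    """Sites whose clients must cross the WAN because no DC registered a site record."""
    return [s for s in sites if not zone.get(locator_names(domain, s)[0])]

def srv(target, priority=0, weight=100):
    return {"target": target, "priority": priority, "weight": weight}

# Constructed zone data: dc1 and dc2 sit in site HQ, dc3 is a lower-preference DC.
DOMAIN = "corp.example"
ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": [srv("dc1"), srv("dc2"), srv("dc3", priority=10)],
    "_ldap._tcp.hq._sites.dc._msdcs.corp.example": [srv("dc1"), srv("dc2")],
}

if __name__ == "__main__":
    rng = random.Random(0)
    for site in ("HQ", "Branch"):
        print(site, locate(ZONE, DOMAIN, site, rng))
    print("no local DC:", sites_without_local_dc(ZONE, DOMAIN, ["HQ", "Branch"]))
```

A site that appears in the last list has no site-specific record, so its clients fall back to the domain-wide name and may be handed a domain controller on the far side of the WAN link.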