6.1.1.3.1 Domain Controller Object

In AD DS, each normal (not read-only) DC in a domain has a domain controller object in its default NC. The DC's domain controller object is the DC's computer object (subject to the computer object constraints specified in [MS-SAMR] sections 3.1.1.6 and 3.1.1.8) with additional requirements as described in this section.

An AD DS RODC has a read-only domain controller object as specified in section 6.1.1.3.2. An AD LDS DC does not have a domain controller object.

objectClass: computer

userAccountControl: {ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION}

primaryGroupID: Contains the value 516.

This attribute is populated by the system during creation of the DC corresponding to the DC object. The primary group of a DC object is the domain relative well-known Domain Controllers security group. So the primaryGroupID attribute of a DC object equals the RID of the Domain Controllers security group, 516.

servicePrincipalName: This attribute contains all of the SPNs (2) for a normal (not read-only) DC, as specified in [MS-DRSR] section 2.2.2.

dNSHostName: Fully qualified DNS name of the DC.

msDS-AdditionalDnsHostName: Additional DNS names by which the DC can be identified.

objectCategory: Contains the distinguished name of the classSchema object for the computer class. This is the value of the defaultObjectCategory attribute of the computer class.
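The attribute requirements above can be turned into an audit check that flags computer objects whose attributes do not agree with each other (for instance, a userAccountControl that claims server-trust status while primaryGroupID is not 516). The following is an added example, not part of MS-ADTS; the flag values come from the ADS_USER_FLAG_ENUM, the sample objects are constructed, and the objectCategory check is omitted because it needs the schema NC's DN.

```python
# Added example (not from MS-ADTS): audit computer objects against the
# domain controller object constraints of section 6.1.1.3.1, using attribute
# values shaped the way an LDAP client returns them. All sample data is constructed.

ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000      # ADS_USER_FLAG_ENUM values
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
DOMAIN_CONTROLLERS_RID = 516              # required primaryGroupID for a DC object
REQUIRED_UAC = ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION


def dc_object_violations(obj: dict) -> list:
    """Return the constraints from this section that obj fails; [] means it
    satisfies all of them (objectCategory is not checked here)."""
    problems = []
    if "computer" not in [c.lower() for c in obj.get("objectClass", [])]:
        problems.append("objectClass does not contain computer")
    uac = int(obj.get("userAccountControl", 0))
    if uac & REQUIRED_UAC != REQUIRED_UAC:
        problems.append("userAccountControl lacks SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION")
    if int(obj.get("primaryGroupID", 0)) != DOMAIN_CONTROLLERS_RID:
        problems.append("primaryGroupID is not 516 (Domain Controllers)")
    if not obj.get("dNSHostName"):
        problems.append("dNSHostName is missing")
    if not obj.get("servicePrincipalName"):
        problems.append("servicePrincipalName is empty")
    return problems


def inconsistent_dc_claims(objects: list) -> list:
    """Names of objects where the server-trust flag and the Domain Controllers
    primary group disagree; both are set by the system for real DCs, so a
    mismatch is worth a closer look."""
    out = []
    for obj in objects:
        claims_dc = bool(int(obj.get("userAccountControl", 0)) & ADS_UF_SERVER_TRUST_ACCOUNT)
        in_dc_group = int(obj.get("primaryGroupID", 0)) == DOMAIN_CONTROLLERS_RID
        if claims_dc != in_dc_group:
            out.append(obj.get("sAMAccountName", "?"))
    return out


COMPUTER_CLASSES = ["top", "person", "organizationalPerson", "user", "computer"]
SAMPLE_OBJECTS = [  # constructed, not from any real directory
    {"sAMAccountName": "DC01$", "objectClass": COMPUTER_CLASSES, "userAccountControl": 532480,
     "primaryGroupID": 516, "dNSHostName": "dc01.example.test",
     "servicePrincipalName": ["HOST/dc01.example.test", "ldap/dc01.example.test"]},
    {"sAMAccountName": "WS17$", "objectClass": COMPUTER_CLASSES, "userAccountControl": 4096,
     "primaryGroupID": 515, "dNSHostName": "ws17.example.test",
     "servicePrincipalName": ["HOST/ws17.example.test"]},
    {"sAMAccountName": "ODD01$", "objectClass": COMPUTER_CLASSES, "userAccountControl": 532480,
     "primaryGroupID": 515, "dNSHostName": "odd01.example.test",
     "servicePrincipalName": ["HOST/odd01.example.test"]},
]
```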