18.104.22.168.2 Network Domains and Domain Controllers
In a network domain, certain Windows servers can be configured to be domain controllers. A domain controller is a server that has made its account database available to other machines in a controlled manner.
Because the account database is typically distributed across multiple domain controllers, there can be a mix of different versions of the individual servers. Active Directory defines a functional level, which serves as a version level for the entire directory. For more information about functional levels, see [MSFT-ADDSFL].
A domain has built-in groups that are defined by Microsoft and created in the domain during installation. For example, built-in groups include the Domain Users, Domain Computers, and Domain Admins groups. By default, the Domain Users group includes all users who are defined in the domain.
A domain controller accepts authentication requests on behalf of the machines that have chosen to trust it and for accounts in its domain.
A domain controller can have peers within the domain, which are other servers that also have been configured to host this account database. Any server that participates in the domain as a domain controller may or may not allow changes; the configuration is a choice of the administrator.
When a change is allowed, the servers replicate the change so that all domain controllers have the same information.