Backup Domain Controller (BDC)

Definition of Backup Domain Controller in Network Encyclopedia.

What is BDC (backup domain controller)?

A Backup Domain Controller is a Microsoft Windows NT domain controller containing a read-only copy of the master domain directory database located on the primary domain controller (PDC).

When Windows 2000 was released, the NT domain, as found in NT 4 and prior versions, was replaced by Active Directory. In Active Directory domains running in native mode, the concepts of the PDC and BDC do not exist. In these domains, all domain controllers are considered equals. A side effect of this change is the loss of the ability to create a “read-only” domain controller. Windows Server 2008 reintroduced this capability.

A Windows NT domain can have zero or more backup domain controllers (BDCs) for load balancing and redundancy. The BDCs periodically undergo directory synchronization in a Windows domain by retrieving a copy of the directory database from the PDC. A BDC can perform logon validation and authentication like a PDC, but it cannot manage accounts – for example, it cannot change user passwords.

Backup Domain Controller in WANs

The placement of BDCs in wide area networks (WANs) that are based on Windows NT is an important issue. In a master domain model scenario, user accounts are centralized in a master domain located at company headquarters, while users and shared network resources are distributed in resource domains located at branch offices in different locations. The users in this scenario must log on to the master domain in order to access resources in the enterprise. There are two ways of facilitating this:

  • Locate all BDCs belonging to the master domain at headquarters. Unfortunately, when users at the branch offices want to log on, they will have to use the relatively slow WAN link to do so. The additional logon traffic can cause congestion on the WAN link, particularly at certain times of the day.
  • Locate one or more BDCs belonging to the master domain at each branch office (resource domain). This will facilitate logons by users located at branch offices, since they can log on to one of these BDCs locally instead of being validated over the relatively slow WAN link by a domain controller at headquarters. However, directory replication traffic between the BDCs located at the branch offices and the PDC at headquarters can cause congestion over the WAN links. To make directory synchronization more efficient over the WAN link, registry parameters such as ReplicationGovernor and ChangeLogSize can be adjusted, and batch files can be scheduled using the at command to configure different replication rates at different times of the day.
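One way to script the time-of-day replication rates described in the second option, as an added example that is not part of the original entry. The file name, paths, times and percentages are assumptions; the script also assumes ReplicationGovernor is a REG_DWORD under the Netlogon service's Parameters key and that Netlogon reads it when the service starts.

```bat
@echo off
rem setgov.bat - hypothetical helper, run locally on a branch-office BDC.
rem Usage: setgov.bat HH   where HH is the percentage as two hex digits
rem        (19 = 25 percent, 32 = 50 percent, 64 = 100 percent)

if "%1"=="" goto usage

rem Build a REGEDIT4 import file. Redirection is written first on each
rem line so a trailing digit is never parsed as a file-handle number.
set REGFILE=%TEMP%\setgov.reg
> "%REGFILE%" echo REGEDIT4
>> "%REGFILE%" echo.
>> "%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> "%REGFILE%" echo "ReplicationGovernor"=dword:000000%1

rem Import silently, then remove the temporary file.
regedit /s "%REGFILE%"
del "%REGFILE%"

rem Assumption: Netlogon picks up the new value only at service start.
rem Restarting it briefly interrupts logon validation on this BDC, so
rem schedule the change outside peak logon periods.
net stop netlogon
net start netlogon
goto end

:usage
echo Usage: setgov.bat HH   (two hex digits, e.g. 19 for 25 percent)

:end
rem Scheduling (typed once on the BDC, Schedule service running);
rem the times and the c:\scripts path are constructed for this example:
rem   at 07:00 /every:M,T,W,Th,F "cmd /c c:\scripts\setgov.bat 19"
rem   at 19:00 /every:M,T,W,Th,F "cmd /c c:\scripts\setgov.bat 64"
```

Running `at` with no arguments afterwards lists the scheduled jobs, which is a quick check that both entries were registered.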

Backup Domain Controller for Fault Tolerance

Every Windows NT network should have at least one BDC for fault tolerance. If the PDC fails, the BDC can be promoted to take its place. One BDC can support approximately 2000 users on a network, but many factors can affect this figure.