Active Directory server roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Computers that function as servers within a domain can have one of two roles: member server or domain controller. A server that is not in a domain is a stand-alone server.

Member servers

A member server is a computer that:

  • Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.

  • Belongs to a domain.

  • Is not a domain controller.

A member server does not process account logons, participate in Active Directory replication, or store domain security policy information.

Member servers typically function as the following types of servers: file servers, application servers, database servers, Web servers, certificate servers, firewalls, and remote access servers. For more information about server roles, see Server roles.

The following security-related features are common to all member servers:

  • Member servers adhere to Group Policy settings that are defined for the site, domain, or organizational unit.

  • Access control applies to resources that are available on a member server.

  • Users of a member server have assigned user rights.

  • Member servers contain a local security account database, the Security Accounts Manager (SAM).

Domain controllers

A domain controller is a computer that:

  • Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.

  • Uses Active Directory to store a read-write copy of the domain database, participate in multimaster replication, and authenticate users.

Domain controllers store directory data and manage communication between users and domains, including user logon processes, authentication, and directory searches. Domain controllers synchronize directory data using multimaster replication, ensuring consistency of information over time. For more information about multimaster replication, see Replication overview.

Active Directory supports multimaster replication of directory data between all domain controllers in a domain; however, multimaster replication is not appropriate for some directory data. In those cases, a single domain controller, called the operations master, processes the data. In an Active Directory forest, there are at least five different operations master roles that are assigned to one or more domain controllers. For more information about operations masters, see Operations master roles.

As the needs of your computing environment change, you might want to change the role of a server. Using the Active Directory Installation Wizard, you can install Active Directory on a member server to make it a domain controller, or you can remove Active Directory from a domain controller to make it a member server. For more information about domain controllers, see Domain controllers.


  • You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
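An added check (example code, not from this documentation) that reports which of the roles described above a server holds, and what follows from that role, using the Win32_ComputerSystem WMI class. It assumes Windows PowerShell is installed on the server, which is an add-on for Windows Server 2003.

```powershell
# Added example (not from the original documentation): classify a server
# into the roles this page defines (stand-alone server, member server,
# domain controller) and report what follows from that role.

function Get-ServerRoleReport {
    param([string]$ComputerName = '.')

    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName

    # DomainRole values defined for Win32_ComputerSystem:
    #   0 = Standalone Workstation   1 = Member Workstation
    #   2 = Standalone Server        3 = Member Server
    #   4 = Backup Domain Controller (any additional AD domain controller)
    #   5 = Primary Domain Controller (the DC holding the PDC emulator role)
    switch ($cs.DomainRole) {
        2       { $role = 'Stand-alone server' }
        3       { $role = 'Member server' }
        4       { $role = 'Domain controller' }
        5       { $role = 'Domain controller (PDC emulator)' }
        default { $role = 'Workstation' }
    }
    $isDomainController = ($cs.DomainRole -ge 4)

    # Consequences of the role, as described in the text above: a domain
    # controller holds a read-write replica of the domain database and
    # replicates it; a member or stand-alone server keeps its accounts in
    # the local SAM and does not process domain account logons.
    if ($isDomainController) {
        $accountDatabase = 'Active Directory (read-write domain replica)'
    } else {
        $accountDatabase = 'Local SAM'
    }

    New-Object PSObject -Property @{
        Computer                  = $cs.Name
        Domain                    = $cs.Domain
        Role                      = $role
        AccountDatabase           = $accountDatabase
        ParticipatesInReplication = $isDomainController
        ProcessesDomainLogons     = $isDomainController
        AppliesDomainGroupPolicy  = [bool]$cs.PartOfDomain
    }
}

# Report on the local machine; pass -ComputerName to check another server.
Get-ServerRoleReport | Format-List
```

Run the report before and after promoting or demoting a server with the Active Directory Installation Wizard to confirm that the role, and the hardening baseline that should apply to it, changed as intended.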