6.1.2.1 DC Existence

For any DC in the forest, the following objects MUST exist:

• nTDSDSA object: See section 6.1.1.

• server object: See section 6.1.1.

• Domain Controller object (in AD DS, not AD LDS): See section 6.1.1.

For the purposes of this section, an RODC object is a Domain Controller object.

Any one of these objects can be said to "represent" the DC.

Relationships:

• The server object is the parent of the nTDSDSA object. On AD DS, the name of the server object is the computer name of the DC; on AD LDS, the name of the server object is the computer name, followed by "$", followed by the instance name of the DC.

• On AD DS, the attribute on the server object MUST reference the domain controller object.

• On AD DS, the dNSHostName attribute of the domain controller object MUST equal the dNSHostName attribute of the server object.

• The dNSHostName attribute of the server object MUST equal the DNS hostname of the computer that is physically the DC.

• On AD DS, every value of the servicePrincipalName attribute of the domain controller object, which has a DNS hostname as the instance name (see section 5.1.1.4, "Mutual Authentication", for SPN (2) construction), MUST have an instance name equal to the dNSHostName of the domain controller object.