In last post, we have discussed about RID Master. In this post we will understand the 3rd and last domain level role, the PDC (Primary Domain Controller) Emulator which is undoubtedly the most important role. Most of you must be thinking that when every DC has the same authority in Active Directory, why this role is known as Primary Domain Controller?
Before Active Directory was introduced in Windows Server 2000, we had Windows NT Server. NT domain has only one master server at a time who used to control other NT servers. When we moved to AD where all DCs has equal powers, PDC Emulator actually used to act as a Master Server for existing NT environment. Back then, this was the most important role of a PDC holder. But since now you are not going to see NT infrastructure at all, this functionality is not relevant. However if you have worked on Windows NT Server, you should consider yourself lucky. 🙂
Apart from this, PDC serves few more critical responsibilities:
- Responsible for time sync which means PDC acts as a Time Server for the infrastructure and sync the time in the entire AD infrastructure. All domain controllers sync time from PDC and all other computers/servers sync time with respective DCs in the site.
- Since it’s time server, it will directly impact the AD Replication. If the time gap is over 300 seconds in different domain controllers, you will be getting many replication errors.
- Responsible for password change sync. Any password change for any account gets first replicated with PDC and then other DCs. If you face any authentication issue, the request will first go to PDC to find out any possible change.
- Account lockout is processed on the PDC Emulator. All the account lockout related logs will be populated in PDC’s Security Event Logs.
- Responsible for SYSVOL sync in all domain controllers which helps all GPOs to be updated in all DCs.
- PDC is responsible to run the login scripts properly.
- PDC must be available when we are raising forest or domain function levels.
- PDC Emulator must be available while creating any external trust.
- If you are using DFS, PDC Emulator must be available while changing DFS Namespace.
- PDC Emulator holds the “Domain Master Browser” role which is outdated now. I don’t think any one is still using Windows Vista or XP. If so, it’s required.
What if my PDC Emulator is down? Frankly speaking, you are gone. You have to recover it as soon as possible (how? will discuss in later posts). It’s a mission critical FSMO role which will create immediate impact in the infrastructure. If your infrastructure is too big (100 of DCs), you will start getting many sev issues. Issue will be mostly related to time sync, replication, password sync, GPOs and login script related issues.
Since the PDC is so important, it’s always recommended:
- To keep it in a VM instead of a physical server so that if DC fails, you can quickly recover it.
- If you are placing PDC role in a physical machine, always keep it in the best and most updated hardware you have.
This is all for this post. Your feedback and questions are welcome.