pdc emulator fsmo role

FSMO Role: PDC Emulator


The Primary Domain Controller (PDC) Emulator FSMO role is one of the three domain-wide operations master roles, i.e. in each domain there should be only one domain controller which is the owner of this role. Initially, the main task of PDC Emulator was to ensure compatibility with earlier versions of Windows. In a mixed environment with Windows NT4.0/95/98 clients and NT4 domain controllers, the PDC Emulator performs (for them only) the following functions:

  • Processing of password change for users and computers;
  • Replication of updates to the BDCs (Backup Domain Controller);
  • Executes the tasks of the Domain Master Browser.

Primary Domain Controller (PDC) Emulator role

Starting from the functional level of the Windows 2000 domain, the domain controller with the PDC Emulator role performs the following functions:

  1. Responsible for changing passwords and monitoring user locks for password errors. The password changed on any other domain controller is first replicated to the PDC Emulator. If authentication on any other domain controller was not successful, the request is repeated with the PDC Emulator. If the account is successfully authenticated immediately after an unsuccessful attempt, the PDC Emulator is notified about it and resets the counter of unsuccessful attempts. It is important to note that if the PDC Emulator is not available, the password change information will still spread across the domain, it just happen a bit slower.
  2. The Group Policy Editor by default connects to the PDC Emulator server and all changes to the GPO in reality occur on it. If PDC Emulator is not available, it is necessary to specify which domain controller you want to connect.
  3. By default, the PDC Emulator is the time server for the clients in the domain. The PDC Emulator of the root domain in the forest is the default time server for the PDC Emulator in the child domains. For more information about configuring network time in a domain take a look at this post Windows Time Sync Using Group Policy.
  4. Changes to the Distributed File System (DFS) namespace are made on the domain controller with the PDC Emulator role. DFS root servers periodically request updated metadata from it. Inaccessibility of the PDC Emulator may result in incorrect operation of the DFS.
  5. The process of increasing the domain or forest functional level is performed on the Primary Domain Controller Emulator.
  6. During the installation of the first domain controller, the NetLogon service creates in the DNS special SRV record _ldap._tcp.pdc._msdcs.DnsDomainName. This entry allows clients to discover the PDC emulator. Only the owner of this role can modify this record.
  7. Active Directory has so-called Well Known Security principals. Examples are the Everyone, Authenticated Users, System, Self, and Creator Owner. They are all managed by a domain controller with the PDC Emulator role.
  8. The SDProp (Security Descriptor propagator) mechanism runs on the PDC emulator. This mechanism “tidies up” access control lists (ACL’s) for Active Directory objects.
READ ALSO  How to Avoid Reserved or Hidden Partition in Windows 8

Microsoft best practices about the placement of the PDC Emulator role

  • Place the PDC emulator and RID master roles on one domain controller;
  • Be sure to configure the PDC emulator to synchronize the time from the correct external time source;
  • If you are using virtualized domain controllers, make sure that guest virtual machine OS’s do not synchronize time from the virtualization host;
  • Do not modify SDProp mechanism.

How to transfer PDC Emulator role?

There are no dedicated snap-in to manage Primary Domain Controller Emulator role. You can view the current owner of the role and transfer the role to another DC using the Active Directory Users and Computers snap-in.

  1. Run ADUC.
  2. Right click on the tree root and select Change Domain controller.
    active directory change domain controller
  3. Select the DC to which you want to transfer the FSMO role.
    change directory server
  4. In the ADUC console right click on the root of the domain and select Operations Master. Switch to the PDC tab.
    operations master pdc emulator
  5. To transfer the Primary Domain Controller Emulator role to another domain controller and click Change button.
    pdc emulator
  6. After that, you must confirm the action and receive a notification about the successful transfer of the role.

This concludes the overview of the PDC Emulator FSMO role.


You may also like:

Configuring GPO Proxy Settings for Internet Explor... The article shows how to configure GPO proxy settings for Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of I...
Installing Active Directory Snap-in on Windows 10 One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). To work with ADUC snap-in in ...
How to hide specific OU in Active Directory The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user acco...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...
Join Domain and Login over a VPN Connection This is a short tutorial on how to join a computer to a domain over a VPN connection. This was very useful for us this weekend. We had to reformat a c...