
Some Clarifying thoughts on the PDC Emulator FSMO Role

Posted in Taz, Technical on March 2, 2009 by tazspaz

Okay, in this post you are going to find some of my personal thoughts.  :/  Yeah, a bit scary, right?  However, this topic has been going around for some time, and you will find posts, retractions, clarifications, etc. all over the web on it.

The PDC emulator: what does it actually do?  People keep asking about there being no actual PDC any longer in a Windows® domain; that there is no such thing, and that the PDC emulator is only important in a mixed mode environment.

Hey, if the above is true, then why do we really care about this FSMO at all (in Native Mode)?  Why do we need to worry about its placement, and is there really a PDC/BDC environment in the Windows® architecture today?

I started this topic after having a discussion with a Project Manager (PM) about a client today, in front of a group of other technical folks who more or less tried to call me stupid.  They even had their own laugh track to start with, when they thought I was out of earshot.  Since then they have been educated a bit more.

First, let’s start off with you, the reader, getting a better understanding of why the PDC emulator role is important.  Start off by reading here.
Personal Note:  If you have Windows® administration, networking, or security questions, Mitch Tulloch is a Microsoft MVP you can look to for the answers.

Okay, my hope is that you read the link before continuing.  If not, make sure you go open that link and start reading!

So, Microsoft® states that the PDC/BDC relationship no longer exists as we knew it in the NT days.  This is true, technically speaking.  Understanding how things really work for the PDC emulator FSMO, however, might help you realize that the old “laws” still exist and that there really is a PDC/BDC role model, “after a fashion”.  Let’s take a look at what the PDC emulator does; start by going here:
(For those of you who didn’t follow the link I will outline below from Daniel Petri from this link: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm)

In a Windows® 2000/2003 domain, the PDC emulator role has the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.*

*This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

We also need to remember that the PDC emulator is responsible for the following (as outlined by Mitch Tulloch in the first link in this post):

  • Root time source for the domain.
  • If this role holder fails, this is the FSMO whose loss causes the most visible problems on your network.
  • For every N domains in the forest you will have N DCs holding the PDC emulator role (one per domain).
  • This role is arguably the most heavily utilized role and should not also house the Global Catalog (GC); keeping the GC elsewhere helps load balancing in larger environments.
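The two lists above give an administrator three things worth checking per domain: who holds the PDC emulator role, whether it is reachable, and whether it is doubling as a GC. The script below is an added example, not part of the original post or of either linked article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can query every domain in the forest, and it uses w32tm to read the time source of the forest-root PDC emulator.

```powershell
# Added example (not from the original post): audit the PDC emulator in every domain of the forest.
# Assumes the ActiveDirectory module (RSAT) and read rights to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $pdc    = Get-ADDomainController -Identity $domain.PDCEmulator -Server $domainName

    # Reachability: if the PDC emulator is down, expect password, lockout and GPO editing oddities.
    $online = Test-Connection -ComputerName $pdc.HostName -Count 1 -Quiet

    # Time: the forest-root PDC emulator is the root of the domain time hierarchy,
    # so report what it is actually syncing from (only meaningful for the root domain).
    $timeSource = $null
    if ($domainName -eq $forest.RootDomain) {
        $timeSource = (w32tm /query /computer:$($pdc.HostName) /source) -join ' '
    }

    [pscustomobject]@{
        Domain          = $domainName
        PDCEmulator     = $pdc.HostName
        Online          = $online
        IsGlobalCatalog = $pdc.IsGlobalCatalog   # post recommends keeping the GC off the PDCe in large environments
        TimeSource      = $timeSource
    }
}
```

One row per domain confirms the "N domains, N PDC emulators" point; an IsGlobalCatalog of True on a busy domain is the placement the post advises against.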

Also of note:  http://en.wikipedia.org/wiki/Primary_Domain_Controller

So the next time you hear someone ask if there is such a thing as a PDC, tell them “technically” no in a Native Mode environment.  But as I tell folks, practically speaking, yes.  If you get kickback or “guff” about it, remember there is plenty of firepower out there to back you up.

If they don’t believe you, ask them to shut down the server with the PDC Emulator role. 🙂

(Thank you to Mitch Tulloch’s and Daniel Petri’s sites and to Google!  This post and my thoughts probably wouldn’t have been coherent without them!) :p
