FSMO Role: PDC Emulator

The Primary Domain Controller (PDC) Emulator FSMO role is one of the three domain-wide operations master roles, which means that only one domain controller should own this role in each domain. The PDC Emulator's original purpose was to ensure compatibility with earlier versions of Windows. In a mixed environment with Windows NT 4.0/95/98 clients and NT4 domain controllers, the PDC Emulator performs the following functions (for those legacy systems only):

  1. Processes password changes for users and computers.
  2. Replicates updates to the BDCs (Backup Domain Controllers).
  3. Performs the Domain Master Browser's tasks.

Primary Domain Controller (PDC) Emulator role

Starting with the Windows 2000 domain functional level, the domain controller holding the PDC Emulator role performs the following functions:

  1. Processes password changes and monitors account lockouts caused by bad passwords. A password change made on any domain controller is replicated to the PDC Emulator first. If authentication fails on any other domain controller, the request is retried against the PDC Emulator. When an account authenticates successfully right after a failed attempt, the PDC Emulator is notified and the count of failed attempts is reset. Note that even if the PDC Emulator is unavailable, password changes still propagate across the domain, only more slowly.
  2. By default, the Group Policy Editor connects to the PDC Emulator, and any modifications to a GPO are made there. If the PDC Emulator is not available, you need to specify the domain controller to connect to.
  3. The PDC Emulator is the time server for the domain's clients by default. The default time server for the PDC Emulators in child domains is the PDC Emulator of the forest's root domain. The post "Windows Time Sync Using Group Policy" has more information on configuring network time in a domain.
  4. On the domain controller with the PDC Emulator role, changes to the Distributed File System (DFS) namespace are made. It requests updated metadata from DFS root servers on a regular basis. If the PDC Emulator is unavailable, the DFS may not function properly.
  5. Raising the domain or forest functional level is performed on the PDC Emulator.
  6. The NetLogon service creates the special DNS SRV record _ldap._tcp.pdc._msdcs.DnsDomainName during the installation of the first domain controller. Clients can use this record to find the PDC Emulator. This record can only be modified by the role's owner.
  7. Well-known security principals exist in Active Directory. Everyone, Authenticated Users, System, Self, and Creator Owner are some examples. A domain controller with the PDC Emulator role oversees them all.
  8. The SDProp (Security Descriptor Propagator) process runs on the PDC Emulator. This process "cleans up" Active Directory object access control lists (ACLs).

Microsoft's best practices for placing the PDC Emulator role:

  1. One domain controller should serve as both the PDC emulator and the RID master.
  2. Make sure that the PDC emulator is set to synchronise with the correct external time source.
  3. Make sure that guest virtual machine OSs do not synchronise time with the virtualization host if you’re utilising virtualized domain controllers.
  4. Do not make any changes to the SDProp mechanism.

What is the procedure for transferring the PDC Emulator role?

The PDC Emulator role does not have its own snap-in. Using the Active Directory Users and Computers (ADUC) snap-in, you can see which DC currently owns the role and transfer it to another DC.

  1. Open ADUC.
  2. Right-click the tree root and select Change Domain Controller.
  3. Choose the DC to which the FSMO role should be transferred.
  4. In the ADUC console, right-click the domain's root and select Operations Master. Switch to the PDC tab.
  5. Click the Change button to move the PDC Emulator role to another domain controller.
  6. After that, you must confirm the action and wait for the message that the role has been successfully transferred.
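
The same transfer can be done from PowerShell with the ActiveDirectory module. The script below is an added example, not part of the original post; `$TargetDc` is a placeholder parameter, and after the transfer it checks the SRV record, RID master placement and time source described earlier.

```powershell
# Added example: transfer the PDC Emulator role and verify the result.
# $TargetDc is a placeholder: pass the FQDN of the DC that should receive the role.
param([Parameter(Mandatory)][string]$TargetDc)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$target = Get-ADDomainController -Identity $TargetDc -ErrorAction Stop
Write-Host "Current PDC Emulator: $($domain.PDCEmulator)"

if ($domain.PDCEmulator -ne $target.HostName) {
    # Graceful transfer; asks for confirmation, like the ADUC dialog.
    # -Force (role seizure) is deliberately not used here.
    Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
        -OperationMasterRole PDCEmulator -ErrorAction Stop
}

# Re-read role ownership from the target DC itself.
$after = Get-ADDomain -Server $target.HostName
if ($after.PDCEmulator -ne $target.HostName) {
    throw "Transfer not effective: role is held by $($after.PDCEmulator)"
}

# Best practice 1: PDC Emulator and RID master on the same DC.
if ($after.RIDMaster -ne $after.PDCEmulator) {
    Write-Warning "RID master is on a different DC: $($after.RIDMaster)"
}

# The pdc SRV record should name the new owner once NetLogon has re-registered it.
$srvName = "_ldap._tcp.pdc._msdcs.$($after.DNSRoot)"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if ($srv.NameTarget -notcontains $target.HostName) {
    Write-Warning "$srvName does not point at $($target.HostName) yet: $($srv.NameTarget -join ', ')"
}

# Best practices 2 and 3: the new owner needs an external time source,
# not its local clock or the virtualization host.
$source = (w32tm /query /source "/computer:$($target.HostName)" | Out-String).Trim()
$badSources = 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider'
if ($source -match $badSources) {
    Write-Warning "PDC Emulator time source is not external: $source"
} else {
    Write-Host "PDC Emulator time source: $source"
}
```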
