On a number of forum threads I participated in recently, there was some confusion over the terms ‘PDC’ and ‘BDC’, and how they apply to a modern Active Directory domain.
In short, they don’t apply any more. The only exception to that rule is if you still operate a Windows NT-based domain.
On a Windows NT domain, one Domain Controller was designated the Primary Domain Controller (PDC). You could optionally promote one or more servers to Backup Domain Controllers (BDCs), which offered resilience by taking over the role of the PDC if it failed.
The process was very similar to today’s Active/Passive clusters in Windows Enterprise Server Failover Clustering. The PDC (Active node) was where all the domain update actions took place. These changes were later replicated to the BDCs (Passive nodes), to maintain an up-to-date Active Directory database. If the Active node/PDC failed, one of the BDCs would become the PDC and directory operations would continue while the problem was resolved.
How has this changed?
As I mentioned previously, this concept no longer exists – and hasn’t since Windows 2000. For the Windows 2000 release, Active Directory went through a major redesign.
The Domain Controllers in a Windows 2000, 2003 and 2008 domain now support multi-master replication. This means read and write operations can take place on any DC – changes don’t need to go through the PDC. Each change is later replicated between the other DCs in the domain.
This change meant that more flexible environments, spread across multiple sites and perhaps across different countries or continents, could easily be created and managed.
What is the PDC Emulator (PDCe)?
So, that said, I hear you ask “So what is the PDC Emulator? Why do I still see references to the ‘PDC’ on my domain?”
Active Directory has 5 FSMO roles (look out for a blog post from me soon about this topic). FSMO stands for Flexible Single Master Operation. Although most standard Active Directory actions can take place on any DC (the multi-master idea), some can only take place on one DC (single-master) to ensure no conflicts occur.
The PDCe role exists largely for backwards compatibility with legacy Operating Systems. Those systems are designed to find the Windows NT PDC on a domain network, so designating a DC as the PDCe means these older Operating Systems continue to work correctly.
The PDCe could also be considered the most important Domain Controller in the domain – although you can survive without this DC if necessary. A number of tasks are assigned to the PDCe which help maintain the domain:
- The PDCe is the most reliable time server in the domain, which all workstations and servers (either directly or indirectly) synchronise their time to. There’s a good post on this on the W32time blog.
- Through PDC chaining, the PDCe has the final say in whether an account is locked out or if a user’s password was correct. Group Policy MVP Florian has a great blog post on this.
- If you are running in Windows 2000 Mixed Mode and still have Windows NT BDCs, the PDCe acts as the PDC for the Windows NT machines, and manages replication with them.
Hopefully you now have a much better understanding of the terms PDC, BDC and PDC Emulator, and how they apply to your environment. Multi-master replication has transformed Active Directory; almost every change can be made on any DC anywhere on your network, rather than going through the PDC.
However, the PDC Emulator is still an important Domain Controller. While it is not as critical as in Windows NT days and your domain can survive without it, I suggest you keep the PDCe online and accessible from the other DCs as much as possible.
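To check the points above on a live domain, the following PowerShell locates the current PDCe role holder, shows its time source, and reports each DC's LDAP reachability and clock skew relative to the PDCe. It is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT), rights to query the DCs with w32tm, and it tests reachability from the host running the script rather than from each DC. The `Get-TimeOffset` helper and the 300-second threshold (the default Kerberos clock-skew tolerance) are choices made for this example.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$maxSkewSeconds = 300   # default Kerberos clock-skew tolerance (5 minutes)

function Get-TimeOffset {
    # Hypothetical helper: offset in seconds between the local clock and
    # $Computer, or $null if w32tm returned no usable sample.
    param([string]$Computer)
    $last = w32tm /stripchart /computer:$Computer /samples:1 /dataonly |
            Select-Object -Last 1
    if ($last -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
}

$domain    = Get-ADDomain
$pdce      = $domain.PDCEmulator      # DNS host name of the PDCe role holder
$pdceDelta = Get-TimeOffset $pdce

Write-Host "PDC Emulator for $($domain.DNSRoot): $pdce"
Write-Host "PDCe time source: $(w32tm /query /source /computer:$pdce)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $ldap  = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
                                -WarningAction SilentlyContinue
    $delta = Get-TimeOffset $dc.HostName
    # Both offsets are measured against the local clock, so their difference
    # is this DC's offset from the PDCe.
    $skew  = if ($null -ne $delta -and $null -ne $pdceDelta) {
                 [math]::Round($delta - $pdceDelta, 3)
             } else { $null }
    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        IsPDCe        = ($dc.HostName -eq $pdce)
        LdapReachable = $ldap.TcpTestSucceeded
        SkewVsPDCeSec = $skew
        Flag          = if (-not $ldap.TcpTestSucceeded) { 'UNREACHABLE' }
                        elseif ($null -eq $skew) { 'NO TIME SAMPLE' }
                        elseif ([math]::Abs($skew) -gt $maxSkewSeconds) { 'SKEW' }
                        else { 'OK' }
    }
}
$report | Sort-Object IsPDCe -Descending | Format-Table -AutoSize
```

A DC flagged `SKEW` is outside the window in which Kerberos authentication against the rest of the domain will succeed, and a PDCe flagged `UNREACHABLE` means password and lockout checks cannot be chained to it from this network location.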