A Primary Domain Controller (PDC) is a server computer in a pre-Windows 2000 NT server Domain. A domain is a concept used in NT server operating systems whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
access and modify. The BDC computers have a copy of this database, but these copies are read-only.
The PDC will replicate its account database to the BDCs on a regular basis. The BDCs exist in order to
provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a
PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the
first domain controller that was created unless it was replaced by a promoted BDC.
The PDC emulator master receives preferential replication of password changes within the domain. Password changes take time to replicate across all the domain controllers in an Active Directory domain, so the PDC emulator master is notified of each change immediately, and if a logon attempt fails at another domain controller because of a bad password, that domain controller forwards the logon request to the PDC emulator master before rejecting it.
In Windows NT 4 server domains, the Backup Domain Controller (BDC) is a computer that has a
copy of the user accounts database. Unlike the accounts database on the Primary Domain Controller
(PDC), the BDC database is a read only copy. When changes are made to the master accounts database
on the PDC, the PDC pushes the updates down to the BDCs.
Most domains will have at least one BDC, and often there are several BDCs in a domain. These BDCs
exist to provide fault tolerance: if the PDC fails, an administrator promotes a BDC to be the new PDC.
BDCs can also authenticate user logon requests, and so take some of the authentication load from the
PDC.
Flexible Single Master Operation (FSMO) roles are specialized domain controller (DC) tasks, used where the
standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each
with a copy of the AD database, kept synchronized by multi-master replication. The tasks which are not suited to multi-master
The Infrastructure Master keeps the security identifiers (SIDs), GUIDs and distinguished names (DNs) of
objects referenced across domains up to date; most commonly it updates user and group links. This is
another domain-specific role, and its purpose is to ensure that cross-domain object references are
correctly handled. For example, if you add a user from one domain to a security group in a different
domain, the Infrastructure Master makes sure that the group's reference to the user stays correct when
that user is renamed or moved. If your Active Directory deployment has only a single domain, the
Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely busy
except when complex user administration tasks are performed. Because of this, the hardware
requirements for the machine holding this role are small.
The PDC Emulator operations master receives every password change in the domain: a change made at
any other domain controller is replicated to it immediately rather than on the normal replication
schedule. Failed authentication attempts due to a bad password at other domain controllers are
forwarded to the PDC Emulator before being rejected. This ensures that a user can log on immediately
after a password change from any domain controller, without having to wait several minutes for the
change to be replicated. The
PDC Emulator Operations Master role must be carefully sited in a location to best handle all password
Password changes performed by other DCs in the domain are replicated preferentially to
the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is reported
to the user.
For backward compatibility, the PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
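Because every DC forwards bad-password failures to the PDC emulator and account lockout is processed there, the PDC emulator's Security log is the one place that sees bad-password activity for the whole domain. The following PowerShell script is an added example, not code from the original page: it locates the current PDC emulator, pulls lockout events (4740) and failed NTLM credential validations (4776 with status 0xC000006A, STATUS_WRONG_PASSWORD) from it, and summarises them by source. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the PDC emulator's Security log remotely; the 24-hour look-back window and the output field names are choices made here.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and remote read access to the Security log on the PDC emulator.
Import-Module ActiveDirectory

# Locate the current PDC emulator role holder for the caller's domain.
$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator
Write-Host "PDC emulator for $($domain.DNSRoot): $pdce"

$since = (Get-Date).AddHours(-24)   # look-back window (choice made here)

# 4740 "A user account was locked out" is raised on the PDC emulator, whichever
# DC saw the last bad password. Properties[0] = locked account,
# Properties[1] = caller computer name (the machine that supplied the password).
$lockouts = Get-WinEvent -ComputerName $pdce -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $_.Properties[0].Value
        Caller  = $_.Properties[1].Value
    }
}

# 4776 "The computer attempted to validate the credentials for an account" is
# logged on the DC that did the NTLM validation; bad-password failures from
# other DCs land here because they are forwarded to the PDC emulator before
# being rejected. Properties[1] = account, [2] = source workstation, [3] = NTSTATUS.
$badPasswords = Get-WinEvent -ComputerName $pdce -FilterHashtable @{
    LogName = 'Security'; Id = 4776; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[3].Value -eq '0xc000006a' } |   # STATUS_WRONG_PASSWORD
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $_.Properties[1].Value
            Workstation = $_.Properties[2].Value
        }
    }

Write-Host "`nLockouts since $since"
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Many distinct accounts failing from one workstation is the password-spraying
# signature; many failures for one account from one host is usually a stale
# credential (service account, scheduled task, mapped drive).
Write-Host "Bad-password failures grouped by source workstation"
$badPasswords | Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'DistinctAccounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

The forwarding covers password validation, not every logon path: Kerberos pre-authentication failures (event 4771) are logged on the DC that received the AS-REQ, so a Kerberos-based spray still has to be collected from every DC's log even though the resulting lockout (4740) appears on the PDC emulator.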
The Domain Naming Master tracks the names of all domains in the forest and is required to add new
domains to the forest or delete existing domains from the forest. It is also responsible for group
By default AD assigns all operations master roles to the first DC created in a forest. If new domains are
created in the forest, the first DC in a new domain holds all of the domain-wide FSMO roles. This is not
a satisfactory position. Microsoft recommends the careful division of FSMO roles, with standby DCs
ready to take over each role. When a FSMO role is transferred to a different DC, the original holder and
the new holder communicate to ensure no data is lost during the transfer. If the original holder has
suffered an unrecoverable failure, you can force another DC to seize the lost roles; because the old
holder cannot be consulted, there is a risk of data loss. A DC from which the Schema Master, Domain
Naming Master or RID Master role was seized must never be returned to the network still holding that
role (it should be reinstalled, or demoted while disconnected), because two DCs each believing they own
the role can, for example, hand out overlapping RID pools or conflicting schema changes and corrupt
Active Directory. The PDC Emulator and Infrastructure Master roles are the exceptions: they can be
seized and the original holder later brought back and given the role again. FSMO roles can be moved
between DCs using the AD snap-ins to the MMC or using ntdsutil, which is a command-line tool.
Certain FSMO roles depend on whether the DC is also a Global Catalog (GC) server. In a multi-domain
forest the Infrastructure Master must not be housed on a domain controller that also holds a copy of the
global catalog (unless all domain controllers in the domain are global catalog servers): the Infrastructure
Master finds stale cross-domain references by comparing its own data against a GC, and if it is itself a
GC it never sees a difference and never updates anything. The Domain Naming Master, by contrast, should
be housed on a DC that is also a GC (a strict requirement in Windows 2000 forests).
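The role inventory, the Infrastructure Master / Global Catalog rule and the transfer-versus-seizure procedure from the two paragraphs above, as a PowerShell session. This is an added example, not code from the original page or from Microsoft: it reads the five role holders, warns when the placement rules are broken, and performs a transfer (and, commented out, a seizure) with Move-ADDirectoryServerOperationMasterRole. It assumes the RSAT ActiveDirectory module and the appropriate admin rights; DC02 is a placeholder for the standby DC, and the transfer is run with -WhatIf so the script is safe to execute as written.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module; Domain Admins for domain-wide roles, Enterprise Admins for the
# Domain Naming Master and Schema Admins for the Schema Master.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are properties of the forest object, domain-wide roles
# of the domain object.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Format-Table Name, Value -AutoSize

# Placement rules from the text: in a multi-domain forest the Infrastructure
# Master must not be a GC unless every DC in the domain is one; the Domain
# Naming Master should be a GC.
$dcs         = Get-ADDomainController -Filter *
$allAreGC    = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imIsGC      = (Get-ADDomainController -Identity $roles.InfrastructureMaster).IsGlobalCatalog
$dnmIsGC     = (Get-ADDomainController -Identity $roles.DomainNamingMaster).IsGlobalCatalog
$multiDomain = $forest.Domains.Count -gt 1

if ($multiDomain -and $imIsGC -and -not $allAreGC) {
    Write-Warning "Infrastructure Master $($roles.InfrastructureMaster) is a GC; cross-domain references will never be updated."
}
if (-not $dnmIsGC) {
    Write-Warning "Domain Naming Master $($roles.DomainNamingMaster) is not a GC."
}

# Graceful transfer: both the current holder and the target are online and
# hand the role over, so nothing is lost. DC02 is a placeholder; drop -WhatIf
# to actually move the roles.
$target = 'DC02'
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false -WhatIf

# Seizure: only when the current holder is permanently gone. -Force skips the
# hand-over, so the old holder must never be returned to the network still
# believing it owns SchemaMaster, DomainNamingMaster or RIDMaster.
# Move-ADDirectoryServerOperationMasterRole -Identity $target `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster -Force -Confirm:$false

# Verify from the directory itself rather than trusting the cmdlet's return;
# a transfer is only complete once every DC has replicated the new owner.
(Get-ADDomain).PDCEmulator
(Get-ADDomain).RIDMaster
```

The same inventory is available from the command line with `netdom query fsmo`, and the same transfers and seizures from the `ntdsutil` roles menu mentioned in the text; the cmdlet route is simply easier to script and to review.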
When a Forest is initially created, the first Domain Controller is a Global Catalog server by default. The
Global Catalog provides several functions. The GC stores object data information, manages queries of
these data objects and their attributes as well as provides data to allow network logon.
The PDC Emulator and the RID Master should be on the same DC, if possible. The Schema Master and
Domain Naming Master should also be on the same DC. To provide fault tolerance, there should be at
least two domain controllers available within each domain of the forest. Furthermore, the Infrastructure
Master role holder should not also be a Global Catalog Server, as the combination of these two roles on
the same host will cause unexpected (and potentially damaging) behaviour in a multi-domain