Active Directory : PDC Emulator FSMO role

In an Active Directory Domain, there is a special Domain Controller which holds the FSMO Role “PDC Emulator”.

As its name suggests, it exists to ease migration from NT 4 domains to Active Directory domains (Windows 2000 and up) by letting the DC that holds the role behave like an NT4 Primary Domain Controller. This lets you keep running NT4 BDCs (Backup Domain Controllers) and NT4 clients while you migrate the core DCs to Windows 2000 and up.

However, if you think the PDC Emulator is useless when you have no NT4 component in your infrastructure… you’re wrong!

It serves many other purposes:

  • When you use GPMC to modify a GPO (Group Policy Object), GPMC will by default perform the modification on the DC holding the PDC Emulator role. This prevents two administrators from making conflicting modifications to the same GPO.
  • The PDC Emulator is responsible for keeping the time synchronized on all the DCs.
  • When a password is changed on a DC, the change is immediately replicated to the DC holding the PDC Emulator role, and then to the other DCs according to the normal replication schedule. When a user fails to authenticate on a DC, this DC immediately checks with the PDC Emulator to find out whether the failure is due to a password change that has not yet replicated. If that is the case, and the supplied password matches the new one, the authentication succeeds. This reduces the latency for a password change to take effect.

In short, even in a full Windows 2000 and up domain, the PDC Emulator role is one of the most important ones.
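
The following script is an added example, not part of the original post: it locates the PDC Emulator and checks each of the three duties listed above from an admin workstation. It assumes the RSAT ActiveDirectory module and rights to query the DCs remotely; the account name `jdoe` and the helper `Get-TimeSource` are hypothetical.

```powershell
# Added example (not from the original post). Needs the RSAT ActiveDirectory module
# and rights to query the DCs remotely. 'jdoe' is a hypothetical account name.
Import-Module ActiveDirectory

# Hypothetical helper: ask a DC which time source its Windows Time service uses.
function Get-TimeSource([string]$Computer) {
    (w32tm /query "/computer:$Computer" /source) -join ' '
}

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                      # FQDN of the role holder
$others = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }
"PDC Emulator for $($domain.DNSRoot): $pdc"

# GPO editing: GPMC targets the PDC Emulator by default, so LDAP (389) and
# SYSVOL over SMB (445) on that DC must be reachable from this workstation.
foreach ($port in 389, 445) {
    $ok = Test-NetConnection -ComputerName $pdc -Port $port -InformationLevel Quiet
    "  TCP $port reachable: $ok"
}

# Time: print the source the PDC Emulator uses, then the source of every other DC.
"  {0,-40} time source: {1}" -f $pdc, (Get-TimeSource $pdc)
foreach ($dc in $others) {
    "  {0,-40} time source: {1}" -f $dc.HostName, (Get-TimeSource $dc.HostName)
}

# Password changes: compare pwdLastSet on the PDC Emulator with each other DC.
# A DC showing an older value has not yet received the change by normal replication.
$account = 'jdoe'
$onPdc   = (Get-ADUser $account -Server $pdc -Properties pwdLastSet).pwdLastSet
"  {0,-40} pwdLastSet: {1:u}" -f $pdc, ([DateTime]::FromFileTimeUtc($onPdc))
foreach ($dc in $others) {
    $v     = (Get-ADUser $account -Server $dc.HostName -Properties pwdLastSet).pwdLastSet
    $state = if ($v -lt $onPdc) { 'behind PDC Emulator' } else { 'in sync' }
    "  {0,-40} pwdLastSet: {1:u} ({2})" -f $dc.HostName, ([DateTime]::FromFileTimeUtc($v)), $state
}
```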
