dumb question pdc emulator

sentraser20 Member Posts: 10 ■□□□□□□□□□
I'm sure this is a dumb question, but you can only have one PDC emulator per domain. Right?

Comments

  • meadIT Member Posts: 581 ■■■■□□□□□□
    Correct
    The Active Directory Installation Wizard (Dcpromo.exe) defines five FSMO roles: schema master, domain master, RID master, PDC emulator, and infrastructure. The schema master and domain naming master are per-forest roles. The remaining three, RID master, PDC emulator, and infrastructure master, are per-domain roles.

    from http://support.microsoft.com/kb/223346
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
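    As an added illustration of the per-forest versus per-domain split quoted above (this is example code, not part of the thread or the KB article), the following PowerShell snippet lists the role holders for every domain in the forest. It assumes the ActiveDirectory module from RSAT is installed and that the caller can query the forest; it prints exactly one PDC emulator, RID master and infrastructure master per domain and one schema master and domain naming master for the whole forest.

```powershell
# Added example: enumerate FSMO role holders for the forest and each domain.
# Assumes the ActiveDirectory PowerShell module (RSAT) is available.
Import-Module ActiveDirectory

$forest = Get-ADForest

# The two forest-wide roles exist exactly once in the whole forest.
[PSCustomObject]@{
    Scope              = "Forest: $($forest.Name)"
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# The three domain-wide roles exist exactly once in each domain, so a forest
# with N domains has N PDC emulators but never more than one per domain.
$rows = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    [PSCustomObject]@{
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
$rows | Format-Table -AutoSize

# Sanity check: a domain can never report more or fewer than one PDC emulator.
foreach ($row in $rows) {
    if ([string]::IsNullOrEmpty($row.PDCEmulator)) {
        Write-Warning "Domain $($row.Domain) reports no PDC emulator; the role may be seized or orphaned."
    }
}
```

    Running this from a member workstation (rather than a DC) is usually enough, because the role owners are plain attributes on the forest and domain objects and need no elevated rights to read.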
  • UncleCid Member Posts: 66 ■■□□□□□□□□
    I believe that the PDC emulator is the server that is the source for time replication on that domain. It is also fundamental in the migration of any Windows NT servers into your network too, I believe as well. If no one holds me to it, it also must be a Domain Controller, too.

    I forgot how you set the time for it, though. ><
  • royal Member Posts: 3,352 ■■■■□□□□□□
    Using win32tm.

    PDC Emulator does other things. It's the default DC that is used to modify GPO settings so Sysvol replication conflicts don't occur when 2 admins are modifying the same GPO. If the PDC is down, you'll notice the GPO is greyed out preventing you from modifying. You can use GPMC to modify the DC that GPMC uses though.

    It also gets notified immediately when bad passwords are provided. For example, if a password change occurs, the PDC emulator gets notified immediately. So if I enter my password and it's correct but the DC doesn't know yet, it'll first check with the PDC to see if it is actually correct before sending a bad password notification to the user.

    It also handles account lockouts.

    It is also the PDC for pre-win2k accounts. So if you still have a lot of Win9x users, try to place the PDC in a location that contains the most 9x users you have.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Claymoore Member Posts: 1,637
    Yes, only one PDC emulator per domain and it is responsible for the following tasks:

    1. If you have any NT BDCs, this is the PDC they will talk to
    2. When you create or update a GPO, it is updated here and then replicated out to the other DCs.
    3. It is the master Time Server for the other DCs in the domain. Clients will sync time with the DC that authenticated them, and you can look at W32Time events in the client system event logs to see which DC authenticated the client. Although the PDC emulator doesn't have to be sync'd to an external time source - the PCs in the domain all have to have the same time, but it doesn't have to be the correct time - I believe that it is set to time.windows.com by default. This can be changed by editing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and change the NtpServer value to a different time server or add others for redundancy.
    4. It synchronizes password changes across the domain. If an authentication between a client and server fails because the password hashes don't match, it's possible that the user has changed his password. The server or DC recognizes this possibility and will contact the PDC emulator to see if the password has changed. If it has, the server will update itself with the new hash and authenticate the user. If it hasn't, the server will deny access. I have never run into this situation, but I see where it would be possible if you have multiple sites and slow AD replication.
  • UncleCid Member Posts: 66 ■■□□□□□□□□
    hehe, I never thought about using regedit to change it.

    I looked a little online and in my microsoft book.

    In Ch.4 of the 70-294 book (FSMO roles), pg. 93, it says

    "The following command shows the syntax that is used to point to an external time source:

    net time \\ServerName /setsntp: TimeSource"

    But after surfing around I found that you should be stopping the Win32tm service before doing so... or I'm guessing stop and then restart afterwards.
    Later I found that since "net time" is a predecessor to "Win32tm," Microsoft recommended using the "Win32tm" commands. ( /sadcakes for microsoft selling us outdated material)

    hehe, here is what I found.

    http://technet.microsoft.com/en-us/library/cc759631.aspx
    This explains how net time is outdated.

    http://technet.microsoft.com/en-us/library/cc773061.aspx
    This will link you to setting up the time service on a PDC server and a client, and to set a client (that is manually configured) to "automatically synchronize time with the domain hierarchy".

    http://support.microsoft.com/kb/816042
    Also, this is an in-depth explanation of how to use the registry to change the "Win32tm" service. I do not know if it's for a server or a client. I saw all the registry keys and went "bleeh." The sub headings said it was, so I figured it prudent.


    I feel like I have contributed, somewhat, to this thread. Hooray! \m/
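    To tie Claymoore's registry description (NtpServer under W32Time\Parameters) and the w32tm links above together, here is an added PowerShell example that is not from the thread or from Microsoft's documentation. The command is w32tm.exe (spelled "Win32tm" in the posts above). The script assumes a single-domain forest, Windows Server 2008 or later for the w32tm /query switches, the ActiveDirectory module to look up the PDC emulator, and that it is run elevated on the machine being configured; the NTP peer names are placeholders to replace with your own. It configures the PDC emulator to sync from an external source and every other machine to follow the domain hierarchy, then verifies the result from both the registry and the live service.

```powershell
# Added example: configure the Windows Time hierarchy for a single-domain forest.
# Assumes the ActiveDirectory module and elevated rights on this machine.
Import-Module ActiveDirectory

# Placeholder peers; 0x8 marks each as a client-mode association.
$ExternalNtpPeers = 'time.windows.com,0x8 0.pool.ntp.org,0x8'

$pdc   = (Get-ADDomain).PDCEmulator                                        # FQDN of the PDC emulator
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName        # FQDN of this host

if ($local -ieq $pdc) {
    # Only the PDC emulator syncs from an external source. This is the w32tm
    # equivalent of setting Type=NTP and NtpServer under
    # HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters by hand.
    w32tm.exe /config /manualpeerlist:"$ExternalNtpPeers" /syncfromflags:manual /reliable:yes /update
}
else {
    # Every other DC and member follows the domain hierarchy, i.e. the DC that
    # authenticated it (Type=NT5DS in the registry).
    w32tm.exe /config /syncfromflags:domhier /update
}

# Restart the service so the new configuration is applied, then force a resync.
Restart-Service -Name w32time
w32tm.exe /resync /nowait

# Verification: the registry values the KB article describes ...
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' |
    Select-Object Type, NtpServer

# ... and what the running service actually uses as its source.
w32tm.exe /query /source
w32tm.exe /query /status
```

    The check against the PDC emulator's FQDN is what keeps the script safe to run on any DC: a non-PDC DC that is accidentally given a manual external peer list will stop following the hierarchy, and skewed clocks between DCs are what break Kerberos authentication (the default tolerance is five minutes), so the verification step at the end is worth keeping in any change procedure.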
  • sentraser20 Member Posts: 10 ■□□□□□□□□□
    Thanks for all the great info. Retaking this one Wednesday.