The PDC Emulator is one of the five Flexible Single Master Operations (FSMO) roles found in an Active Directory (AD) forest.
There is only one Domain Controller (DC) in each domain that holds this role. By default, this is the first server that was
promoted to a DC in the domain. The main purpose of the PDC Emulator is to operate as a Primary Domain Controller (PDC) for
pre-Windows 2000 clients such as Windows 95, Windows 98, and Windows NT 4.0. At any given time, only one DC in the domain can
hold this role. Most commonly, you may still find some lingering Windows NT 4.0 clients on Active Directory domains. They need
the PDC Emulator to authenticate and process password changes.
Another important role that the PDC Emulator handles is maintaining password updates for the domain. All password changes
made on other DCs are sent to the PDC Emulator for urgent replication. This type of replication does not adhere to inter-site
replication schedules. In addition, when authentication fails for a user being authenticated by another DC, authentication is
retried on the PDC Emulator. If the password was recently changed, but replication has not been fully propagated, the user will
be able to authenticate using the PDC Emulator regardless of the site that the user’s computer is a member of.
Another critical role performed by the PDC Emulator is time synchronization for the domain. The PDC Emulator in the root
domain is generally configured to sync its local clock with an authoritative NTP server. This NTP server may be located on the
internet, such as time.windows.com, or it can be a device on your internal network, such as a GPS atomic clock. The PDC Emulators
in the child domains will synchronize their time with the root PDC Emulator. Domain Controllers in the domain sync with the PDC
Emulator in their respective domains. Clients will then sync their clocks with the DCs in their domain. Time Synchronization is
critical for the Kerberos protocol to authenticate successfully.
If the PDC Emulator were to fail, you may want to restore this role as soon as possible, especially if you have down-level
clients. Your domain won’t stop working at the time of failure, but over a long period of time, you will impact your environment.
If you plan on returning the failed server back to service within a few hours, then you may just want to operate without the PDC
emulator during that time. If the outage will be extended, you should seize the role to another DC in the domain. Of course, if
you plan on bringing down the PDC emulator for extended maintenance, you should gracefully transfer the role. There are two
methods for transferring the PDC Emulator role. You can use the Active Directory Users and Computers snap-in (only if both DCs,
source and target, are operational), or ntdsutil.
Transferring the PDC Emulator role is quite easy. Using the Active Directory Users and Computers snap-in, connect to the
target DC. Then, right click the domain object and click on Operations Master... Click on the PDC Emulator tab. In the top box,
the current DC holding the role should be displayed. In the lower box, you should see the name of the DC that you wish to transfer
the role to.
Or, using the ntdsutil.exe command, type "roles" and hit [enter]. Then type "connections" and hit [enter]. Next type
"connect to server servername" and hit [enter]. Type quit and hit [enter]. The system will bind and continue. Then type
"transfer pdc" and hit [enter]. A confirmation dialog box will be displayed. Click on "Yes". The system will provide some
feedback in regards to this action.
The process of transferring the PDC Emulator role is complete.
Did you find the page informational and useful? Share it using one of your favorite social sites.
Recommended Books & Training Resources
