Solved

PDC related question (Please try to explain it to me rather than sending me a link)

Posted on 2012-03-20
Last Modified: 2012-04-05
Hi
I am learning Windows 2008,
and I have 2 servers (DC1 and DC2) and a couple of computers,
and I was watching a learning DVD

which says that:

if the Primary domain controller (PDC) emulator master is down then it can be difficult to add a computer or new user into DC2

ref: http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx

So, to test it,
I shut down DC1;
only DC2 is working

and I can see an error on DC2 when I go to check "Operation Master",
and it's showing an error on DC1 (please see the picture)

and also I have realized that DC2 is very slow when I try to traverse Active Directory.


My question is:

When DC1 is down and DC2 is up:

I can still authenticate users via DC2; if I reboot a PC, I can authenticate the user via DC2.
So what's the problem?

So why is the Primary domain controller (PDC) emulator master so important??


(2) When DC1 goes down, why is DC2 so slow (especially when I try to traverse AD)?


thanks
pdc.gif
0
Question by:fosiul01
10 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 167 total points
ID: 37743463
You get that error because your PDC is offline.

Is the second box also a GC and DNS server?

Yes, users can authenticate without a PDC.  I know you didn't want links, but there is not one AD person I know that doesn't regularly read the Microsoft askds blog, and when they post something good it's worth adding here in case you haven't seen it.

http://blogs.technet.com/b/askds/archive/2011/02/25/friday-mail-sack-xxxxxxxxxxxx.aspx#pdceauth

Question

Is the PDC Emulator required for user authentication? How long can a domain operate without a server that is running the PDC Emulator role?


Thanks

Mike
0
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 37743480
Hey Mike,

In an unrelated question - what RSS feeds do you subscribe to (if any)? You always seem to have a great article to go with any question.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 37743511
@mike,
sorry, I did not mean it that way!!
I have seen many people just send some links from the first page of Google, but I wanted to know more about it ...

From that link, this comment:

With the PDCE offline, users who have recently changed their passwords are more likely to get logon or access errors. They will also be more likely to stay locked out if using Account Lockout policies.


While DC1 is offline, I have changed users' passwords, but they don't get any authentication error .. so far

Does it mean:
they will get one, or they might get one, or they might not??

Also:

Why is DC2 so slow when I am traversing Active Directory?
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 167 total points
ID: 37743624
Assuming you have no pre-Windows 2000 machines, the role of the PDC is mainly to sync time across the domain; if the time sync is out by more than 5 mins then AD will refuse to authenticate.

Usually the main cause of authentication failure if a machine is down is lack of DHCP, DNS or global catalog since these are essential to authenticate both users and computers.

With the PDC down then, if another global catalog is present and there is another correctly configured DNS server then users and computers can still authenticate if they have valid IP settings.
0
 
LVL 29

Author Comment

by:fosiul01
ID: 37743653
OK, suppose I have 3 DCs,

DC1, DC2 and DC3

I made DC2 the PDC (whose job role is to keep all passwords up to date between the 3 domain controllers)

Now suppose DC2 (the PDC) died

Now I create a user on DC1 or change the password of a user on DC1; will it be replicated to DC3??

When there is not any PDC???

or

Do I have to change either DC1 or DC2 to be the PDC, and then password replication will work??
0

 
LVL 70

Expert Comment

by:KCTS
ID: 37743673
Assuming all other services are running then Yes
0
 
LVL 29

Author Comment

by:fosiul01
ID: 37743682
Sorry, which one is true??

Will it be replicated to DC3?? Or not??
0
 
LVL 70

Expert Comment

by:KCTS
ID: 37743690
... something called KCC (Knowledge Consistency Checker) works out how to best replicate AD. Replication does not need to go from DC1 to DC2 and then to DC3; KCC will determine the best method.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37744284
If your PDC is going to be down for more than a day or two I'd transfer it first.  In case of a sudden failure you would have to seize roles.

@jmoody10...Google Reader, I star a lot of blog entries.
0
 
LVL 3

Assisted Solution

by:GlobalStrata
GlobalStrata earned 166 total points
ID: 37755513
The PDC Emulator is used for more than syncing time.  You need it when you change passwords if you want the password to be replicated right away.  That is where the emergency replication request is sent first, and then it is replicated to all other servers.  The PDC is used to sync trusts.  Also, when you make Group Policy changes, that is where the settings get saved first.  When authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator.  For this reason, account lockout is processed on the PDC emulator.  The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

Because of the importance of many of these tasks and the amount of resources that it may use, sometimes it may be preferable for this role to be hosted on a physical domain controller.

Reducing the workload on the PDC emulator master
<http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx>

Regarding your question of whether it will replicate, the answer is yes, but it will replicate in the normal replication cycle.  So if you have sites where replication occurs every 180 mins, expect the password change not to replicate right away unless the PDC Emulator is up and running when the password request is processed.  For more information see the "Replication of Password Changes" section of this article: http://technet.microsoft.com/en-us/library/cc961787.aspx
0
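
The checks discussed in this thread, as an added example that is not part of any post above: the script reports which DC holds the PDC emulator role and whether it answers on LDAP, then reads one account's `pwdLastSet` from every DC so you can watch a password change arrive with or without the PDC emulator online. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or RSAT); the function names and the account name `testuser` are hypothetical.

```powershell
# Added example; function names and 'testuser' are illustrative assumptions.
Import-Module ActiveDirectory

function Get-PdcEmulatorStatus {
    # The role holder is recorded in the directory, so any surviving DC can answer this.
    $pdc = (Get-ADDomain).PDCEmulator
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Probe LDAP (TCP 389) with a 3 second timeout instead of relying on ping.
        $async = $client.BeginConnect($pdc, 389, $null, $null)
        $up = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch {
        $up = $false
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ PdcEmulator = $pdc; LdapReachable = $up }
}

function Compare-PasswordReplication {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Ask each DC directly; differing timestamps mean the change has not replicated yet.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet -ErrorAction Stop
            # pwdLastSet is a FILETIME; 0 (year 1601) means "must change at next logon".
            $stamp = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
        } catch {
            $stamp = $null   # DC offline, or the account has not reached this DC yet
        }
        New-Object PSObject -Property @{
            DomainController = $dc.HostName
            PwdLastSetUtc    = $stamp
        }
    }
}

Get-PdcEmulatorStatus
Compare-PasswordReplication -SamAccountName 'testuser'

# Planned outage: transfer the role to a surviving DC (here the asker's DC2).
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator
# Old holder permanently gone: add -Force to seize the role instead of transferring it.
```

Run `Compare-PasswordReplication` right after a password reset and again after the next replication interval to see the delay the last answer describes.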
