03 March, 2011

Roles of a PDC Emulator

1. Backward compatibility for Windows NT BDC – Windows NT BDC only replicates with a PDC. In a domain where we have a Windows NT DC and a Windows 2000 DC, then the Windows 2000 DC will act a PDC for the Windows NT DC to replicate all the changes from the PDC to the BDC

2. Backward compatibility for Windows NT Applications - If there is any application that is designed for Windows NT and it need to find a PDC then this will allow a Windows 2000/2003/2008 domain controller to act as a PDC

3. Password Caching – Any Users password change is replicated to the PDC as a Semi-Urgent Replication. Suppose we have a DC (Non-PDC) on which we have changed the password of a user. Now this information will be replicated to the PDC. In case there is any schedule defined for the replication then that schedule will be ignored and the dc will replicate the password change to the PDC immediately

4.  Account Lockout Policy – Any change in the Account Lockout Policy is also replicated to the PDC as Semi-Urgent Replication

5.  Bad Password Verification – In a scenario where we have three domain controllers (DC1, DC2 and the PDC). User logs on to a client machine and get authenticated from DC1 and then changes his password. This information will be replicated to the PDC as a part of Semi-Urgent Replication. Now the same user logs on to another client machine which get authenticated from DC2. DC2 till now has not received the updated password from the PDC because there is a replication schedule defined between DC2 and the PDC. Now since user is entering his updated correct password which has not been updated on DC2, DC2 before declining the user request will check with the PDC to see if the PDC has an updated password.

6. Group Policy Objects – Whenever you open/edit a group policy, by default it connects to the PDC and open the group policy from there. This is done to reduce the conflict that may occur while making changes in the group policy from different domain controller at the same time. This behavior can be changed from the GPMC Snap-In

7. Time Synchronization – PDC act as an authoritative time server and all the domain controllers in the domain synchronized their time with the PDC. This is done to make sure that the time skew
(time difference) between all the dc`s and the client machines should not be more than 5 minutes else Kerberos authentication will fail.

8. Domain Master Browser – The role of PDC is also to act as a domain master browser. Every subnet has a master browser which contains the list of all the servers in that subnet. Domain Master Browser contains the list of all the master browsers

9. AdminADHolder – The AdminSDHolder thread run on the PDC every 60 Minutes

There are few groups in AD which are of high privilege and are termed as “Protected Groups”. The lists of protected groups are as follow
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers
  • Administrator (User Account)
  • Krbtgt (User Account)
There are certain default permissions assigned to these protected groups. These permissions associated with these protected groups are controlled by a thread known as “AdminSDHolder”. AdminSDHolder thread runs after every 60 minutes (1 hour) and makes sure that the permissions associated with these protected groups is intact. In case the permissions are altered then the AdminSDHolder thread sets the permissions of that protected group to default.
10. LSA Secret – PDC keeps a track of the TDO Password. This is used to set a secure channel between two domains.