
Windows Server 2012 R2 w/ GUI, Hyper-V host, VM DC

I am installing my first second Domain Controller (DC) (sounds weird but that really is what I'm doing). I have what I think is a good process to follow from this link.

I wondered if one of the DCs would be considered 'the master', or a different term I have seen, 'the Primary Domain Controller'. But if I understand the way the DCs now work, they all communicate and update each other, and they are supposed to take over if one fails, so it doesn't seem like there is such a concept as a Primary Domain Controller anymore. But I keep seeing that terminology used in relatively recent posts.

If someone could clear up why the concept is still being discussed it would help me understand. If there's some relationship like this that I need to establish, I don't see where to do that.

I've also seen various folks experience problems when the DCs are no longer in sync. What are the primary reasons for that, and how does one know that has happened?

Thanks.

Alan
  • When you see "PDC" used in regards to anything other than a Windows NT domain, the person doesn't know what they're talking about...unless they're talking about the AD "PDC Emulator" role which can be filled by an AD domain controller. – EEAA May 14 '15 at 18:05
  • If you see PDC, the information is likely outdated, or refers to a small environment where they mean that they only have one real Active Directory server, and another server that they have for failover. – IceMage May 14 '15 at 18:53

1 Answer

Yes and no, sort of.

Active Directory replication in general is multi-master. You can create or change an object on any writable domain controller, and that change will be replicated to all other domain controllers. In this narrow sense, all DCs are "equal."

But there are a select few operations that may only have a single master at one time. These are called Flexible Single Master Operations roles. These roles can only live on one domain controller at a time, and they cannot float by themselves in case of a failure (they must be migrated manually.) Furthermore, there are certain things in an AD domain that will not work unless certain FSMO role holders are online. (Password changes, adding a child domain, etc.) Therefore, it could be said that all domain controllers are not equal.

There are also domain controllers serving as Global Catalogs. A global catalog domain controller holds a full copy of objects from other domains in that forest, whereas domain controllers that are not GCs contain only objects from their own domain. This is another way in which all DCs may not be equal. The simplest and recommended configuration, though, is to have all DCs be GCs. But it is not mandatory.

There are also Read Only Domain Controllers (RODCs.) As the name implies, these DCs are not writable.

You can also store things on one domain controller (such as DNS zones) that are not replicated to other domain controllers.

So no, they're not 100% equal in every sense of the word.

People say "Primary Domain Controller" for historical reasons. It used to be that way, way back in the NT 4 days. But there isn't really a "PDC" any more. Similarly there isn't really a "BDC" anymore. Don't refer to them like that, especially if you're asking for help in places like Server Fault, because we will be so hot to correct your terminology that we won't even pay attention to your actual question/problem.

What there is, is a FSMO role called "Primary Domain Controller Emulator," or PDCe. This PDCe role is very important, though we still should not really refer to the domain controller that holds this role as "The PDC."

In many organizations, people deploy a DC in their main office, and they may deploy another DC in a remote location... sometimes they refer to these DCs as "primary" and "backup," just because of the logical layout of their organization. Even though both of those DCs are actually hosting full writable copies of AD.

What's worse, is that there are still today many references to "PDC" even in Microsoft's own documentation and tools. For instance, run `nltest /dclist:domain.com` or `netdom query fsmo`, and the command-line tool will tell you who your "PDC" is. (It's actually your PDCe FSMO role holder.) There are still lots of references to a "PDC" in Microsoft APIs and documents. This leads to a lot of confusion for historical reasons.

> I've also seen where various folks experience problems when the DC's are no longer in sync. What are the primary reasons for that and how does one know that has happened?

That is a very huge topic and there are many reasons why AD may be divergent across two DCs. The troubleshooting tools you most often use for these problems are `repadmin.exe`, `dcdiag.exe`, and the AD event logs on the DCs. Google for "AD lingering objects," that may be an interesting read for you.

I'll leave you with this, from a Server 2012 R2 domain controller:

```
C:\> netdom query pdc
Primary domain controller for the domain:

DC01
The command completed successfully.
```
Ryan Ries
  • More to read on that topic: [FSMO placement and optimization on Active Directory domain controllers](https://support.microsoft.com/en-us/kb/223346/) – Daniel May 14 '15 at 19:37
  • Outstanding response and a great help. I wasn't crazy after all, thinking that PDC is an archaic term. But in the end, it WAS a Microsoft page that made me ask, so your discourse on the background of this topic really helped and I loved your final R2 copy and paste. Based on your comments I did find some TechNet pages on identifying the PDCe, and changing it. So if you lose the machine or server that currently has the PDCe role, can you just use the "Operations Masters" PDC tab to set a new DC as the PDCe and life goes on? – Alan May 14 '15 at 21:43
  • @Alan Yes - if you want to migrate FSMO roles from one DC to another, you either transfer the role or you seize the role. Transferring the role is the "graceful" route you would take if both DCs were up and healthy. But if the original role holder is completely dead, never to reawaken, then your only recourse is to *seize* the role from another DC. In either case, Active Directory can make a full recovery and everything will be OK. Just remember that if you seize a role from a dead DC, then it is imperative that the old DC never be reconnected to the network. – Ryan Ries May 14 '15 at 22:18
  • You didn't say how many FSMO roles there are... :) – Ward - Trying Codidact May 18 '15 at 06:59
  • There are [5 FSMO roles](https://support.microsoft.com/en-us/kb/197132). Since all of the FSMO roles need to be present in a domain, the first DC in the forest to be set up holds all 5, and many lazy people refer to that DC as the PDC even though it is wrong to say. There are 2 FSMO roles that are enterprise wide (or 1 per forest) the "Schema Master" and "Domain Naming Master". Often both of those roles are on a single server along with the 3 other roles for the forest root domain, which makes that server important for the whole forest. – BeowulfNode42 Jul 24 '15 at 03:18
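As an added example (not code from the answer above or from Microsoft), the PowerShell below inventories the ways the answer says DCs are "not equal" (the five FSMO role holders, which DCs are Global Catalogs, which are RODCs) and then checks for the "out of sync" condition the question asks about by listing recorded replication failures and partners that have not replicated recently. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, an account that can query the domain, and a 24-hour staleness threshold that is an assumed value to tune for your site links.

```powershell
# Added example, not code from the original answer. Assumes the ActiveDirectory
# PowerShell module (RSAT-AD-PowerShell) and rights to query the domain.
Import-Module ActiveDirectory

function Show-DcInventory {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # The five FSMO roles: two are forest-wide, three are per-domain.
    # The "PDC" that netdom/nltest report is the PDC Emulator holder.
    $fsmo = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }
    "FSMO role holders for $($domain.DNSRoot):"
    foreach ($role in $fsmo.Keys) { "  {0,-22} {1}" -f $role, $fsmo[$role] }
    # Per-DC differences the answer describes: GC or not, RODC or writable,
    # and which operations master roles (if any) this DC holds.
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly,
            @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
        Format-Table -AutoSize
}

function Test-DcReplication {
    param([int]$StaleHours = 24)   # assumed threshold; tune for your site links
    $dnsRoot = (Get-ADDomain).DNSRoot
    # Outright failures the DCs themselves record (what repadmin/dcdiag surface).
    $failures = Get-ADReplicationFailure -Target $dnsRoot -Scope Domain
    if ($failures) {
        "Replication failures:"
        $failures | Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
            Format-Table -AutoSize
    } else { "No replication failures reported." }
    # Partners with no recent successful inbound replication: this is what
    # "DCs out of sync" looks like before it grows into a lingering-object problem.
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    "Partners with no successful replication in the last $StaleHours hours:"
    Get-ADReplicationPartnerMetadata -Target $dnsRoot -Scope Domain |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
            ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}

Show-DcInventory
Test-DcReplication
```

If a partner shows up in the stale list with a rising ConsecutiveReplicationFailures count, that pair of DCs is diverging and the event logs on both sides are the next place to look.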