How can I tell if my PDC Emulator is working?

The PDC emulator plays a vital role in the operation of any Active Directory domain. It's responsible for time synchronization, processing account lockouts, and more. If the PDC emulator fails, several key domain functions, including security functions, can stop functioning properly.

Symptoms

If your domain exhibits any of the following symptoms, you need to verify the status of the PDC emulator role:

  • Users are unable to log on—This symptom can occur if clocks in the domain drift more than about 5 minutes out of sync. The PDC emulator is the central source for time sync, so a general lack of domain time synchronization can often be traced to it.
  • User accounts that should be locked out aren't locked out—The PDC emulator processes account lockouts for the entire domain.
  • Pre-Windows 2000 (Win2K) clients are unable to change their passwords—The PDC emulator provides password-change processing for non-Active Directory client computers.
  • Windows NT Backup Domain Controllers (BDCs) are not receiving updates to the domain user lists—The PDC emulator is responsible for replicating these updates to down-level domain controllers.

Verification

Some of the symptoms of a PDC emulator failure can be traced to a replication failure, network failure, or other condition unrelated to the PDC emulator. To verify proper operation of the PDC emulator, follow these steps:

  • Identify the domain controller that has the PDC emulator role. From the command line of any domain controller, run
    dsquery server -hasfsmo pdc
    The command-line utility will report the fully qualified name of the domain controller believed to hold the role. Note that server is an actual dsquery parameter and not the name of a particular server on your network.
  • Verify network connectivity to the domain controller by using the ping command. Then attempt to connect to the domain controller by using the Active Directory Users and Computers console from another domain controller or client computer. If either of these steps fails, troubleshoot the domain controller for basic network connectivity. Also ensure that all domain controllers in the domain are running the same Windows service pack level.
  • Verify that Active Directory replication is working properly. On the domain controller holding the PDC emulator role, run
    repadmin /showreps servername
    supplying the server name of the domain controller that holds the PDC emulator role. Any errors indicate a problem with Active Directory replication, which you should resolve.
  • Verify that the PDC emulator role is functioning. On the domain controller holding the PDC emulator role, force a user account to lock out (by logging on with a bad password multiple times, for example). Verify that the account appears locked out in Active Directory Users and Computers on the domain controller. If not, the PDC emulator has failed. If the account locks out, verify that the locked-out status replicates to other domain controllers in the domain. If it does not replicate to some domain controllers, troubleshoot for Active Directory replication failure. If it does not replicate to any domain controllers, the PDC emulator role might have failed.

You will need to be familiar with your domain's account lockout policy in order to effect an account lockout. Note that disabling an account is not the same as locking it out, and a disabled account is not handled the same way by the PDC emulator.
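
The verification steps above chained into one PowerShell script, as an added example that is not part of the original article. It assumes dsquery, repadmin and the ActiveDirectory PowerShell module are installed, that the server name in the dsquery result matches the domain controller's name, and that you pass a test account (the -TestAccount parameter is a name chosen here) that you have already locked out as described in the last step.

```powershell
# Added example, not from the original article.
param([Parameter(Mandatory)][string]$TestAccount)  # hypothetical: an account you already locked out
Import-Module ActiveDirectory                       # assumption: RSAT AD module is installed

# Step 1: find the role holder. dsquery prints a quoted DN that begins CN=<server name>,
$dn = dsquery server -hasfsmo pdc | Select-Object -First 1
if ($dn -match '^"?CN=([^,]+),') { $pdc = $Matches[1] }
else { throw "dsquery returned no PDC emulator role holder: '$dn'" }
"PDC emulator role holder: $pdc"

# Step 2: basic network connectivity
if (-not (Test-Connection -ComputerName $pdc -Count 2 -Quiet)) {
    throw "$pdc does not answer ping; troubleshoot basic network connectivity first."
}

# Step 3: replication status. Print the full report, then flag lines worth reading.
# The 'fail|error' match is a heuristic added here, not a substitute for reading the report.
$report = repadmin /showreps $pdc
$report
if ($report | Select-String -Pattern 'fail|error') {
    Write-Warning 'repadmin output mentions failures or errors; resolve replication problems first.'
}

# Step 4: ask every domain controller whether it sees the test account as locked out
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    try   { $locked = (Get-ADUser -Identity $TestAccount -Server $dc.HostName -Properties LockedOut).LockedOut }
    catch { $locked = $null }   # domain controller unreachable or account not found there
    [pscustomobject]@{ DC = $dc.Name; IsPdc = ($dc.Name -eq $pdc); LockedOut = $locked }
}
$status | Format-Table -AutoSize

# Interpret the results the way the last verification step describes
$onPdc  = ($status | Where-Object IsPdc).LockedOut
$others = @($status | Where-Object { -not $_.IsPdc })
$seen   = @($others | Where-Object { $_.LockedOut -eq $true })
if ($null -eq $onPdc) {
    "Could not read $TestAccount on ${pdc}; check the account name and connectivity."
} elseif (-not $onPdc) {
    'Account is not locked out on the PDC emulator: the PDC emulator has failed.'
} elseif ($others.Count -eq 0) {
    'Locked out on the PDC emulator; there are no other domain controllers to compare.'
} elseif ($seen.Count -eq $others.Count) {
    'Lockout is visible on every domain controller.'
} elseif ($seen.Count -eq 0) {
    'Lockout reached no other domain controller: the PDC emulator role might have failed.'
} else {
    'Lockout is missing on some domain controllers: troubleshoot Active Directory replication.'
}
```

Allow time for replication between locking the account and running the script, or the last check will report missing lockouts that are only delayed.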

Corrective Action

If you determine that the PDC emulator has failed, try these corrective actions:

  • If the domain controller believed by Active Directory to hold the PDC emulator role no longer exists, seize the role on another domain controller in the domain.
  • If the domain controller containing the PDC emulator role is still functioning, restart it. Re-verify the proper function of the PDC emulator. If it is still not working properly, attempt to transfer the PDC emulator role to another domain controller. If you cannot, remove the domain controller from the network and seize the PDC emulator role on another domain controller.
  • If the domain controller that holds the PDC emulator role has failed, seize the PDC emulator role on another domain controller. Remove the original domain controller from the network and do not reconnect it until it has been repaired and demoted to member server status in the domain.