The Role of the PDC FSMO

Among the many interviews that I have been part of, there is one request that I always make that seems to plague candidates:

Name and give a description of the five FSMO roles.

Surprisingly many candidates struggle to answer this question and this makes me believe two things:

1. The importance of FSMO roles is undervalued
2. There may not be enough info about what the roles do

Of the five roles, three of them are largely well understood – or at least documented (though the Domain Naming Master has some interesting intricacies).  However, the PDC and the Infrastructure Master seem to cause more confusion.  Though the IM is not well understood, Dean Wells, now of Microsoft, has given the role a great treatment which can be found here.

The PDC is a little harder to put your finger on though.  Most candidates come back with one or both of the following answers:

• The PDC handles password changes
• The PDC logs on down-level clients

The first answer makes me cringe but there’s some piece of truth so it’s not to stress over.  Prompting candidates for other functions of the PDC usually brings to light the confusion over this role.  Other things that I hear that the PDC does includes:

• Joins PCs to the domain
• Log on all clients (users and workstations)
• Source for all group policy application
• User account creation
• Authoritative source for SYSVOL
• And others I have forgotten

This has confirmed for me something that I have thought for a long time – it is hard to know what the PDC really does because it just isn’t very well documented.  For all of the KB articles that Microsoft makes available, there isn’t one that lists out definitively the roles of the PDC.  To add to the confusion, some of the articles are misleading or incorrect.

I ran into this personally early on as a directory services admin when I rebooted the PDC, confident it would not impact the directory service.  And mostly it didn’t impact directory services.  But it didn’t hurt some other services – particularly Exchange.

The purpose of this entry is to attempt to create a definitive repository (or as close as we can reasonably get).  It’s very unlikely that we’ll get them all here for one simple reason – the PDC is often the target of other services.  For instance, DFS and clustering have both targeted the PDC to perform special tasks for their service.  So, we’ll start with the ones that we know and we’ll add to the list as we go.

Don’t make the same mistakes that I have and reboot the PDC of a production environment without knowing what organizational services may be impacted.  As time goes by I’ll fill in the details (or direct you to a good explanation) on each of these services, functions, or roles.  For now, I’ll just give you some links.

Services, Functions, Roles, and Uniqueness of the PDC

• Security descriptor propagation
• Password changes
• Urgent replication
• Master Browser
• PDC-specific DNS records
• Time service
• Failed authentication attempts
• Well-known principal management

Services Dependent on or Preferentially Targeting the PDC

• DFS
• Trust setup
• Domain functional level changes
• Clustering
• GPMC
• New user creation (net use fails and ADUC tries)
• Exchange Server Analyzers
• Default target for DsAddSidHistory
• Redirecting default Users and Computers container
• Updating the Default Domain Policy

Please let me know what’s missing.  I’m interested in your input and feedback.