Do all domain controllers have to communicate with the PDC?

  • Question

  • Hello,

    I have a question regarding site replication. Our network team wants to tighten the network ports and only wants to allow a few servers to communicate. Is there any issue if a Domain Controller in a different site cannot reach the PDC (port blocking)?

    Example  

    Site HQ

    DC:A(PDC)   DC:B   DC:C

    Site Branch

    DC:F  DC:G

    We have two sites (Site HQ and Site Branch), but we only allow Site Branch to talk with DC:B for replication. Is there any issue if DC:F and DC:G cannot talk with DC:A as the PDC? I'm afraid DC:F and DC:G will detect the PDC as down if we block them from reaching it, but I don't know what the impact is.

    Thanks

    • Edited by Mg H Friday, November 22, 2019 7:21 AM amend
    Friday, November 22, 2019 6:44 AM

Answers

  • The PDC Emulator has several critical roles that require communication with other DCs in the domain.

    All password changes are immediately forwarded to the PDCe.

    All bad password attempts are forwarded to the PDCe, in case the password has changed. If the PDCe is unavailable this can affect account lockout. In my experience, accounts lock out sooner than expected as DCs repeatedly attempt to communicate with the PDCe.

    The PDCe is also the authoritative time source for all other DCs in the domain.

    Edit: Check how PDC Emulator is involved in account lockout in these docs:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)

    https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f96ff8ec-c660-4d6c-924f-c0dbbcac1527

    Edit: It is recommended that the DC with the PDC Emulator role be on the best hardware and OS, the most reliable DC, with good communication. Other FSMO roles affect only Administrators, but the PDCe has the most impact on users. Check this Wiki article where I discuss account lockout issues, and show the results of my tests when the PDCe is not available.

    https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Edited by Richard MuellerMVP Friday, November 22, 2019 1:50 PM
    • Proposed as answer by Dave PatrickMVP Friday, November 22, 2019 11:54 PM
    • Marked as answer by Mg H Saturday, November 23, 2019 6:09 AM
    Friday, November 22, 2019 10:40 AM
  • Hi,

    Agree with Richard, the PDC should be on the most performant domain controller and able to communicate with all domain controllers in the same domain to ensure the following roles:

    • Time synchronization between domain controllers: the PDC is the time source for the other domain controllers in the same domain.
    • Managing locked accounts and bad passwords: when a user uses a bad password, the local DC will forward the request to the PDC to validate whether the password is bad or not.

    In your case you have to ask your network team to open network flow between the PDC and all other domain controllers in the same domain.

    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Proposed as answer by Dave PatrickMVP Friday, November 22, 2019 11:54 PM
    • Marked as answer by Mg H Saturday, November 23, 2019 6:09 AM
    Friday, November 22, 2019 11:43 PM
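The two answers above say the same thing from different angles: every DC must be able to reach the PDC emulator for password-change forwarding, bad-password validation and time sync, so the fix is to open those flows rather than restrict branch DCs to one replication partner. The script below is an added example, not code from the thread or from any of its posters. It locates the PDCe with the ActiveDirectory module, then runs the probes on each remote DC itself (via Invoke-Command) so the result reflects that DC's own path to the PDCe, which is what a firewall rule between sites would break. The port list is the well-known static set (Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Global Catalog); the dynamic RPC range that Netlogon may negotiate after the endpoint-mapper call is not probed here and must be allowed separately. NTP is UDP, so it is checked with w32tm /stripchart against the PDCe rather than a TCP probe.

```powershell
# Added example (not from the original thread). Assumes the RSAT
# ActiveDirectory module is installed, that the caller is a domain admin,
# and that PowerShell remoting is enabled on the DCs. Run from any
# domain-joined admin host.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator                       # FQDN of the PDC emulator
$dcs    = Get-ADDomainController -Filter * |
          Where-Object { $_.HostName -ne $pdce }    # every other DC, all sites

# Static TCP ports a DC needs on the PDCe. Netlogon password forwarding and
# bad-password validation run over RPC, which starts at the endpoint mapper
# (135) and then uses a dynamic port (49152-65535 on Server 2008+), or named
# pipes over SMB (445). The dynamic range is NOT probed here.
$tcpPorts = @(
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB / Netlogon named pipes' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' }
)

$portResults = foreach ($dc in $dcs) {
    foreach ($p in $tcpPorts) {
        # Probe from the remote DC so the test exercises that DC's network path
        $ok = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            param($target, $port)
            (Test-NetConnection -ComputerName $target -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        } -ArgumentList $pdce, $p.Port

        [pscustomobject]@{
            SourceDC  = $dc.HostName
            Site      = $dc.Site
            TargetPDC = $pdce
            Port      = $p.Port
            Service   = $p.Name
            Reachable = $ok
        }
    }
}

# Time hierarchy: each non-PDCe DC should name the PDCe (or a DC that chains
# to it) as its source, and should be able to query the PDCe over NTP (UDP 123).
$timeResults = foreach ($dc in $dcs) {
    $source = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (w32tm /query /source) -join ' '
    }
    $ntp = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($target)
        # Exit code 0 means the DC received an NTP reply from the PDCe
        w32tm /stripchart /computer:$target /samples:1 /dataonly | Out-Null
        $LASTEXITCODE -eq 0
    } -ArgumentList $pdce

    [pscustomobject]@{
        SourceDC     = $dc.HostName
        Site         = $dc.Site
        TimeSource   = $source
        NtpToPdceOK  = $ntp
    }
}

"TCP reachability to PDCe ($pdce):"
$portResults | Sort-Object SourceDC, Port | Format-Table -AutoSize

"Time source and NTP reachability:"
$timeResults | Format-Table -AutoSize

# Anything listed here is a DC that will queue password changes, mis-handle
# bad-password validation (and so lockout counts), or drift in time once the
# PDCe is unreachable from its site.
$blocked = $portResults | Where-Object { -not $_.Reachable }
if ($blocked) {
    "`nBLOCKED flows (ask the network team to open these):"
    $blocked | Format-Table SourceDC, Site, Port, Service -AutoSize
}
```

In the scenario from the question, DC:F and DC:G in Site Branch would show Reachable = False for every port against DC:A and would still report DC:B as their replication partner, which is exactly the split the answers warn about: replication keeps working while the PDCe-dependent paths (password forwarding, lockout validation, time) silently fail.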

All replies

  • Dear Richard/Thameur

    Thanks a lot for the answer. This could be really good info for AD administrators. I will advise our network team not to block the communication between all Domain Controllers and the PDC. Again, thank you so much.

    Saturday, November 23, 2019 6:09 AM
  • Hi,

    Thank you for your update.

    If there is anything else we can do for you, please feel free to post in the forum.

    Have a nice day!

    Best regards,

    Cynthia

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 25, 2019 2:03 AM