Are all domain controllers on a small network considered equivalent/equal?
Windows Server 2012 R2 w/ GUI, Hyper-V host, VM DC
I am installing my first second Domain Controller (DC) (sounds weird, but that really is what I'm doing). I have what I think is a good process to follow from this link.
I wondered if one of the DCs would be considered 'the master', or a different term I have seen, 'the Primary Domain Controller'. But if I understand the way the DCs now work, they all communicate and update each other, and they are supposed to take over if one fails, so it doesn't seem like there is such a concept as a Primary Domain Controller anymore. But I keep seeing that terminology used in relatively recent posts.
If someone could clear up why the concept is still being discussed it would help me understand. If there's some relationship like this that I need to establish, I don't see where to do that.
I've also seen where various folks experience problems when the DCs are no longer in sync. What are the primary reasons for that, and how does one know that has happened?
Thanks.
Yes and no, sort of.
Active Directory replication in general is multi-master. You can create or change an object on any writable domain controller, and that change will be replicated to all other domain controllers. In this narrow sense, all DCs are "equal."
But there are a select few operations that may only have a single master at one time. These are called Flexible Single Master Operations (FSMO) roles. These roles can only live on one domain controller at a time, and they cannot float by themselves in case of a failure (they must be migrated manually). Furthermore, there are certain things in an AD domain that will not work unless certain FSMO role holders are online (password changes, adding a child domain, etc.). Therefore, it could be said that all domain controllers are not equal.
There are also domain controllers serving as Global Catalogs. A global catalog domain controller holds a full copy of objects from other domains in that forest, whereas domain controllers that are not GCs contain only objects from their own domain. This is another way in which all DCs may not be equal. The simplest and recommended configuration, though, is to have all DCs be GCs. But it is not mandatory.
There are also Read Only Domain Controllers (RODCs). As the name implies, these DCs are not writable.
You can also store things on one domain controller (such as DNS zones) that are not replicated to other domain controllers.
So no, they're not 100% equal in every sense of the word.
People say "Primary Domain Controller" for historical reasons. It used to be that way, way back in the NT 4 days. But there isn't really a "PDC" any more. Similarly there isn't really a "BDC" anymore. Don't refer to them like that, especially if you're asking for help in places like Server Fault, because we will be so hot to correct your terminology that we won't even pay attention to your actual question/problem.
What there is, is a FSMO role called "Primary Domain Controller Emulator," or PDCe. This PDCe role is very important, though we still should not really refer to the domain controller that holds this role as "The PDC."
In many organizations, people deploy a DC in their main office, and they may deploy another DC in a remote location... sometimes they refer to these DCs as "primary" and "backup," just because of the logical layout of their organization. Even though both of those DCs are actually hosting full writable copies of AD.
What's worse is that there are still today many references to "PDC" even in Microsoft's own documentation and tools. For instance, run nltest /dclist:domain.com or netdom query fsmo, and the command-line tool will tell you who your "PDC" is. (It's actually your PDCe FSMO role holder.) There are still lots of references to a "PDC" in Microsoft APIs and documents. This leads to a lot of confusion for historical reasons.
I've also seen where various folks experience problems when the DCs are no longer in sync. What are the primary reasons for that, and how does one know that has happened?
That is a very huge topic, and there are many reasons why AD may be divergent across two DCs. The troubleshooting tools you most often use for these problems are repadmin.exe, dcdiag.exe, and the AD event logs on the DCs. Google for "AD lingering objects"; that may be an interesting read for you.
I'll leave you with this, from a Server 2012 R2 domain controller:
C:\> netdom query pdc
Primary domain controller for the domain:
DC01
The command completed successfully.
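The following PowerShell script is an added example, not part of the answer above or of any Microsoft tooling. It ties together two points from the answer: first, it inventories the domain controllers to show the ways in which they are not "equal" (which one holds each FSMO role, which are Global Catalogs, which are RODCs), and second, it checks replication partner metadata so you can see when two DCs have stopped syncing, which the answer says is usually diagnosed with repadmin, dcdiag and the event logs. It assumes the ActiveDirectory RSAT module is installed, the machine is domain-joined, and the account has read access to AD; the 24-hour staleness threshold is an assumption to tune for your topology.

```powershell
# Added example (not from the original answer): inventory DCs by role, then
# check inbound replication health. Assumes the ActiveDirectory RSAT module,
# a domain-joined host and read rights to the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# FSMO roles: two are forest-wide, three are per-domain. Each has exactly one
# holder, which is the main reason not every DC is interchangeable.
"Schema Master        : $($forest.SchemaMaster)"
"Domain Naming Master : $($forest.DomainNamingMaster)"
"PDC Emulator         : $($domain.PDCEmulator)"   # what 'netdom query pdc' reports as the "PDC"
"RID Master           : $($domain.RIDMaster)"
"Infrastructure Master: $($domain.InfrastructureMaster)"
""

# Per-DC view: site, GC or not, writable or RODC, and any FSMO roles it holds.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly,
        @{ Name = 'FSMORoles'; Expression = { $_.OperationMasterRoles -join ',' } } |
    Sort-Object HostName |
    Format-Table -AutoSize

# Replication health. For every DC, look at each inbound partner: a non-zero
# last result means the last attempt failed; a successful-replication time
# older than the threshold means the pair may be drifting apart even if no
# error is currently recorded.
$staleAfter = New-TimeSpan -Hours 24   # assumption: tune to your replication schedule
$now      = Get-Date
$problems = @()

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        # A DC you cannot query is itself a finding: it may be down or isolated.
        $problems += [pscustomobject]@{
            Server  = $dc.HostName
            Partner = '(unreachable)'
            Issue   = $_.Exception.Message
        }
        continue
    }

    foreach ($p in $meta) {
        if ($p.LastReplicationResult -ne 0) {
            $problems += [pscustomobject]@{
                Server  = $dc.HostName
                Partner = $p.Partner
                Issue   = "last result $($p.LastReplicationResult), $($p.ConsecutiveReplicationFailures) consecutive failures"
            }
        } elseif (($now - $p.LastReplicationSuccess) -gt $staleAfter) {
            $problems += [pscustomobject]@{
                Server  = $dc.HostName
                Partner = $p.Partner
                Issue   = "no successful inbound replication since $($p.LastReplicationSuccess)"
            }
        }
    }
}

if ($problems.Count -eq 0) {
    "No replication failures or stale partners found."
} else {
    # Anything listed here deserves 'repadmin /showrepl <server>' and a look at
    # the Directory Service event log on both sides of the pair.
    $problems | Format-Table -AutoSize
}
```

The Partner values come back as the NTDS Settings distinguished names of the replication partners rather than short host names, so match them against the HostName column of the inventory table above. A DC that is missing from the inventory entirely, or that shows IsReadOnly set to True, will never originate changes, which matters when you interpret which side of a stale pair is authoritative.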