<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([PDC]) [{$pagename}] is a [Flexible Single Master Operation] and a single [Domain Controller] is necessary to synchronize [time] in an [Microsoft Active Directory]. 


Windows includes the [W32Time] ([Windows Time service]) that is required by the [Kerberos] [authentication] protocol. All Windows-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the [Windows Time service] uses a [hierarchical] [relationship] that controls authority and does not permit loops to ensure appropriate common time usage.

[{$pagename}] of a [AD DOMAIN] is authoritative for the domain. The [{$pagename}] at the root of the [AD Forest] becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All [{$pagename}] holders follow the hierarchy of domains in the selection of their in-bound time partner.

In a [AD DOMAIN], the [{$pagename}] holder retains the following functions:
* [Password Modify Operations] performed by other [Domain Controllers] in the [AD DOMAIN] are replicated preferentially to the [{$pagename}].
* [Authentication] failures that occur at a given [Domain Controller] in a [AD DOMAIN] because of an incorrect [password] are forwarded to the [{$pagename}] before a bad [password] failure message is reported to the user.
* [Account Lockout] is processed on the [{$pagename}].
* performs all of the functionality that a [Microsoft] [Windows Server NT] based PDC or earlier PDC performs for [Windows NT|Windows NT 3.1] 4.0-based or earlier clients.
This part of the [{$pagename}] becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to [Windows Server 2000]. 

[{$pagename}] must still performs the other functions as described in a [Windows Server 2000] environment. 


There is only one [{$pagename}] per [AD DOMAIN] within a [AD Forest]

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Active Directory FSMO roles in Windows|https://support.microsoft.com/en-us/help/197132/active-directory-fsmo-roles-in-windows|target='_blank'] - based on information obtained 2018-07-10- 






































































































































































































































































































</pre>