PDC : Trust relationships & automatic tools?

Skip to first unread message

Phil Cox

Apr 16, 1998, 3:00:00 AM4/16/98

I need the answer to a couple of questions:

1. If PDC fails, are there ANY tools which will promote a BDC automatically
without ANY user intervention? What happens when/if the original PDC comes
back on-line?

2. Using trust relationships, the PDC is the "point man" so to speak. If the
PDC dies, CAN/WILL the BDC's maintain the trust relationships? Or does one
of the BDC's need to promoted, then it will maintain the trust relationship?

The answers are time critical, so any info is appreciated.


Kevin Haney, BackOffice MVP

Apr 17, 1998, 3:00:00 AM4/17/98


I have not heard of any tools to promote a BDC to PDC. I am sure you could
write one if you knew the right API's for this. Here are some Knowledge Base
articles that explain this process in detail. Let me know if this helps.


Kevin Haney, BackOffice MVP, MCSE
Rainier Technology
NT 5.0 RDP Member

Phil Cox wrote in message ...

Julian Harper

Apr 24, 1998, 3:00:00 AM4/24/98

The below is an article which I found in technet. It says that you can
promote demote PDC's/BDC's when the other machines are off line. I haven't
tried it, but I was planning to becuase I need to make my PDC a BDC and one
of my BDC's the PDC. If anyone thinks the below is a bad way of doing it
please let me know



PSS ID Number: Q167248
Article last modified on 11-20-1997



The information in this article applies to:

- Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
- Microsoft Windows NT Server versions 3.5, 3.51, and 4.0


If a primary domain controller (PDC) is unavailable or needs to be taken
offline, a backup domain controller (BDC) can be promoted in its place.
This should only be done when the PDC is expected to be down for a long
period of time because the automatic demotion of the original PDC to BDC
will not occur. In many circumstances, it is fine to be without a PDC for
a short time. However, if User Manager is needed, or if a user needs to
change his or her password, there must be a PDC present.


Promote BDC to PDC

With the primary domain controller offline or gracefully shut down and
turned off, in Server Manager, promote one of the backup domain
controllers. Because the primary domain controller is offline, you will
receive the following warning:

Server Manager cannot find the Primary Domain Controller for
<DomainName>. You may administer the domain, but certain domain-wide
operations will be disabled.

To see a list of the backup domain controllers in your domain, verify that
the check box is cleared next to the entry "Show Domain Members only"
under the View menu. With this check box cleared, the list presented in
Server Manager is provided by the browser service. When the check box is
selected, the PDC's user account database (SAM) is queried for all Windows
NT-based workstations, servers, and domain controllers that have a
computer account in that domain. The following key in the registry is


Select the backup domain controller you want to promote, and under the
View menu, select Promote to Primary Domain Controller.

Demote PDC to BDC

Whenever domain administration tools are used, the changes or additions
occur at the PDC. When domain synchronization occurs, these changes or
deltas are sent from the PDC to the BDC using this one-way replication.

Because a "stand-in" PDC was necessary while the "original" PDC was
offline, changes have probably been made to the database on the stand-in
computer; it will be important for it to remain the PDC while the original
PDC is demoted. Successfully demoting the original PDC will also cause a
synchronization with the stand-in PDC, giving it the recent changes done
during its absence. Later, the original PDC can once again resume the role
of PDC for the domain by simply promoting it in Server Manager.

To demote the original PDC just brought back online, use Server Manager.
Under the View menu, clear the check box next to "Show domain members
only." This allows a browse list to inform Server Manager that the
computer is configured as a PDC, and will allow it to be demoted. Select
the original PDC, and select "Demote to backup domain controller" under
the Computer menu.

The following is further explanation of the browser information in Server

Check mark next to "Show domain Members Only" (no browser information):


PDC icon (available) Stand-In Windows NT Primary
BDC icon (dimmed) Original Windows NT Backup

No check mark next to "Show domain Members Only" (with browser


PDC icon (available) Stand-In Windows NT <version> Primary
PDC icon (dimmed) Original Windows NT <version> Primary

With the browser information, Server Manager allows the original PDC to be
selected and demoted by choosing "Demote to Backup Domain Controller."
Without the browser information, Server Manager is just looking at the
current PDC's registry, and there is no option to demote the PDC. It is
considered a backup because the registry does not contain the role of all
other domain controllers in the domain. Only its own role is maintained.

The icon and type conventions in Server Manager when browsing information
is introduced are altered when two PDCs are in one domain.

With no browser information, all of the icons are dimmed except for the
PDC, because that is the only computer Server Manager knows is up and
running. Also note that the original PDC has the icon of a BDC, and the
Type is Backup. With no other information other than the SAM on the PDC,
all other domain controllers are BDCs in a usual environment.

When browser information is integrated into the domain list in Server
Manager, the icons can be available because there is a mechanism to
determine if the computers are currently running in the domain. In
addition, Windows NT version information can be included. Also, Windows
for Workgroups computers that have their workgroup name set to that of the
domain name will appear in the list. Notice that the original PDC s icon
is dimmed and the Type has changed from Backup to Primary. This is because
having more than one PDC in a domain violates domain rules, and now the
browser information is parsed, and the intended role of the computer can
be determined.

Two PDCs Active at the Same Time

It may be possible for more than one PDC to be active in a domain at the
same time. This may cause serious problems, but can be the result of
several things. If a network connection such as a router or cable fails,
and during this failure a BDC was promoted, when the failure is resolved,
two PDCs will be active in the domain. Because both are already running,
the Netlogon service does not have the chance of detecting another PDC at
startup time and fails to start. Some other reasons for having more than
one PDC active would be because there is a very slow WAN link, the WINS
databases are out of sync, not configured as push or pull partners, or
replicating too slowly.

When there are two PDCs active at the same time, when it comes time to
resolving the situation, a decision must be made as to which changes that
potentially were made to each User Account database using the
Administrator tools must be lost. Because domain synchronization is a one-
way replication from the PDC to BDC, there is no merging or time-stamp
method for resolving the differences.

In addition to running User Manager on each PDC to determine what accounts
it has, you can type NET USER at the command prompt.

You can choose whichever PDC to demote by having its Netlogon service
"collide" with the other PDC's Netlogon service. The first computer to
successfully start the Netlogon service and browser service, will remain
the PDC. The second PDC that starts and has its Netlogon service fail to
start can be demoted.

Use NET ACCOUNTS to Verify Domain Controller Role

At a command prompt, Cmd.exe, enter the following to determine the current
role of a domain controller:

<DriveLetter>\NET ACCOUNTS

Below is a sample of the output:

Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.

The last line indicates the present role of the Domain Controller.

Additional query words: Srvmgr.exe Usrmgr.exe Musrmgr.exe
Keywords : ntnetserv NTSrvWkst kbnetwork
Version : WinNT:3.5,3.51
Platform : winnt
Issue type : kbhowto kbinfo
Copyright Microsoft Corporation 1997.

Daniel Bucherer

Apr 28, 1998, 3:00:00 AM4/28/98

If you plan to swap the roles of your PDC and one of the BDCs, the best way of
doing it is to promote the BDC in question while the PDC is running. This will
automatically denote the PDC to BDC without any trouble.

The KB article covers only the case that your existing PDC dies suddenly, you
promote a BDC in the absence of the PDC and then the original PDC comes back
again. This is not the case in your situation, so don't make things more
complicated than they are.


Reply all
Reply to author
0 new messages