6.1.5.4 PDC Emulator FSMO Role

The PDC Emulator FSMO role owner performs the following functions:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

  • If a logon authentication fails at a given DC in a domain due to a bad password, the DC will forward the authentication request to the PDC emulator to validate the request against the most current password. If the PDC reports an invalid password to the DC, the DC will send back a bad password failure message to the user.

  • Account lockout is processed on the PDC emulator.

  • The PDC emulator FSMO also fulfills the role of the PDC in the Netlogon Remote Protocol methods described in [MS-NRPC] section 3. Therefore, the PDC emulator FSMO MUST support and perform all PDC-specific functionality specified in that section. Every DC, other than the PDC emulator FSMO, MUST NOT perform this functionality.

    The PDC emulator periodically queries state about trusting forests and stores it in the msdsForestTrustInfo attribute (see section 3.1.1.6.4).

    Note: Periodically querying trusting forest state and storing that information is also supported in Windows 11, version 22H2 operating system and later.

There is one PDC Emulator FSMO role per domain in a directory. See 3.1.1.7 for more information about the PDC Emulator FSMO role.
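
The first two functions above (preferential replication of password changes, and forwarding of bad-password logons) can be seen in a small simulation. This is an added example, not code from the specification or from Windows; the class and method names are hypothetical, the account data is constructed, and passwords are compared as plain strings only to keep the model short.

```python
# Toy model (added illustration, not Active Directory code). Names are
# hypothetical; passwords are plain strings only to keep the model short.


class DomainController:
    def __init__(self, name, pdc_emulator=None):
        self.name = name
        # None means this DC is itself the PDC emulator FSMO role owner.
        self.pdc_emulator = pdc_emulator
        self.replica = {}  # local copy of the directory: user -> password

    def change_password(self, user, new_password):
        """Apply the change locally, then push it to the PDC emulator first."""
        self.replica[user] = new_password
        if self.pdc_emulator is not None:
            self.pdc_emulator.replica[user] = new_password

    def replicate_from(self, source):
        """Ordinary replication; may arrive after the preferential update."""
        self.replica.update(source.replica)

    def authenticate(self, user, password):
        """Return (outcome, name of the DC whose copy decided it)."""
        if self.replica.get(user) == password:
            return ("success", self.name)
        if self.pdc_emulator is None:
            return ("bad password", self.name)
        # Local mismatch: forward to the PDC emulator and relay its verdict.
        return self.pdc_emulator.authenticate(user, password)


def demo():
    pdc = DomainController("PDC")
    dc1 = DomainController("DC1", pdc)
    dc2 = DomainController("DC2", pdc)
    for dc in (pdc, dc1, dc2):
        dc.replica["alice"] = "old-pw"  # constructed sample account
    dc1.change_password("alice", "new-pw")  # DC2 has not replicated yet
    results = [
        dc2.authenticate("alice", "new-pw"),  # stale at DC2, PDC accepts
        dc2.authenticate("alice", "typo"),    # PDC confirms the failure
    ]
    dc2.replicate_from(dc1)
    results.append(dc2.authenticate("alice", "new-pw"))  # decided locally
    return results


if __name__ == "__main__":
    print(demo())
```

The second element of each result names the DC whose password copy decided the logon, which is also where to look for the authoritative record of a failure in this model.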