MORE INFORMATION
Promote BDC to PDC
With the primary domain controller offline or gracefully shut down and
turned off, in Server Manager, promote one of the backup domain
controllers. Because the primary domain controller is offline, you will
receive the following warning:
Server Manager cannot find the Primary Domain Controller for
<DomainName>. You may administer the domain, but certain domain-wide
operations will be disabled.
When the original PDC is later brought back online it is the second PDC to start in the domain, and it may report the following errors in the System event log:
Event 3097 Source Netlogon
A primary domain controller is already running in this domain.
Event 7024 Source Service Control Manager
The Net Logon service terminated with service-specific error 3097.
To see the backup domain controllers in your domain, clear the check box
next to "Show Domain Members Only" under the View menu. With the check box
cleared, the list presented in Server Manager is built from the browser
service. With the check box selected, the PDC's user account database (SAM)
is queried instead, and every Windows NT-based workstation, server and
domain controller that has a computer account in the domain is listed. In
that case the following registry key is parsed:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\<ComputerName$>
Select the backup domain controller you want to promote, and under the
Computer menu, select "Promote to Primary Domain Controller."
Demote PDC to BDC
Whenever the domain administration tools are used, changes and additions
are made on the PDC. During domain synchronization these changes (deltas)
are replicated one way, from the PDC to each BDC. Because a "stand-in" PDC
was needed while the "original" PDC was offline, changes have probably been
made to the account database on the stand-in; it must therefore remain the
PDC while the original PDC is demoted. Demoting the original PDC
successfully also triggers a synchronization from the stand-in PDC, so the
original receives the changes made during its absence. Later, the original
PDC can resume the PDC role simply by promoting it in Server Manager.
To demote the original PDC that has just been brought back online, use
Server Manager. Under the View menu, clear the check box next to "Show
Domain Members Only." The browse list then tells Server Manager that the
computer is configured as a PDC, which makes the demote option available.
Select the original PDC, and select "Demote to Backup Domain Controller"
under the Computer menu.
The following is further explanation of the browser information in Server
Manager:
Check mark next to "Show Domain Members Only" (no browser information):
ICON                   COMPUTER   TYPE
PDC icon (available)   Stand-in   Windows NT Primary
BDC icon (dimmed)      Original   Windows NT Backup
No check mark next to "Show Domain Members Only" (with browser
information):
ICON                   COMPUTER   TYPE
PDC icon (available)   Stand-in   Windows NT <version> Primary
PDC icon (dimmed)      Original   Windows NT <version> Primary
With the browser information, Server Manager allows the original PDC to be
selected and demoted by choosing "Demote to Backup Domain Controller."
Without the browser information, Server Manager consults only the current
PDC's registry (its SAM), and no option to demote the original PDC is
offered. The original PDC is shown as a backup because the SAM on the
current PDC does not record the role of the other domain controllers in
the domain; each domain controller maintains only its own role.
When browser information is added, the icon and Type conventions in Server
Manager change if two PDCs exist in one domain.
With no browser information, all icons except the PDC's are dimmed,
because the PDC is the only computer Server Manager knows is up and
running. Note also that the original PDC has the BDC icon and its Type is
Backup: with no information other than the PDC's SAM, every other domain
controller is assumed to be a BDC, as it would be in a normal environment.
When browser information is integrated into the domain list in Server
Manager, icons can be shown as available because there is a mechanism to
determine whether the computers are currently running in the domain. In
addition, Windows NT version information can be included, and Windows for
Workgroups computers whose workgroup name matches the domain name also
appear in the list. Notice that the original PDC's icon is dimmed and its
Type has changed from Backup to Primary. This is because having more than
one PDC in a domain violates the domain rules; now that the browser
information is parsed, the intended role of the computer can be
determined.
Two PDCs Active at the Same Time
More than one PDC can end up active in a domain at the same time. This
causes serious problems and can arise in several ways. If a network link
such as a router or cable fails, and a BDC is promoted during the outage,
two PDCs are active once the link is restored. Because both are already
running, the Netlogon service never gets the chance to detect the other
PDC at startup and fail to start. Other causes include a very slow WAN
link, or WINS databases that are out of sync, not configured as push or
pull partners, or replicating too slowly.
When two PDCs are active at the same time, resolving the situation requires
deciding which of the changes made to each user account database with the
administration tools will be lost. Domain synchronization is a one-way
replication from the PDC to the BDCs; there is no merge or time-stamp
mechanism for reconciling the differences.
In addition to running User Manager on each PDC to see which accounts it
has, you can type NET USER at a command prompt on each PDC.
You choose which PDC to demote by letting its Netlogon service "collide"
with the other PDC's Netlogon service. The first computer to successfully
start the Netlogon and browser services remains the PDC; the second, whose
Netlogon service fails to start, can then be demoted.
Use NET ACCOUNTS to Verify Domain Controller Role
At a command prompt (Cmd.exe), enter the following to determine the current
role of a domain controller:
NET ACCOUNTS
Below is a sample of the output:
c:\>NET ACCOUNTS
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
The "Computer role" line indicates the present role of the domain controller (PRIMARY or BACKUP).
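The NET USER comparison described above and the NET ACCOUNTS role check can both be scripted. The following is an added example, not part of the KB article: it parses NET ACCOUNTS output for the "Computer role" line and NET USER listings from two PDCs, then reports which accounts exist on only one side, which is exactly the set of changes that will be lost when that side is demoted. The NET USER listings are constructed sample data built in the assumed format (names padded to 25-character columns between a dashed separator and the "command completed" line); capture real output with NET ACCOUNTS > file and NET USER > file on each PDC and read those files instead.

```python
"""Parse NET ACCOUNTS / NET USER output from two PDCs and show which account
changes would be lost when one of them is demoted.

Added example (not part of the KB article).  Assumes NET ACCOUNTS prints
"<label>: <value>" lines including "Computer role: ..." as shown in the
article, and that NET USER lists names in 25-character columns between a
dashed separator and "The command completed successfully."  The listings
below are constructed samples, not captured output.
"""
import re

# ---- constructed sample output --------------------------------------------
# NET ACCOUNTS as printed on the stand-in PDC (modelled on the article's listing).
STAND_IN_NET_ACCOUNTS = """c:\\>NET ACCOUNTS
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
"""

def net_user_listing(server, names):
    """Build a NET USER listing for SERVER the way Windows NT prints it:
    names padded to 25-column fields, three per line (constructed sample data)."""
    rows = ["".join(n.ljust(25) for n in names[i:i + 3]).rstrip()
            for i in range(0, len(names), 3)]
    return "\n".join(["User accounts for \\\\" + server, "", "-" * 79]
                     + rows + ["The command completed successfully.", ""])

# Accounts on each PDC while both were active: "newhire" and "svc backup" were
# created on the stand-in, "temp1" on the original PDC (constructed scenario).
STAND_IN_NET_USER = net_user_listing(
    "STANDIN", ["Administrator", "Guest", "jdoe", "newhire", "svc backup"])
ORIGINAL_NET_USER = net_user_listing(
    "ORIGPDC", ["Administrator", "Guest", "jdoe", "temp1"])

# ---- parsers ---------------------------------------------------------------
def parse_net_accounts(text):
    """Return the label/value pairs NET ACCOUNTS prints, e.g. {'Computer role': 'PRIMARY'}."""
    settings = {}
    for line in text.splitlines():
        # Skip the echoed prompt and the status line; everything else is "label: value".
        if "\\>" in line or "command completed" in line:
            continue
        m = re.match(r"^([^:]+?):\s*(.*)$", line.strip())
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def domain_controller_role(net_accounts_text):
    """PRIMARY or BACKUP as reported by NET ACCOUNTS (empty string if absent)."""
    return parse_net_accounts(net_accounts_text).get("Computer role", "").upper()

def parse_net_user(text):
    """Return the set of account names in a NET USER listing."""
    names, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True            # names follow the dashed separator
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line.strip():
            # Fixed 25-column fields, so a name containing a space survives intact.
            names.update(line[i:i + 25].strip() for i in range(0, len(line), 25))
    return names - {""}

def compare_account_databases(users_a, users_b):
    """Accounts present on only one side: (only_in_a, only_in_b), sorted.
    Whichever PDC is demoted loses its 'only' list, since synchronization
    is one-way from the surviving PDC and nothing is merged."""
    return sorted(users_a - users_b), sorted(users_b - users_a)

if __name__ == "__main__":
    print("stand-in role:", domain_controller_role(STAND_IN_NET_ACCOUNTS))
    only_stand_in, only_original = compare_account_databases(
        parse_net_user(STAND_IN_NET_USER), parse_net_user(ORIGINAL_NET_USER))
    print("lost if the stand-in is demoted:", only_stand_in)
    print("lost if the original is demoted:", only_original)
```

The fixed-width slicing matters: splitting on whitespace would break account names that contain a space. Run the comparison before choosing which Netlogon service to let lose the collision, so the side that is demoted is the one whose losses you can afford.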
Event ID 5512 When Two PDCs Are Active
If two PDCs are active at the same time, you may receive event ID 5512:
Component: NET
Event ID: 5512
Log: System
Source: NetLogon
Type: Error
Explanation: Each domain should have only one PDC. Two PDCs exist in the domain because one of the PDCs stopped working for an extended period. A backup domain controller (BDC) was then promoted to PDC. Now the original PDC is working again.
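The three events this article names (Netlogon 3097, Service Control Manager 7024 with error 3097, and Netlogon 5512) are enough to spot a two-PDC condition in an exported event log and to tell which computer lost the Netlogon collision. The following is an added example, not part of the KB article. It assumes the log was saved as comma-separated text with the column order Date, Time, Source, Type, Category, Event, User, Computer, Description (an assumption; adjust the header line to match your export), and the records in it are constructed, with the descriptions taken from the article's event text.

```python
"""Scan an event log export for the signatures of two PDCs in one domain.

Added example (not from the KB article).  Assumes a comma-separated export
with the column order in the header below; the records are constructed.
"""
import csv
import io

# Constructed export: ORIGPDC came back while STANDIN was already PDC, so its
# Netlogon collided and failed; a 5512 reports the conflict.  The 6005 record
# is filler to show that unrelated events are ignored.
EVENT_LOG_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
03/01/1999,08:02:11,NETLOGON,Error,None,3097,N/A,ORIGPDC,A primary domain controller is already running in this domain.
03/01/1999,08:02:11,Service Control Manager,Error,None,7024,N/A,ORIGPDC,The Net Logon service terminated with service-specific error 3097.
03/01/1999,08:02:13,NETLOGON,Error,None,5512,N/A,STANDIN,Each domain should have only one PDC.
03/01/1999,08:05:40,EventLog,Information,None,6005,N/A,STANDIN,The Event log service was started.
"""

# (event id, lower-cased source) -> meaning, per the article's event list
SIGNATURES = {
    ("3097", "netlogon"): "Netlogon refused to start: another PDC is running",
    ("7024", "service control manager"): "Net Logon service terminated (error 3097)",
    ("5512", "netlogon"): "Netlogon reports two PDCs in the domain",
}

def find_pdc_conflicts(export_text):
    """Map computer name -> set of matching event IDs ("3097", "7024", "5512")."""
    hits = {}
    for rec in csv.DictReader(io.StringIO(export_text)):
        key = (rec["Event"].strip(), rec["Source"].strip().lower())
        if key not in SIGNATURES:
            continue
        if key[0] == "7024" and "3097" not in rec["Description"]:
            continue   # 7024 is generic; keep only the Net Logon / 3097 case
        hits.setdefault(rec["Computer"].strip(), set()).add(key[0])
    return hits

def losing_pdcs(export_text):
    """Computers whose Netlogon lost the collision: the ones that can be demoted."""
    return sorted(c for c, ids in find_pdc_conflicts(export_text).items()
                  if ids & {"3097", "7024"})

def two_pdcs_reported(export_text):
    """True if any computer logged Netlogon 5512."""
    return any("5512" in ids for ids in find_pdc_conflicts(export_text).values())

if __name__ == "__main__":
    for computer, ids in sorted(find_pdc_conflicts(EVENT_LOG_CSV).items()):
        print(computer, sorted(ids))
    print("two PDCs reported:", two_pdcs_reported(EVENT_LOG_CSV))
    print("demotion candidates:", losing_pdcs(EVENT_LOG_CSV))
```

A computer that appears in losing_pdcs is the second PDC to have started, which is the one the article says can be demoted; confirm with NET ACCOUNTS on each machine before acting, since the export only shows what was logged, not the current role.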