First of all, I'll translate what I said in Portuguese so that other PP don't
think that I'm saying something bad about you.
What I said was that you looked very excited talking about PDC and RID.
Which is a positive thing.
So let's look at the RID Allocation Master role:
Domain controllers running Windows 2000 and Windows Server 2003 have a
shared RID pool. The RID operations master is responsible for maintaining a
pool of RIDs to be used by the domain controllers in its domain and for
providing groups of RIDs to each domain controller when necessary. When a
new domain controller running Windows 2000 or Windows Server 2003 is added
to the domain, the RID master allocates a batch of approximately 500 RIDs
from the domain RID pool to that domain controller. Each time a new security
principal is created on a domain controller, the domain controller draws
from its local pool of RIDs and assigns one to the new object. When the
number of RIDs in a domain controller's RID pool falls below approximately
100, that domain controller submits background requests (by means of RPC)
for additional RIDs from the domain's RID master. The RID master allocates a
block of approximately 500 RIDs from the domain's RID pool to the pool of
the requesting domain controller.
The RID master does not actually maintain a pool of numbers. Rather, it
maintains the highest value of the last range it allocated. When a new
request is received, it increments that value by one to establish the low
value in the new RID pool and then adds four hundred and ninety nine to
establish the new maximum value. It sends these two values to the requesting
domain controller to use as its next allocation of RIDs.
If a domain controller's local RID pool is empty, and it cannot contact the
domain's RID master to request additional RIDs, the domain controller will
log event ID 16645, indicating that the maximum account identifier allocated
to the domain controller has been assigned and the domain controller has
failed to obtain a new identifier pool from the RID master. Likewise, when
attempting to add new objects in Active Directory, such as users, computers,
or domain controllers, you might notice event ID 16650 in the System log
indicating that the object cannot be created because the directory service
was unable to allocate a relative identifier. Network connectivity to the
RID master might have been lost or the RID master might have been removed
from the network. In any case, you cannot create new security principal
objects on the domain controller until RID pool acquisition is successful.
Primary Domain Controller (PDC) Emulator
The PDC emulator serves as primary domain controller for compatibility with
earlier Windows operating systems. Windows 2000 Server and Windows Server
2003 interoperate with Windows NT workstations, member servers, and backup
domain controllers. The primary domain controller (PDC) in a Windows NT 3.51
or Windows NT 4.0 domain is responsible for the following:
- Processing password changes from both users and computers
- Replicating updates to backup domain controllers
- Running the Domain Master Browser
Active Directory uses multimaster replication for most directory updates,
including password changes. Therefore, if the PDC emulator becomes
unavailable, the impact is small. However, in a mixed environment with
Windows NT-based domain controllers and Active Directory, the unavailability
of the PDC emulator has the following impact:
- When a user of a computer running Windows NT Workstation 4.0, Windows 95, or
  Windows 98 without the Active Directory client installed attempts a password
  change, the user sees a message similar to the following: "Unable to change
  password on this account. Please contact your system administrator."
- In a mixed domain, the event logs of Windows NT 4.0 BDCs contain entries
  showing failed replication attempts.
- In a mixed domain, when a user tries to start User Manager on a Windows NT
  4.0 backup domain controller, it results in a "domain unavailable" error
  message. If User Manager is already running, you will see an "RPC server
  unavailable" message. Attempting to create an account by using the net user
  /add command results in a "could not find domain controller for this domain"
  message. When you run Server Manager, you will see a message similar to the
  following: "Cannot find the primary domain controller for <domain name>. You
  may administer this domain, but certain domain-wide operations will be
  disabled."
As operating systems are upgraded, either to Windows XP, Windows 2000,
Windows Server 2003, or (for Windows NT Workstation 4.0, Windows 95, and
Windows 98) by installing the Active Directory client, they cease to rely on
the PDC and, instead, behave in the following manner:
- Clients do not make password changes at the PDC emulator. Instead,
  clients update passwords at any domain controller in the domain.
- The PDC emulator does not receive Windows NT 4.0 replication requests
  after all Windows NT 4.0 BDCs in a domain are upgraded to Windows 2000
  Server or Windows Server 2003.
- Clients use Active Directory to locate network resources. They do not
  require the Computer Browser service.
After all computers are upgraded to Windows XP, Windows 2000 and Windows
Server 2003, the domain controller holding the PDC emulator role performs
the following functions:
- When password changes are performed by other domain controllers in the
  domain, they are sent to the PDC emulator by using higher priority
  replication.
- When an authentication fails with an invalid password at other domain
  controllers in the domain, the authentication request is retried at the PDC
  emulator before failing. If a recent password update has reached the PDC
  emulator, the retried authentication request should succeed.
- When an authentication succeeds for an account for which the most recent
  authentication attempt at the domain controller failed, the domain
  controller communicates this fact ("zero lockout count") to the PDC
  emulator. This resets the lockout counter at the PDC emulator in case
  another client attempts to validate the same account by using a different
  domain controller.
Therefore, when the PDC emulator is unavailable, you might experience an
increase in support requests regarding password difficulties. However,
unlike the Windows NT 4.0 environment, where the PDC was the only computer
that wrote the updated password to the domain, in Windows 2000 Server and
Windows Server 2003, any domain controller can write the password update to
the directory and normal replication will ensure that all domain controllers
in the domain eventually become aware of the change. This will occur even if
the PDC emulator operations master remains unavailable.
WHY is the PDC a large consumer of RIDs? (which I don't agree with, but I
may be missing something) Explain that.
What I think MS wanted to say was: generally, the PDCe is used more than
any other master role server, for example:
- Password changes performed by other DCs in the domain are replicated
  preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an
  incorrect password are forwarded to the PDC emulator for validation before a
  bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Time synchronization for the domain.
- Group Policy changes are preferentially written to the PDC emulator.
So in conclusion:
You're right when you say that it doesn't make sense that a PDC is a larger
consumer of RIDs, because the RID pool is shared among all servers in the same
domain. And the "job" that the PDCe role does in fact has nothing to do with
the consumption of RID pools; however, the MS article's objective may be to
attract attention to the fact that some application may try to utilize the
PDC with preferential order, and if that app creates AD objects that need a
SID then IN FACT THE PDC WILL CONSUME MORE RID POOLS THAN ANY OTHER DC.
I believe that you're happy now.
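As an added example (not from the post or from the Microsoft text quoted in it), a small Python model of the allocation rule quoted above: the master keeps only the high watermark of the last range, hands out 500-RID ranges, a DC refills when it drops below 100, and a DC that cannot reach the master logs 16645/16650 once its local pool is gone. Class and method names are my own; the model shows that the DC that creates the objects is the one that draws pools, whichever DC holds the PDC emulator role.

```python
# Added example: model of the Windows 2000/2003 RID allocation rule quoted above.
POOL_SIZE = 500         # "approximately 500 RIDs" per batch from the RID master
REFILL_THRESHOLD = 100  # a DC asks for more once its local pool falls below this

class RidMaster:
    """The RID master keeps only the highest RID of the last range it allocated."""
    def __init__(self, last_high=1000):      # 1000 is a constructed starting point
        self.last_high = last_high
        self.reachable = True                # flip to False to model a lost master

    def allocate(self):
        if not self.reachable:
            raise ConnectionError("RID master unreachable")
        low = self.last_high + 1             # increment by one for the new low value
        high = low + POOL_SIZE - 1           # add 499 for the new maximum value
        self.last_high = high
        return low, high

class DomainController:
    def __init__(self, name, master):
        self.name, self.master = name, master
        self.ranges = []            # [low, high] ranges still holding unused RIDs
        self.pools_received = 0
        self.events = []            # event IDs this DC would write to its log
        self.request_pool()         # batch handed out when the DC joins the domain

    def request_pool(self):
        try:
            low, high = self.master.allocate()   # background RPC to the master
        except ConnectionError:
            return False
        self.ranges.append([low, high])
        self.pools_received += 1
        return True

    def remaining(self):
        return sum(high - low + 1 for low, high in self.ranges)

    def create_principal(self):
        """Return the RID given to a new security principal, or None if none is left."""
        if not self.ranges and not self.request_pool():
            self.events += [16645, 16650]    # local pool exhausted, master unreachable
            return None
        rng = self.ranges[0]
        rid = rng[0]
        rng[0] += 1
        if rng[0] > rng[1]:
            self.ranges.pop(0)
        if self.remaining() < REFILL_THRESHOLD:
            self.request_pool()              # refill attempt; a failure here is silent
        return rid
```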