Hi there, Happy New Year and welcome to my brand new blog "A touch of AD"
In this blog series I'll be "touching" on the key concepts and fundamentals related to Active Directory. Today we'll have a look at PDC Chaining.
Consider this, you're an Admin and a user calls you to reset his password. You assist with the reset and the user is immediately able to logon and you think how did this happen since you only just reset it and you know that the replication interval of 15 minutes is set between your DC's, so you would assume that the password change would have taken 15 minutes to be replicated to the DC that the user is logging onto. This is achieved via PDC chaining.
When the user tries to authenticate and the DC doesn’t believe that the password that was supplied is correct, that DC will repeat the authentication attempt against the PDC FSMO in that domain to see if the PDC has the password. Here is what actually happens.
1. Admin changes the user password. 2. User attempts to logon with new password but the DC that the user is logging onto doesn’t know the password yet. 3. So the DC forwards the request to the PDC. 4. The PDC accepts it and sends the updated user object back to the calling DC telling the calling DC that the authentication request was fine, you are allowed to logon. The updated user object is sent back to the calling DC using ReplicateSingleObject. 5. The original DC authenticates the user and the logon proceeds with the user being unaware.
But this raises two interesting questions, how did the PDC know the password in the first place? And what is ReplicateSingleObject?
The PDC knows the password because of a preferential push to the PDC, so whenever a domain controller receives a password update, that DC, out of replication band, pushes the password change to the PDC. The PDC, under optimal conditions should always have the latest copy of every users password. So in our scenario above, the administrator didn’t necessarily make the password change on the PDC, but could have made the change on any DC and the PDC would still have had the latest password.
ReplicateSingleObject is a mechanism that builds on top of the replication protocol and algorithms, but instead of updating all of the state about how far in sync one DC is with another, we just ignore all of that. We literally say I would like that object on that DC brought over here and we pull it over. It's just a simple way of getting important objects replicated between two specific DC's.
And that is PDC chaining. Thanks for reading and ciao for now!!!
Nice start N. keep it up buddy!