Primary vs. Additional Domain Controllers: What SMBs Need to Know in 2026

May 8, 2026


If you manage a Windows network, the terms PDC and ADC appear regularly in IT documentation, vendor proposals, and job descriptions. The labels carry historical baggage from the Windows NT era, and their meaning has shifted considerably since Active Directory replaced the original domain model.

What PDC and ADC Stand For

PDC stands for Primary Domain Controller, a Windows NT concept in which one server held the single writable master copy of the domain directory. All other controllers were Backup Domain Controllers (BDCs): read-only replicas that authenticated users but accepted no directory updates.

ADC stands for Additional Domain Controller, Microsoft’s official term for any secondary DC promoted into an existing Active Directory domain. Promoting one does not create a subordinate replica. It adds a full, equal peer that independently authenticates users, applies Group Policy, and stores a complete writable copy of the directory database.

Windows 2000 replaced the PDC/BDC model with multi-master replication. Every domain controller in a modern environment is writable, and all peers replicate changes to each other automatically. The PDC label survives today only through the PDC Emulator, one of five FSMO roles Microsoft assigns to specific domain controllers within each domain.

What Domain Controllers Actually Do for Your Network

A domain controller handles every function that keeps your Windows network running for authenticated users:

  • User authentication. Every login is validated against credentials stored in the domain database (NTDS.DIT) on an available DC.
  • Group Policy enforcement. DCs deliver the Group Policy Objects that push security settings, software configurations, and desktop restrictions to every domain-joined machine.
  • DNS resolution. Domain controllers host the DNS records that allow workstations and servers to locate each other and domain resources by name.
  • Directory replication. New accounts, password resets, and group membership changes replicate to every DC in the domain automatically via multi-master replication.
  • Kerberos ticket issuance. DCs issue the Kerberos tickets that authorize access to file shares, printers, and line-of-business applications.

When your only DC goes offline, all five of these functions fail simultaneously.

FSMO Roles Explained: Where the PDC Emulator Fits

Multi-master replication handles most Active Directory changes safely. Certain operations, however, create conflicts if more than one DC processes them at the same time. Microsoft defined five Flexible Single Master Operations (FSMO) roles to assign those tasks to a single authoritative DC per scope.

According to Microsoft’s FSMO role documentation, the five roles are:

  1. Schema Master. Controls all updates to the Active Directory schema structure. One per forest.
  2. Domain Naming Master. Manages adding and removing child domains within the forest. One per forest.
  3. RID Master. Allocates pools of Relative Identifiers used to build unique Security Identifiers for new directory objects. One per domain.
  4. Infrastructure Master. Maintains cross-domain group-to-user object references. One per domain.
  5. PDC Emulator. The most operationally active FSMO role in daily use. It serves as the authoritative time source for the domain (Kerberos requires all clocks to align within five minutes) and processes password changes before other DCs receive the replication update. It also handles account lockout processing and serves as the preferred target for Group Policy edits. One per domain.

The first DC promoted into a new domain holds all five roles by default. You can transfer roles to other DCs as the environment scales, with no interruption to Active Directory services during the transfer.
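As an added example (not code from the original article), the following PowerShell lists which DC holds each of the five FSMO roles, transfers the PDC Emulator to a second DC, and points the new holder at an external time source. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the DC name DC02 and the NTP server name are placeholders.

```powershell
# Added example: enumerate FSMO role holders and relocate the PDC Emulator.
# Requires the ActiveDirectory module (RSAT) and Domain Admin rights.
# "DC02" and "time.example.net" are placeholders for your own environment.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one holder per forest) and domain-wide roles
# (one holder per domain), as described in the FSMO section above.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Transfer (not seize) the PDC Emulator to the DC on the more reliable
# hardware. A transfer needs the current holder online, so the role changes
# hands cleanly and Active Directory services stay available throughout.
$oldHolder = $domain.PDCEmulator
$target    = 'DC02'
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Confirm the move is visible in the directory.
(Get-ADDomain).PDCEmulator

# The PDC Emulator is the domain's authoritative clock (Kerberos tolerates
# a five-minute skew), so it alone syncs from a reliable external source.
Invoke-Command -ComputerName $target -ScriptBlock {
    w32tm /config /manualpeerlist:"time.example.net" /syncfromflags:manual /reliable:YES /update
    w32tm /resync
    w32tm /query /status
}

# The previous holder goes back to following the domain hierarchy so two
# DCs never both claim to be the authoritative time source.
Invoke-Command -ComputerName $oldHolder -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:NO /update
    w32tm /resync
}
```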

How Many Domain Controllers Does a Small Business Need?

A single DC is a single point of failure. When it goes offline, every login, Group Policy refresh, and password change fails until the server is restored.

Two domain controllers are the practical minimum for any organization that depends on Windows authentication. If the first DC becomes unavailable, the ADC automatically handles authentication and Group Policy delivery with no manual failover required.

Sizing in practice for U.S. small businesses breaks down like this:

  • 25 to 200 users, single site. Two DCs are the standard configuration. Assign the PDC Emulator role to whichever DC runs on the more reliable hardware.
  • Multi-site organizations. Place at least one DC at each physical location. Routing authentication and Group Policy traffic across a slow or unreliable WAN link creates latency and failure points that a local DC eliminates.
  • 200+ users or high-uptime requirements. A third DC is justified. Beyond three, the added replication overhead and per-server licensing cost typically outweigh the marginal resilience gain for most organizations in this size range.

Licensing is the line item most DC expansion projects underestimate. Each ADC requires its own Windows Server license plus Client Access Licenses for every user authenticating through it. Factor that cost into the redundancy decision before promoting another controller.

Setting Up an Additional Domain Controller: Key Considerations

Promoting an additional domain controller is a straightforward process, but several configuration decisions determine whether the ADC actually improves resilience or simply adds complexity.

  1. Role and OS requirements. The promotion candidate must run a licensed Windows Server edition with the Active Directory Domain Services role installed. The Server Manager wizard or the PowerShell cmdlet Install-ADDSDomainController handles the promotion sequence.
  2. DNS and site topology. Review DNS configuration and Active Directory Sites and Services topology before promoting the ADC. Incorrect site assignment causes authentication traffic to route inefficiently across the network, which defeats the purpose of the second DC.
  3. Licensing costs. Each ADC requires its own Windows Server license plus CALs for all connecting users. Budget for both before initiating the promotion process.
  4. Post-promotion health verification. Run repadmin /replsummary and dcdiag after promotion to confirm replication health before the new DC handles any production authentication workload.
  5. Virtualization caveats. For virtualized domain controllers, confirm the hypervisor supports VM-Generation ID and avoid using VM snapshots as a recovery mechanism. Snapshot rollbacks can introduce USN rollback, which corrupts Active Directory replication across all DCs in the domain.
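The five steps above, carried through as one added PowerShell sequence (not the article's own code), run on the promotion candidate as a Domain Admin. The domain name corp.example.com, the site name Default-First-Site-Name and the DC name DC02 are placeholders; the commands themselves are the standard AD DS cmdlets and tools the steps name.

```powershell
# Added example: promote an ADC and verify it before it takes production load.
# Placeholders: corp.example.com (domain), Default-First-Site-Name (site),
# DC02 (the new DC). Run on the promotion candidate as a Domain Admin.

# Step 1. Install the AD DS role and its management tools.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Step 2. Confirm the site this DC should join exists and owns the right
#         subnets, so clients at this location authenticate locally rather
#         than across the WAN.
Import-Module ActiveDirectory
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Step 3. Promote as a replica DC into the existing domain, hosting DNS.
#         (Licensing from step 3 of the list is a budget item, not a cmdlet.)
#         The cmdlet prompts for the DSRM password; the server then reboots.
Install-ADDSDomainController -DomainName 'corp.example.com' `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns `
    -Credential (Get-Credential 'CORP\Administrator') `
    -Force

# Step 4. Post-promotion health, after the reboot. Any fails or errors in
#         the summary, or any dcdiag failure, must be resolved before the
#         DC handles production logons.
repadmin /replsummary
dcdiag /c /q            # comprehensive test set, print failures only
dcdiag /test:DNS /q     # DNS registration and delegation for the new DC

# Step 5. Virtualization: a populated msDS-GenerationId on the DC's computer
#         object means the hypervisor exposes a VM-Generation ID, so the DC
#         can detect a snapshot rollback and protect itself from USN rollback.
$dc = Get-ADComputer -Identity 'DC02' -Properties 'msDS-GenerationId'
if ($dc.'msDS-GenerationId') {
    'VM-Generation ID present; snapshot rollback is detectable.'
} else {
    'No VM-Generation ID: never restore this DC from a snapshot.'
}
```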

Domain Controller Redundancy and What Happens When One Fails

Running two DCs protects against the most common failure scenarios: a single server going offline, a scheduled maintenance window, or a hardware replacement. Workstations with cached credentials can still unlock locally if both DCs are unreachable. New logins, password changes, and Group Policy refreshes, however, fail until at least one DC comes back online.

The failure mode that DC redundancy cannot address is database corruption. NTDS.DIT corruption from ransomware, hardware failure, or an improper shutdown is among the most severe Active Directory failures. If the corrupted database replicates to all DCs before the problem is detected, every domain controller in the environment propagates the damage.

Redundancy protects against hardware failure. It does not protect against replicated corruption.

Pairing DC redundancy with professional data backup and recovery services closes the gap that failover alone cannot address. A verified, regularly tested System State backup is the only reliable recovery path after full database corruption.

Recovery from a bare-metal DC rebuild without a valid backup is measured in hours to days. With a current System State backup and a documented restore procedure, restoration on equivalent hardware can complete in under an hour. Routine replication health checks using repadmin and dcdiag, combined with a validated backup cadence, belong in every SMB’s scheduled IT maintenance cycle.
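The routine check described in this section, as an added PowerShell script (not from the original article) suitable for a scheduled task on a DC. The 24-hour replication and 7-day backup thresholds are assumptions to tune to your recovery point objective; it requires the ActiveDirectory module and, for the backup-age check, the WindowsServerBackup module that ships with the Windows Server Backup feature.

```powershell
# Added example: scheduled replication and backup-age check for an SMB domain.
# Thresholds (24h since last successful replication, 7 days since last
# System State backup) are assumptions; align them with your RPO.
Import-Module ActiveDirectory

$problems = @()

# Replication: every DC should have replicated successfully with every
# partner recently, and the replication failure table should be empty.
$meta = Get-ADReplicationPartnerMetadata -Target * -Scope Domain
foreach ($m in $meta) {
    if ($m.LastReplicationResult -ne 0 -or
        $m.LastReplicationSuccess -lt (Get-Date).AddHours(-24)) {
        $problems += "Replication $($m.Server) <- $($m.Partner): " +
                     "result $($m.LastReplicationResult), " +
                     "last success $($m.LastReplicationSuccess)"
    }
}
foreach ($f in (Get-ADReplicationFailure -Target * -Scope Domain)) {
    $problems += "Replication failure on $($f.Server) from $($f.Partner): " +
                 "$($f.FailureCount) attempts since $($f.FirstFailureTime)"
}

# Backup age. Active Directory records the last backup time per partition
# (shown by repadmin /showbackup); Windows Server Backup reports the last
# successful job on this server. A DC that has never been backed up, or
# not within the window, has no reliable path back from NTDS.DIT corruption.
repadmin /showbackup
if (Get-Module -ListAvailable -Name WindowsServerBackup) {
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    if (-not $last -or $last -lt (Get-Date).AddDays(-7)) {
        $problems += "Last successful backup on $env:COMPUTERNAME: $last " +
                     "(none, or older than 7 days)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1    # non-zero exit so the scheduler or monitoring tool alerts
}
'Replication and backup checks passed.'
```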

On-Premises DCs, Microsoft Entra ID, or Hybrid: The 2026 Decision

The PDC/ADC question does not exist in isolation. For many SMBs evaluating identity infrastructure in 2026, the deeper question is whether to maintain on-premises domain controllers at all.

  • On-premises Active Directory remains the right architecture for organizations with legacy applications requiring domain-joined machines, LDAP authentication, or Group Policy management. Moving those workloads to cloud identity requires compatibility testing and, often, application upgrades.
  • Microsoft Entra ID (formerly Azure Active Directory) provides cloud-based identity with no on-premises DC hardware to maintain. It fits businesses running primarily on Microsoft 365 and SaaS applications, eliminating FSMO role management and the hardware replacement cycle entirely.
  • Hybrid environments connect on-premises Active Directory to Entra ID via Microsoft Entra Connect. This is the most common configuration for businesses mid-transition in 2026, delivering single sign-on for cloud applications while preserving compatibility with on-premises systems.

Whichever architecture your organization selects, the identity layer belongs inside a formally documented plan. Structured business continuity solutions define recovery time objectives and failover procedures before an incident forces the conversation. How long your organization can operate without authentication should be a deliberate decision, not a post-incident discovery.

A managed IT partner can assess whether your current DC setup matches your actual workload and resilience requirements. If on-premises infrastructure is adding maintenance burden without proportional benefit, they can map a path forward.


When domain controllers are properly sized, redundant, backed up, and integrated into a documented recovery plan, identity infrastructure operates as an invisible enabler rather than a recurring liability. That’s the standard every small business should hold its directory services to.

LeadingIT provides managed IT services to businesses across the Chicagoland area, including Active Directory management, domain controller configuration, System State backup, and disaster recovery planning for organizations with 25 to 250 employees.

