Primary domain controller emulator operations master

The PDC operations master role is a domain-wide setting, which means each domain in the forest will have a PDC operations master role holder. One of the common Active Directory interview questions is this: what FSMO role is responsible for time synchronization? The answer is PDC! By default, an Active Directory environment allows a maximum time difference (time skew) of five minutes. If the difference is more than five minutes, devices will not be able to join the domain, users will not be able to authenticate, and Active Directory-integrated applications will start throwing authentication-related errors.

It is important that domain controllers, computers, and servers in the Active Directory domain agree on one clock:

Computers and servers in a domain will sync their time with the domain controller they are authenticated with. Then, all of the domain controllers will sync their time with their domain PDC role holder. All the domain PDC role holders will sync the time with the forest root domain PDC role holder. In the end, the root domain PDC role holder will sync the time with an external time source.

Apart from time synchronization, the PDC role holder is also responsible for maintaining password change replication. Also, in the event of authentication failures, the PDC is responsible for locking down the account. All password changes made on other domain controllers are reported back to the PDC role holder. If an authentication failure occurs on a domain controller, then before it passes the authentication failure message to the user, it will check the password saved in the PDC, as that will prevent errors that can occur due to password replication issues. The PDC is also responsible for managing Group Policy Object (GPO) edits. Every time a GPO is viewed or updated, it will be done from the copy stored in the PDC's SYSVOL folder.

In the Active Directory domain, the PDC role owner can be found using the following command:

Get-ADDomain | select PDCEmulator
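
The time hierarchy and the PDC lookup described above can be checked across a whole forest. The script below is an added example, not code from the book: it finds each domain's PDC emulator, records where that PDC takes its time from, and measures every domain controller's clock against it, flagging anything beyond the five-minute default. It assumes the ActiveDirectory (RSAT) module and the usual w32tm /dataonly sample line format; Get-ClockOffsetSeconds and $maxSkewSeconds are names chosen for this illustration.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) and NTP (UDP 123) reachability.
Import-Module ActiveDirectory

$maxSkewSeconds = 300   # the five-minute default tolerance

# Offset in seconds between this machine's clock and $Computer, or $null on failure.
# Assumes w32tm's /dataonly sample line format, e.g. "12:34:56, +00.0123456s".
function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$Computer)
    $out = w32tm /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # host unreachable, NTP blocked, or unexpected output
}

$forest = Get-ADForest
foreach ($domainName in $forest.Domains) {
    $pdc = (Get-ADDomain -Server $domainName).PDCEmulator
    $pdcOffset = Get-ClockOffsetSeconds -Computer $pdc
    if ($null -eq $pdcOffset) {
        Write-Warning "No time sample from PDC emulator $pdc in $domainName"
        continue
    }
    # Where the PDC emulator takes its time from (external source expected at the forest root).
    $source = (w32tm /query /source "/computer:$pdc" 2>&1) -join ' '

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        $dcOffset = Get-ClockOffsetSeconds -Computer $dc.HostName
        # Both offsets are relative to this machine, so their difference is DC vs. PDC.
        $skew = $null
        $status = 'NoSample'
        if ($null -ne $dcOffset) {
            $skew = [math]::Round($dcOffset - $pdcOffset, 3)
            $status = if ([math]::Abs($skew) -gt $maxSkewSeconds) { 'OverLimit' } else { 'OK' }
        }
        [pscustomobject]@{
            Domain        = $domainName
            DC            = $dc.HostName
            IsPDC         = ($dc.HostName -eq $pdc)
            PDCTimeSource = $source
            SkewVsPDCsec  = $skew
            Status        = $status
        }
    }
}
```

A NoSample row means the offset could not be measured from the machine running the script, which is not the same as the DC being in sync.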