Flash Tip: June 8, 2005

Flash Tip: How password changes are communicated between Active Directory sites
by John Savill, https://www.windows2000faq.com

Q: How are password changes communicated between Active Directory sites?

A: When a domain controller carries out a password change, the change is forwarded to the domain controller that holds the PDC emulator operations master role (the PDC emulator is one of the Flexible Single Master Operation, or FSMO, roles). This forwarding isn't urgent replication; it's a separate notification that reaches the PDC emulator outside of the regular replication connections.

When a user submits an authentication request with a password that the receiving domain controller rejects, that domain controller, before failing the authentication, asks the PDC emulator to verify the password and to confirm whether a newer password is in use. If the password has changed, the PDC emulator communicates the new password to that domain controller outside of the normal replication cycle. This verification of rejected passwords is performed for any domain controller in the domain, not just those in the PDC emulator's own site.

If your PDC emulator isn't responding in this way, it's possible that someone has turned off the password-change PDC communication for domain controllers in sites that are not local to the PDC emulator. The process for changing the default is described in the FAQ "How can I stop password changes from being pushed to the PDC FSMO over WAN links?" Firewall restrictions can also block the password-verification traffic that the default settings rely on.
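The exchange described in the two paragraphs above, and the symptom that appears when the cross-site PDC communication is turned off, as an added Python simulation that is not part of the original tip: three toy domain controllers (the names DC-A, DC-B and DC-C, the user alice and the passwords are constructed), a version counter standing in for replication metadata, and SHA-256 standing in for the stored credential.

```python
import hashlib

def digest(password):
    # Stand-in for the stored credential (constructed; not AD's real storage format).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

class DomainController:
    def __init__(self, name, pdc=None, forward_to_pdc=True):
        self.name, self.pdc = name, pdc        # pdc None: this DC holds the PDC emulator role
        self.forward_to_pdc = forward_to_pdc   # the setting the tip says someone may have turned off
        self.db = {}                           # user -> (version, digest)
        self.pdc_queries = 0                   # how often this DC consulted the PDC emulator

    def receive(self, user, record):
        if user not in self.db or record[0] > self.db[user][0]:   # accept only newer records
            self.db[user] = record

    def change_password(self, user, new_password):
        version = self.db.get(user, (0, None))[0] + 1
        self.db[user] = (version, digest(new_password))
        if self.pdc is not None and self.forward_to_pdc:
            self.pdc.receive(user, self.db[user])   # forwarded at once, outside normal replication

    def replicate_from(self, partner):
        for user, record in partner.db.items():   # normal scheduled replication: pull newer records
            self.receive(user, record)

    def authenticate(self, user, password):
        record = self.db.get(user)
        if record is not None and record[1] == digest(password):
            return True
        if self.pdc is not None and self.forward_to_pdc:
            # Before failing, ask the PDC emulator whether a newer password is in use.
            self.pdc_queries += 1
            newer = self.pdc.db.get(user)
            if newer is not None and (record is None or newer[0] > record[0]):
                self.receive(user, newer)        # the PDC emulator pushes the new password to this DC
                return newer[1] == digest(password)
        return False

def scenario(forward_to_pdc=True):
    pdc = DomainController("DC-A")                                     # Site-A, PDC emulator
    dc_b = DomainController("DC-B", pdc, forward_to_pdc)               # Site-B
    dc_c = DomainController("DC-C", pdc, forward_to_pdc)               # Site-C
    pdc.change_password("alice", "Old-Pass-1")
    dc_b.replicate_from(pdc); dc_c.replicate_from(pdc)                 # all sites hold the old password
    dc_b.change_password("alice", "New-Pass-2")                        # change made in a remote site
    before = dc_c.authenticate("alice", "New-Pass-2")                  # stale DC: local check fails first
    pdc.replicate_from(dc_b); dc_c.replicate_from(pdc)                 # scheduled replication catches up
    return before, dc_c.authenticate("alice", "New-Pass-2"), dc_c.pdc_queries
```

`scenario()` returns `(True, True, 1)`: the stale DC accepts the new password only because it consulted the PDC emulator; `scenario(forward_to_pdc=False)` returns `(False, True, 0)`, the logon failing until scheduled replication delivers the change.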

This Windows tip is brought to you by Windows IT Pro (formerly Windows & .NET Magazine).