How are password changes communicated between Active Directory (AD) sites?

John Savill

May 16, 2005

1 Min Read
ITPro Today logo in a gray background | ITPro Today

A. When a domain controller (DC) carries out a password change, the change is forwarded to the PDC Flexible Single-Master Operation (FSMO) role holder for the domain. This change isn't an urgent replication but instead is a separate communication that notifies the PDC FSMO outside of regular replication connections. When a client uses an incorrect password to initiate an authentication request, before failing the authentication, the DC that received the authentication request asks the PDC FSMO to verify the password and confirm whether a new password is in use. If so, the FSMO communicates the password to the DC outside of normal replication cycles (out of band). This communication for verifying incorrect passwords is for any DC in the domain, not just those within a local site. If you don't see this behavior, it's possible that someone has turned off the password-change PDC communication for DCs in sites not local to the PDC emulator. The process for doing so is described in the FAQ "How can I stop password changes from being pushed to the PDC FSMO over WAN links?" ( http://www.windowsitpro.com/articles/index.cfm?articleid=21788 ). Firewall restrictions can also block the password-verification default behavior.

About the Author

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like