Effects of Machine Account Replication on a Domain

Last reviewed: March 17, 1998
Article ID: Q175468
The information in this article applies to:
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.

SYMPTOMS

For each Windows NT Workstation that is a member of a domain, there is a discrete communication channel (the secure channel) with a domain controller.

The secure channel's password is stored with the computer account on the primary domain controller (PDC) and is replicated to all backup domain controllers (BDCs). The workstation keeps its own copy of the password in the LSA secret $MACHINE.ACC; each workstation holds its own such secret.

Every seven days, the workstation sends a secure channel password change and the computer account password is updated. Computer account password changes are marked as "Announce Immediate" so that each time a computer account password is modified, a replication takes place immediately.

A new Netlogon parameter is available as a hotfix so that the 7-day period may be extended up to 1,000,000 days.

MORE INFORMATION

For example, if a domain has 1,000 workstations, a computer account password change will occur, on average, every:

   1 week / 1000 = 7 x 24 x 60 / 1000 minutes = about 10 minutes

Therefore, a SAM replication takes place every 10 minutes regardless of the replication interval defined on the PDC (for example, with the Pulse and PulseMaximum registry settings).

If all domain controllers are on the same LAN, the behavior described above only leads to PDC overload. But if the BDCs are spread across different subnets interconnected by routers, each replication can be expensive. For example, with 100 BDCs connected to a central site over ISDN lines, each replication results in at least 100 ISDN connections.

In such a configuration, computer account password changes cost, per month:

   (30 days / 10 minutes) * 100 BDCs = (30 x 24 x 60 / 10) * 100

   = 432 000 ISDN connections
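The calculation above, carried through as a small Python model (an added example, not part of the KB article). It generalizes the article's figures to any number of workstations and BDCs and to the MaximumPasswordAge value that the hotfix mentioned in the SYMPTOMS section introduces. The article rounds the interval to 10 minutes; these functions keep the exact 10.08 minutes, so the monthly figure comes out at about 428,571 connections rather than 432,000. The function names and the 30-day month are the example's own assumptions.

```python
"""Model of SAM replication load caused by machine account password changes.

Added example (not from the KB article). It turns the article's arithmetic
(1,000 workstations, 7-day age -> one change every ~10 minutes; 100 BDCs over
ISDN -> roughly 432,000 connections per month) into functions so an
administrator can plug in their own domain size, BDC count and the
MaximumPasswordAge value (in days) provided by the hotfix.
"""
import math

MINUTES_PER_DAY = 24 * 60
DEFAULT_MAX_AGE_DAYS = 7          # NetLogon default stated in the article
MAX_AGE_RANGE = (1, 1_000_000)    # documented range of MaximumPasswordAge (days)


def _check_age(max_age_days):
    lo, hi = MAX_AGE_RANGE
    if not lo <= max_age_days <= hi:
        raise ValueError(f"MaximumPasswordAge must be within {lo}..{hi} days")


def minutes_between_changes(workstations, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Average minutes between two computer account password changes.

    Each workstation changes its password once every max_age_days, so the
    domain as a whole sees workstations / max_age_days changes per day.
    """
    if workstations <= 0:
        raise ValueError("need at least one workstation")
    _check_age(max_age_days)
    return max_age_days * MINUTES_PER_DAY / workstations


def replications_per_month(workstations, max_age_days=DEFAULT_MAX_AGE_DAYS, days=30):
    """Number of replications in a month of `days` days.

    Every password change is marked "Announce Immediate", so each one triggers
    a PDC -> BDC replication regardless of Pulse / PulseMaximum.
    """
    return days * MINUTES_PER_DAY / minutes_between_changes(workstations, max_age_days)


def isdn_connections_per_month(workstations, bdcs, max_age_days=DEFAULT_MAX_AGE_DAYS, days=30):
    """Lower bound on dial-up connections: each replication reaches every BDC."""
    return replications_per_month(workstations, max_age_days, days) * bdcs


def max_age_for_target_interval(workstations, target_minutes):
    """Smallest MaximumPasswordAge (days) so that, on average, the domain sees
    at most one password change per target_minutes (the "Method Three" knob).
    """
    if workstations <= 0 or target_minutes <= 0:
        raise ValueError("workstations and target_minutes must be positive")
    days = max(MAX_AGE_RANGE[0], math.ceil(target_minutes * workstations / MINUTES_PER_DAY))
    _check_age(days)
    return days


if __name__ == "__main__":
    # The article's scenario: 1,000 workstations, 100 BDCs behind ISDN.
    print(f"interval: {minutes_between_changes(1000):.2f} minutes")
    print(f"ISDN connections/month: {isdn_connections_per_month(1000, 100):,.0f}")
    # What MaximumPasswordAge would limit the same domain to one change per hour?
    age = max_age_for_target_interval(1000, 60)
    print(f"MaximumPasswordAge={age} days -> "
          f"{isdn_connections_per_month(1000, 100, age):,.0f} connections/month")
```

The last two lines of the demo show the lever the hotfix gives an administrator: raising the age from 7 to 42 days stretches the average interval in a 1,000-workstation domain from about 10 minutes to about an hour, and the monthly ISDN figure shrinks by the same factor.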

RESOLUTION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.

There are three workarounds for this issue.

Method One

The first workaround consists of adding the following registry parameter on all Windows NT workstations:

   Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
   Value   = DisablePasswordChange REG_DWORD 1
   Default = 0

This prevents workstations from changing their passwords. The value can be added after the workstation has joined the domain (and restarted), so that the computer account password has been changed at least once to a random value known only to the system.

Method Two

The second workaround consists of refusing password changes at the domain controller level. On all domain controllers, add the following registry value:

   Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
   Value   = RefusePasswordChange REG_DWORD 1
   Default = 0

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

   ARTICLE-ID: Q154501
   TITLE     : How to Disable Automatic Machine Account Password Changes

Method Three

A new parameter has been added as a hotfix in order to change the frequency at which workstations change the secure channel password. It can be added on all workstations and also on all BDCs.

   Key     = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
   Value   = MaximumPasswordAge REG_DWORD
   Default = 7
   Range   = 1 to 1,000,000 (in days)

The above parameter is specified in days. The default value is seven and the minimum value is one.
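An audit script for the three values described in the methods above, added here as an example (not part of the KB article or of Windows). It reads the values with Python's standard winreg module from the local machine or, via the remote registry service, from a named computer (Windows only), and interprets them as the article describes: DisablePasswordChange stops rotation on a workstation, RefusePasswordChange makes a domain controller refuse changes, and MaximumPasswordAge changes the period. The assess() function is pure and runs on any platform against values collected by other means (for example a registry export). The function names, the "workstation"/"dc" role labels and the wording of the findings are the example's own.

```python
"""Audit the NetLogon parameters discussed in this article.

Added example (not from the KB article). Only read_netlogon_parameters()
touches the registry; assess() works from a plain dict so it can be tested
and used anywhere.
"""
import sys

NETLOGON_KEY = r"SYSTEM\CurrentControlSet\Services\NetLogon\Parameters"
VALUES = ("DisablePasswordChange", "RefusePasswordChange", "MaximumPasswordAge")
DEFAULTS = {"DisablePasswordChange": 0, "RefusePasswordChange": 0,
            "MaximumPasswordAge": 7}          # defaults stated in the article
AGE_RANGE = (1, 1_000_000)                    # documented range, in days


def read_netlogon_parameters(computer=None):
    """Return {value name: DWORD or None} from HKLM (Windows only).

    computer: None for the local machine, or a NetBIOS name for a remote
    registry read (assumes the remote registry service is reachable).
    Absent values come back as None so assess() can apply the defaults.
    """
    if sys.platform != "win32":
        raise RuntimeError("winreg is only available on Windows")
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE
    if computer:
        hive = winreg.ConnectRegistry("\\\\" + computer, winreg.HKEY_LOCAL_MACHINE)
    result = {}
    with winreg.OpenKey(hive, NETLOGON_KEY) as key:
        for name in VALUES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
                result[name] = data if kind == winreg.REG_DWORD else None
            except FileNotFoundError:
                result[name] = None
    return result


def assess(params, role):
    """Describe the effective machine account password behaviour.

    params: dict of value name -> DWORD, with None or a missing key for an
            absent value.
    role:   "workstation" or "dc". The article applies DisablePasswordChange
            to workstations, RefusePasswordChange to domain controllers and
            MaximumPasswordAge to workstations and BDCs.
    Returns rotation_days (None = never rotates), refuses_changes (DCs only)
    and a list of human-readable findings.
    """
    if role not in ("workstation", "dc"):
        raise ValueError("role must be 'workstation' or 'dc'")
    eff = {name: DEFAULTS[name] if params.get(name) is None else params[name]
           for name in VALUES}
    findings = []
    age = eff["MaximumPasswordAge"]
    lo, hi = AGE_RANGE
    if not lo <= age <= hi:
        findings.append(f"MaximumPasswordAge={age} is outside the documented "
                        f"range {lo}..{hi} days")
    rotation_days = None if eff["DisablePasswordChange"] else age
    if rotation_days is None:
        findings.append("Method One in effect: this machine never changes its "
                        "secure channel password; the current password stays in use")
    elif rotation_days != DEFAULTS["MaximumPasswordAge"]:
        findings.append(f"Method Three in effect: secure channel password changes "
                        f"every {rotation_days} days instead of 7")
    refuses = role == "dc" and bool(eff["RefusePasswordChange"])
    if refuses:
        findings.append("Method Two in effect: this domain controller refuses "
                        "machine account password changes")
    return {"role": role, "rotation_days": rotation_days,
            "refuses_changes": refuses, "findings": findings}


if __name__ == "__main__":
    # Usage: python netlogon_audit.py <workstation|dc> [computer]
    role = sys.argv[1] if len(sys.argv) > 1 else "workstation"
    computer = sys.argv[2] if len(sys.argv) > 2 else None
    report = assess(read_netlogon_parameters(computer), role)
    print(f"{computer or 'localhost'} ({report['role']}): "
          f"rotation every {report['rotation_days']} days")
    for line in report["findings"]:
        print("  -", line)
```

Running it with no findings means the machine is on the default 7-day rotation; a "Method One" finding on a workstation is the trade-off the article points out, the password is never rotated after the join, so it is worth inventorying which machines carry that setting.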

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.


Additional query words: registry regedit regedt32
Keywords : kbbug4.00 kbfix4.00 ntdomain NTSrvWkst
Version : WinNT:4.0
Platform : winnt
Hardware : x86
Issue type : kbbug
Solution Type : kbfix


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.