New Password Change and Conflict Resolution Functionality in Windows 2000

ID: Q225511


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

By default, whenever a machine account password or user password is changed, or a domain controller receives a client authentication request with an incorrect password, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role for the domain is contacted. This article describes a new registry value that an administrator can use to control when the PDC is contacted, which can help reduce communication costs between sites.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

The following registry value can be modified to control Password Notification and Password Conflict Resolution as described below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AvoidPdcOnWan
Registry type: REG_DWORD
Registry value data: 0 (or value not present) or 1
0 or value not present = FALSE (to disable)
1 = TRUE (to enable)
Default: (value is not present)
Platform: Only Windows 2000 Domain Controllers

Password Change Notification

By default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.

If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. Instead, the PDC learns of the change through normal Active Directory replication and, if the domain is in mixed mode, in turn replicates it to down-level domain controllers. If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.

Password Conflict Resolution

By default, Windows NT 4.0 and Windows 2000 domain controllers query the PDC FSMO role owner if a client is attempting to authenticate using a password that is incorrect according to its local database. If the password sent by the client is found to be correct on the PDC, the client is allowed access and the domain controller replicates the password change.

The AvoidPdcOnWan value can be used by administrators to control when Windows 2000 domain controllers attempt to use the Windows 2000 PDC FSMO role owner to resolve password conflicts.

If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO role owner is located at another site, the domain controller does not try to authenticate a client against password information stored on the PDC FSMO. Note, however, that a client whose password is correct on the PDC but not yet present in the local database is then denied access.
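As an added example that is not part of this article, the following PowerShell functions audit and change the AvoidPdcOnWan value described above, treating a missing value as FALSE as the article specifies. It assumes a management host with PowerShell 3.0 or later and the CIM cmdlets (Windows 2000 itself has neither; there, use Regedit.exe or Regedt32.exe as described), and the domain-role check via Win32_ComputerSystem is an assumption not taken from the article.

```powershell
# Added example, not from the KB article. Assumes PowerShell 3.0+ and CIM cmdlets.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'AvoidPdcOnWan'

function Get-AvoidPdcOnWan {
    # Report the effective setting. Per the KB, an absent value means FALSE.
    $item = Get-ItemProperty -Path $NetlogonParams -Name $ValueName -ErrorAction SilentlyContinue
    $data = if ($null -eq $item) { $null } else { [int]$item.$ValueName }
    if ($null -ne $data -and $data -notin 0, 1) {
        Write-Warning "$ValueName holds $data; the KB documents only 0 or 1."
    }
    $effect = if ($data -eq 1) {
        'Password changes reach a PDC at another site only via AD replication; ' +
        'incorrect-password logons are not retried against a remote PDC, so a client ' +
        'whose new password has not yet replicated locally is denied access.'
    } else {
        'Password changes go to the PDC immediately over Netlogon RPC and ' +
        'incorrect-password logons are retried against the PDC.'
    }
    [pscustomobject]@{
        Present = ($null -ne $data)
        Data    = $data
        Enabled = ($data -eq 1)
        Effect  = $effect
    }
}

function Set-AvoidPdcOnWan {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Assumption: the value only matters on domain controllers.
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -notin 4, 5) { throw "$ValueName applies only to domain controllers." }
    $data = if ($Enabled) { 1 } else { 0 }
    # Create or overwrite the REG_DWORD, then return the resulting state.
    New-ItemProperty -Path $NetlogonParams -Name $ValueName -PropertyType DWord `
        -Value $data -Force | Out-Null
    Get-AvoidPdcOnWan
}

# Audit the current setting on this host.
Get-AvoidPdcOnWan | Format-List
```

Run Get-AvoidPdcOnWan on each domain controller before enabling the value, since the Effect text shows the authentication side effect the article warns about.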


Keywords : kbenv ntsecurity
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.