= A Windows 2000 Client Authenticates with the Primary Domain Controller Operations Master After a Password Change =

Article ID: 268518

Article Last Modified on 1/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q268518



SYMPTOMS
In typical operations, a Windows 2000-based domain user should be authenticated by the "closest" domain controller in the domain. This is usually a domain controller that is located in the same site as the client. The mechanism that controls this behavior is described in the Windows 2000 Distributed System Guide. However, in some cases, the authentication takes place with the primary domain controller operations master (also known as flexible single-master operations or FSMO) for the domain, even if it is in a site that is physically remote from the client.

Specifically, this behavior occurs if a user attempts to log on and is prompted to change his or her domain password. After the password change, the subsequent logon authentication takes place between the client and the primary domain controller operations master. If the primary domain controller operations master is located in another physical location, there might be a delay in the logon processing (depending on bandwidth restrictions). Subsequent logon attempts from that client within 10 minutes are also authenticated by the primary domain controller operations master.

This problem can result in longer logon times and slow processing of logon scripts and other processes that are triggered by logging on.



CAUSE
This problem occurs because the Windows 2000-based client caches a Kerberos binding to the primary domain controller operations master during the process before the password change. Cached bindings are used to help optimize the Kerberos authentication process. In this case, the checks that typically ensure that the domain controller with which authentication takes place is the closest one are bypassed. Cached bindings for remote domain controllers have a nominal lifetime of 600 seconds.
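The following Python model, added here for illustration and not code from Microsoft or from the article, reproduces the behavior described above: a site-aware locator picks the closest domain controller, but a binding cached during the password change points at the PDC operations master and is reused unchanged until the 600-second lifetime expires. The domain controller names, site names and the timeline are constructed for the example.

```python
"""Model of the cached-binding behavior described in KB 268518.

Constructed example, not Microsoft code. Domain controllers, sites and
timestamps are made up; the 600-second lifetime is the value stated in
the article.
"""
from dataclasses import dataclass, field
from typing import List, Optional

BINDING_LIFETIME_SECONDS = 600  # nominal lifetime of a cached remote-DC binding


@dataclass
class DomainController:
    name: str
    site: str
    is_pdc_master: bool = False


@dataclass
class CachedBinding:
    dc: DomainController
    expires_at: float  # seconds on the model's clock


@dataclass
class KerberosClient:
    site: str
    dcs: List[DomainController]
    binding: Optional[CachedBinding] = None
    log: list = field(default_factory=list)

    def closest_dc(self) -> DomainController:
        # Site-aware choice: prefer a domain controller in the client's own site.
        for dc in self.dcs:
            if dc.site == self.site:
                return dc
        return self.dcs[0]

    def pdc_master(self) -> DomainController:
        return next(dc for dc in self.dcs if dc.is_pdc_master)

    def change_password(self, now: float) -> DomainController:
        # The password change is serviced by the PDC operations master and the
        # client keeps a binding to it for the cached-binding lifetime.
        pdc = self.pdc_master()
        self.binding = CachedBinding(pdc, now + BINDING_LIFETIME_SECONDS)
        self.log.append((now, "pwchange", pdc.name))
        return pdc

    def logon(self, now: float) -> DomainController:
        # A live cached binding is used as-is: the closest-DC check is skipped.
        if self.binding is not None and now < self.binding.expires_at:
            dc = self.binding.dc
        else:
            self.binding = None  # expired: fall back to the site-aware locator
            dc = self.closest_dc()
        self.log.append((now, "logon", dc.name))
        return dc


def scenario() -> List[str]:
    """Branch-office client; PDC operations master sits in a remote HQ site."""
    dcs = [
        DomainController("DC-LOCAL", "Branch"),
        DomainController("DC-PDC", "HQ", is_pdc_master=True),
    ]
    client = KerberosClient(site="Branch", dcs=dcs)
    return [
        client.logon(0).name,             # before the change: local DC
        client.change_password(10).name,  # change goes to the PDC master
        client.logon(20).name,            # within 600 s: PDC master again
        client.logon(500).name,           # still within the lifetime
        client.logon(700).name,           # binding expired: local DC again
    ]


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Running `scenario()` yields `DC-LOCAL, DC-PDC, DC-PDC, DC-PDC, DC-LOCAL`: every logon in the ten minutes after the password change is serviced by the remote PDC operations master, which is the delay the SYMPTOMS section describes.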



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

   Date         Time   Version        Size     File name
   -------------------------------------------------------------------
   21-Jun-2001  03:23  5.0.2195.3737  355,088  Advapi32.dll
   21-Jun-2001  03:23  5.0.2195.3738  142,608  Kdcsvc.dll
   13-Jun-2001  20:43  5.0.2195.3738  209,008  Kerberos.dll
   29-May-2001  12:26  5.0.2195.3739   69,456  Ksecdd.sys
   13-Jun-2001  20:32  5.0.2195.3738  501,520  Lsasrv.dll (128-bit)
   13-Jun-2001  20:32  5.0.2195.3738  501,520  Lsasrv.dll (56-bit)
   13-Jun-2001  08:32  5.0.2195.3738   33,552  Lsass.exe
   21-Jun-2001  03:23  5.0.2195.3758  909,072  Ntdsa.dll
   21-Jun-2001  03:23  5.0.2195.3762  382,224  Samsrv.dll
   29-May-2001  12:53  5.0.2195.3649  128,784  Scecli.dll
   30-May-2001  05:19  5.0.2195.3649  299,792  Scesrv.dll
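The check below, added here as an example and not part of the article or of any Microsoft tool, compares an inventory of installed file versions against the minimum versions in the table above. The inventory in `SAMPLE_INSTALLED` is constructed; on a real system the values would be read from each file's version resource. Versions are compared as tuples of integers, because a plain string comparison misorders build numbers of different lengths.

```python
"""Verify that installed Windows 2000 binaries meet the KB 268518 fix versions.

Constructed example, not Microsoft tooling. REQUIRED_VERSIONS is taken from
the article's file table; SAMPLE_INSTALLED is made-up data for illustration.
"""
from typing import Dict, Optional, Tuple

# Minimum file versions from the article's table (file name -> version).
REQUIRED_VERSIONS: Dict[str, str] = {
    "Advapi32.dll": "5.0.2195.3737",
    "Kdcsvc.dll": "5.0.2195.3738",
    "Kerberos.dll": "5.0.2195.3738",
    "Ksecdd.sys": "5.0.2195.3739",
    "Lsasrv.dll": "5.0.2195.3738",
    "Lsass.exe": "5.0.2195.3738",
    "Ntdsa.dll": "5.0.2195.3758",
    "Samsrv.dll": "5.0.2195.3762",
    "Scecli.dll": "5.0.2195.3649",
    "Scesrv.dll": "5.0.2195.3649",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.0.2195.3737' into (5, 0, 2195, 3737) so comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def missing_fix_files(installed: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Return files that are absent from the inventory or older than the fix.

    Result maps file name -> (installed version or None, required version).
    """
    problems = {}
    for name, required in REQUIRED_VERSIONS.items():
        have = installed.get(name)
        if have is None or parse_version(have) < parse_version(required):
            problems[name] = (have, required)
    return problems


# Constructed inventory: most files are at or above the fix level, Ntdsa.dll
# is still a pre-fix build, Scesrv.dll is missing, and Samsrv.dll carries a
# five-digit build number that a string comparison would wrongly call older.
SAMPLE_INSTALLED: Dict[str, str] = {
    "Advapi32.dll": "5.0.2195.3737",
    "Kdcsvc.dll": "5.0.2195.3738",
    "Kerberos.dll": "5.0.2195.3800",
    "Ksecdd.sys": "5.0.2195.3739",
    "Lsasrv.dll": "5.0.2195.3738",
    "Lsass.exe": "5.0.2195.3738",
    "Ntdsa.dll": "5.0.2195.3600",
    "Samsrv.dll": "5.0.2195.10000",
    "Scecli.dll": "5.0.2195.3649",
}


if __name__ == "__main__":
    for name, (have, need) in sorted(missing_fix_files(SAMPLE_INSTALLED).items()):
        print(f"{name}: installed {have or 'not found'}, fix requires {need}")
```

For the constructed inventory the check reports only `Ntdsa.dll` and `Scesrv.dll`; `Samsrv.dll` passes because `10000` is compared as a number rather than as the string `"10000"`.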



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

For information about a problem with similar symptoms, see the following Microsoft Knowledge Base article:

306131 Kerberos Negative Caching Causes Logon to Not Be Retried on PDC

Keywords: kbbug kbfix kbwin2000presp3fix kbwin2000presp2fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB268518

© Microsoft Corporation. All rights reserved.