Microsoft KB Archive/317178

= A Windows NT 4.0 Domain May Update the Trust Account Password on a Non-Primary Domain Controller =

Article ID: 317178

Article Last Modified on 3/2/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 4.0 Standard Edition




This article was previously published under Q317178



SUMMARY
If a Windows NT 4.0-based domain trusts a Windows 2000-based domain, the trust password is changed every seven days by default. When the primary domain controller (PDC) for the Windows NT 4.0-based domain tries to change the password for the trust, the password change is sent to the domain controller in the trusted domain with which the PDC has already established a secure channel. The domain controller in the trusted domain to which the password change is sent may not hold the PDC operations master role.



MORE INFORMATION
Because all Windows 2000-based domain controllers contain a writeable copy of Active Directory, the domain controller to which the password change is sent accepts the password change and updates the trust account. If you view the attribute metadata for the trust account, the ntPwdHistory and PwdLastSet attributes are shown as being updated on the domain controller to which the password change is sent, instead of on the PDC operations master.

You can view the attribute metadata for the trust account by running the following command. Note that you must modify this command to be appropriate for your domain:

repadmin /showmeta cn=<trusting-domain-name>$,cn=users,dc=<domain>,dc=<tld>

Note that if the trusted domain is a Windows NT 4.0-based domain, and if the password-change request is sent to a backup domain controller (BDC), the BDC forwards the request to its PDC on behalf of the trusting domain.
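To check where a trust password was last written without reading the metadata listing by eye, the output can be parsed. The following is an added example, not part of the original article: it assumes the six-column layout that repadmin /showmeta prints, and the sample output, site names and server names are constructed.

```python
import re

# Constructed sample in the column layout of `repadmin /showmeta`
# (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute).
# Site and server names are made up for this example.
SAMPLE = """\
Loc.USN  Originating DSA     Org.USN  Org.Time/Date        Ver Attribute
=======  ===============     =======  =============        === =========
  20481  HQ\\DC-PDC             20481  2007-02-01 09:14:02    1 objectClass
  20481  HQ\\DC-PDC             20481  2007-02-01 09:14:02    1 sAMAccountName
  51930  BRANCH\\DC-02          88112  2007-02-22 03:40:51    4 ntPwdHistory
  51930  BRANCH\\DC-02          88112  2007-02-22 03:40:51    4 pwdLastSet
"""

# One data row; the DSA field is matched lazily so a name with spaces still parses.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)
PASSWORD_ATTRS = {"ntpwdhistory", "pwdlastset"}  # compared case-insensitively

def parse_showmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]

def password_writers(text, pdc_name):
    """Map each password attribute to (originating DSA, time, written_on_pdc)."""
    result = {}
    for row in parse_showmeta(text):
        if row["attr"].lower() in PASSWORD_ATTRS:
            server = row["dsa"].rsplit("\\", 1)[-1]  # drop the "Site\" prefix
            on_pdc = server.lower() == pdc_name.lower()
            result[row["attr"]] = (row["dsa"], row["time"], on_pdc)
    return result

if __name__ == "__main__":
    for attr, (dsa, when, on_pdc) in password_writers(SAMPLE, "DC-PDC").items():
        print(f"{attr}: {dsa} at {when} ({'PDC' if on_pdc else 'not the PDC'})")
```

A result of "not the PDC" for these two attributes matches the behavior this article describes and does not by itself indicate a replication fault.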

Keywords: kbinfo kbnetwork KB317178


© Microsoft Corporation. All rights reserved.