Microsoft KB Archive/272065

= Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master =

Article ID: 272065

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q272065



SYMPTOMS
When Netlogon processes an authentication request on a domain controller and the request does not work because there is a &quot;bad&quot; password, the request is repeated on the primary domain controller (PDC) operations master.



CAUSE
The request for authentication is repeated on the PDC operations master to verify that the password is correct on the operations master and to update the account lockout information.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English-language version of this fix should have the following file attributes or later:   Date        Time       Version        Size           File name

-  8/23/2000   3:15:08PM  5.0.2195.2103  348,944 bytes  Netlogon.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
Programs that are not authorized on a network can repeatedly retry a bad password which causes excessive load on the operations master.

A change in this behavior causes Netlogon on the domain controllers to maintain a negative cache of logons that recently did not work because of a &quot;bad&quot; password. Based on that cache, Netlogon on the domain controller does not forward those requests to the operations master. Fifty negative cache entries are maintained to prevent denial of service on the domain controller based on memory consumption.

The negative cache becomes active only after a particular user has already sent 10 recent requests to the operations master. This occurs so that a user can log on, have their password not work, and then change their password without being affected by the negative cache.

If the domain supports account lockout, the operations master indicates that it has locked out an account before the negative cache becomes active.

One request is sent on demand to the operations master every five minutes even if there is an active, negative cache entry. This is done to ensure that the user becomes aware of a new password on the operations master even if the negative cache is active.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Additional query words: fsmo dc

Keywords: kbhotfixserver kbqfe kbbug kbfix kbfsmo kbnetwork kbwin2000presp2fix KB272065

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.