Microsoft KB Archive/225511

= New Password Change and Conflict Resolution Functionality in Windows =

Article ID: 225511

Article Last Modified on 2/25/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q225511



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
By default, when a machine account password or user password is changed, or a domain controller receives a client authentication request using an incorrect password, the Windows domain controller acting as the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role owner for the Windows domain is contacted. This article describes a new registry value that can be used by the administrator to control when the PDC is contacted, which can help reduce communication costs between sites.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The following registry value can be modified to control Password Notification and Password Conflict Resolution as described below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

Registry value: AvoidPdcOnWan

Registry type: REG_DWORD

Registry value data: 0 (or value not present) or 1

0 or value not present = FALSE (to disable)

1 = TRUE (to enable)

Default: (value is not present)

Platform: Only Windows 2000 domain controllers

Password Change Notification
By default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.

If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. However, it is notified of the change through normal Active Directory replication, which in turn replicates it to down-level domain controllers (if the domain is in mixed mode). If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.

Password Conflict Resolution
By default, Windows domain controllers query the PDC FSMO role owner if a client is attempting to authenticate using a password that is incorrect according to its local database. If the password sent by the client is found to be correct on the PDC, the client is allowed access and the domain controller replicates the password change.

The AvoidPdcOnWan value can be used by administrators to control when Windows 2000 domain controllers attempt to use the Windows 2000 PDC FSMO role owner to resolve password conflicts.

If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO role owner is located at another site, the domain controller does not try to authenticate a client against password information stored on the PDC FSMO. Note, however, that this results in denying access to the client.

Keywords: kbenv kbinfo KB225511

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.