MORE INFORMATION

Account Lockout

Each BDC maintains a bad logon counter, and, when reached, this information is sent to the PDC. After replicated to the remaining BDCs, the account is locked out on the whole domain.

In theory, this may potentially give a user a window of bad logon attempts that may exceed the account lockout counter. This theoretical limit is ((number of bad logon attempts) x (number of domain controllers)). In actuality, this is very unlikely. Domain validation is usually handled by the nearest domain controller, and it is also this domain controller that would continue to respond to the bad logon requests. Also, this theoretical window is the amount of time between normal domain synchronization, which, by default, is five minutes.

Trust Account Password Changes

Every seven days, the PDC of the trusting domain changes the password used for pass-through authentication with the trusted domain. This password change is sent to the domain controller in the trusted domain that has a secure channel established with the PDC in the trusting domain. The trusting PDC sends an I_NetServerPasswordSet RPC call to the DC of the trusted domain asking it to change the password. If this DC is not the PDC, the BDC sends the password change to its PDC. At the next replication interval, all domain controllers in the trusted domain will have the new password. If there are many BDCs in the trusted domain, and the PDC of the trusting domain is closer to these than it is to the PDC in the trusted domain, it is more likely that the secure channel will be between the PDC in the trusting domain and a BDC in the trusted domain.