Article ID: 317178 - Last Review: March 2, 2007 - Revision: 1.2
A Windows NT 4.0 Domain May Update the Trust Account Password on a Non-Primary Domain Controller
This article was previously published under Q317178
SUMMARY
If a Windows NT 4.0-based domain trusts a Windows 2000-based domain, the trust password is changed every seven days by default. When the primary domain controller (PDC) for the Windows NT 4.0-based domain tries to change the password for the trust, the password change is sent to the domain controller with which it has already established a secure channel in the trusted domain. The domain controller in the trusted domain to which the password change is sent may not hold the PDC operations master role.
MORE INFORMATION
Because all Windows 2000-based domain controllers contain a writeable copy of Active Directory, the domain controller to which the password change is sent accepts the password change and updates the trust account. If you view the attribute metadata for the trust account, the ntPwdHistory and PwdLastSet attributes are shown as being updated on the domain controller to which the password change is sent, instead of on the PDC operations master.
You can view the attribute metadata for the trust account by running the following command. Note that you must modify this command to be appropriate for your domain:
    repadmin /showmeta cn=trustingdomain$,cn=users,dc=domain,dc=com
Note that if the trusted domain is a Windows NT 4.0-based domain, and if the password-change request is sent to a backup domain controller (BDC), the BDC forwards the request to its PDC on behalf of the trusting domain.
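The following added example (not part of the original article) parses saved repadmin /showmeta output and reports which domain controller originated the last write to ntPwdHistory and pwdLastSet, compared against the name of the PDC operations master. The column layout, the sample rows, and the site and server names (HQ, BRANCH, DC-PDC, DC-02) are constructed assumptions.

```python
import re

# Constructed sample of `repadmin /showmeta` output for a trust account.
# The column layout is assumed; site and server names are made up.
SAMPLE = """\
Loc.USN  Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======  ===============   =======  =============        === =========
   4101  HQ\\DC-PDC            4101  2002-01-07 09:12:44    1 objectClass
   4101  HQ\\DC-PDC            4101  2002-01-07 09:12:44    1 sAMAccountName
   9377  BRANCH\\DC-02         8820  2002-01-21 03:40:10    5 ntPwdHistory
   9377  BRANCH\\DC-02         8820  2002-01-21 03:40:10    5 pwdLastSet
"""

# One metadata row: local USN, originating DSA, originating USN, time, version, attribute.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>.+?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}[:.]\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

# The two attributes the article names as updated by a trust password change.
PASSWORD_ATTRS = {"ntpwdhistory", "pwdlastset"}


def parse_showmeta(text):
    """Return one dict per metadata row, skipping headers and blank lines."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def password_originators(text, pdc_name):
    """Map each password attribute to (originating DSA, time, written_on_pdc)."""
    found = {}
    for row in parse_showmeta(text):
        if row["attr"].lower() in PASSWORD_ATTRS:
            server = row["dsa"].split("\\")[-1]  # drop the "Site\" prefix
            on_pdc = server.lower() == pdc_name.lower()
            found[row["attr"]] = (row["dsa"], row["when"], on_pdc)
    return found


if __name__ == "__main__":
    for attr, (dsa, when, on_pdc) in password_originators(SAMPLE, "DC-PDC").items():
        where = "PDC operations master" if on_pdc else "a different domain controller"
        print(f"{attr}: last written {when} on {dsa} ({where})")
```

A result showing a domain controller other than the PDC operations master matches the behavior this article describes and does not by itself indicate a replication fault.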
