Article ID: 272065
This article was previously published under Q272065
This article has been archived. It is offered "as is" and will no longer be updated.
When Netlogon processes an authentication request on a domain controller and the request does not work because there is a "bad" password, the request is repeated on the primary domain controller (PDC) operations master.
The request for authentication is repeated on the PDC operations master to verify that the password is correct on the operations master and to update the account lockout information.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 (http://support.microsoft.com/kb/260910/EN-US/ ) How to Obtain the Latest Windows 2000 Service Pack
The English-language version of this fix should have the following file attributes or later:

Date        Time       Version        Size           File name
-----------------------------------------------------------------
8/23/2000   3:15:08PM  5.0.2195.2103  348,944 bytes  Netlogon.dll
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
Programs that are not authorized on a network can repeatedly retry a bad password, which causes excessive load on the operations master.
A change in this behavior causes Netlogon on the domain controllers to maintain a negative cache of logons that recently did not work because of a "bad" password. Based on that cache, Netlogon on the domain controller does not forward those requests to the operations master. Fifty negative cache entries are maintained to prevent denial of service on the domain controller based on memory consumption.
The negative cache becomes active only after a particular user has already sent 10 recent requests to the operations master. This occurs so that a user can log on, have their password not work, and then change their password without being affected by the negative cache.
If the domain supports account lockout, the operations master indicates that it has locked out an account before the negative cache becomes active.
One request is sent on demand to the operations master every five minutes even if there is an active, negative cache entry. This is done to ensure that the user becomes aware of a new password on the operations master even if the negative cache is active.
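A toy model of the negative-cache behavior described above, added here as an illustration; it is not Netlogon's code. The 50-entry limit, the 10-request threshold and the five-minute probe come from the article; the 600-second "recent" window, oldest-first eviction, clearing an entry when the operations master accepts the password, and the account name are assumptions.

```python
from collections import OrderedDict

MAX_ENTRIES = 50        # from the article: fifty negative cache entries
ACTIVATE_AFTER = 10     # from the article: 10 recent requests sent to the PDC
PROBE_INTERVAL = 300    # from the article: one request every five minutes
RECENT_WINDOW = 600     # assumption: the article does not define "recent"


class NegativeLogonCache:
    """Toy model of the per-DC negative cache for bad-password logons."""

    def __init__(self):
        # user -> [forwarded_failures, last_forward_time]; oldest entry first
        self._entries = OrderedDict()

    def should_forward(self, user, now):
        """Return True if a locally failed logon should be retried on the PDC."""
        entry = self._entries.get(user)
        if entry is None:
            return True
        failures, last_forward = entry
        if now - last_forward > RECENT_WINDOW:
            del self._entries[user]          # stale: failures no longer "recent"
            return True
        if failures < ACTIVATE_AFTER:
            return True                      # cache not yet active for this user
        return now - last_forward >= PROBE_INTERVAL  # periodic probe only

    def record_pdc_result(self, user, now, bad_password):
        """Update the cache after the PDC answered a forwarded request."""
        if not bad_password:
            self._entries.pop(user, None)    # assumption: success clears the entry
            return
        failures = self._entries.pop(user, [0, now])[0]
        self._entries[user] = [failures + 1, now]
        while len(self._entries) > MAX_ENTRIES:
            self._entries.popitem(last=False)  # assumption: evict oldest entry


def simulate(attempts, interval, cache=None, user="svc-backup"):
    """Count PDC-forwarded requests for `attempts` bad logons `interval` s apart."""
    cache = NegativeLogonCache() if cache is None else cache
    forwarded = 0
    for i in range(attempts):
        now = i * interval               # constructed timeline, in seconds
        if cache.should_forward(user, now):
            forwarded += 1
            cache.record_pdc_result(user, now, bad_password=True)
    return forwarded
```

In this model, 1,000 bad-password retries at one per second reach the operations master 13 times: the first 10, then one probe every five minutes.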
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 (http://support.microsoft.com/kb/249149/EN-US/ ) Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Article ID: 272065 - Last Review: October 21, 2013 - Revision: 3.3