The following registry value can be modified to control Password Notification and Password Conflict Resolution as described below:
Registry value: AvoidPdcOnWan
Registry type: REG_DWORD
Registry value data: 0 (or value not present) or 1
0 or value not present = FALSE (to disable)
1 = TRUE (to enable)
Default: (value is not present)
Platform: Only Windows 2000 domain controllers
Password Change NotificationBy default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.
If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. However, it is notified of the change through normal Active Directory replication, which in turn replicates it to down-level domain controllers (if the domain is in mixed mode). If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.
An updated password may not be sent to the PDC emulator even if AvoidPdcOnWan is FALSE or not set, if there are Problems sending the request to the PDC, for example a Network outage. There is no error logged in this Case. The update is then distributed using normal AD replication.
Password Conflict ResolutionBy default, Windows domain controllers query the PDC FSMO role owner if a client is attempting to authenticate using a password that is incorrect according to its local database. If the password sent by the client is found to be correct on the PDC, the client is allowed access and the domain controller replicates the password change.
The AvoidPdcOnWan value can be used by administrators to control when Active Directory domain controllers attempt to use the PDC FSMO role owner to resolve password conflicts.
If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO role owner is located at another site, the domain controller does not try to authenticate a client against password information stored on the PDC FSMO. Note, however, that this results in denying access to the client.
An incorrect password may not be tried at the PDC emulator even if AvoidPdcOnWan is FALSE or not set, if there are Problems sending the request to the PDC, for example a Network outage. There is no error logged in this Case. The logon attempt is denied in this case.
Article ID: 225511 - Last Review: Jan 7, 2017 - Revision: 1