JSI Tip 2631. How do I prevent the PDC FSMO role owner from being contacted when a client uses an incorrect password?

When a user or machine account password is changed on a DC, or a DC receives a client authentication request with a bad password, the DC contacts the PDC FSMO role owner (the PDC emulator). A password change is replicated to the PDC emulator immediately, rather than waiting for the next scheduled replication cycle, and a failed logon is retried against the PDC emulator in case the password was recently changed on another DC.

When the PDC FSMO role owner is in a different site, this traffic crosses the WAN, which can be unwanted.

You can alter this behavior by using Regedt32 on each DC to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

On the Edit menu, Add Value name AvoidPdcOnWan as a REG_DWORD data type. Setting the data value to 1 causes the DC not to contact the PDC FSMO role owner at a remote site to resolve password conflicts, and to delay replication of password changes to it until the next scheduled replication cycle. A value of 0 (the default, and the behavior when the value is absent) restores the normal behavior.
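The same change can be scripted instead of being made by hand on each DC. The following PowerShell function is an added example and is not part of the original tip; it assumes PowerShell remoting is enabled on the target DCs, that the caller has write access to HKLM on them, and, for the usage block at the end, that the ActiveDirectory RSAT module is installed. The tip does not say whether Netlogon re-reads the value without a restart, so the optional -RestartNetlogon switch is offered as a conservative step, not as something the tip requires.

```powershell
# Added example (not from the original tip). Sets or clears AvoidPdcOnWan under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on one or more DCs.
# Assumptions: PS remoting enabled on each DC; caller can write HKLM there.

function Set-AvoidPdcOnWan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet(0, 1)][int]$Value = 1,   # 1 = avoid the PDC over the WAN, 0 = default behavior
        [switch]$RestartNetlogon              # conservative: the tip does not state a restart is needed
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name = 'AvoidPdcOnWan'

    foreach ($dc in $ComputerName) {
        if (-not $PSCmdlet.ShouldProcess($dc, "Set $name = $Value")) { continue }

        Invoke-Command -ComputerName $dc -ArgumentList $key, $name, $Value, [bool]$RestartNetlogon -ScriptBlock {
            param($key, $name, $value, $restart)

            # Record the current setting so the change is auditable.
            $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $before) { $before = '<absent>' }

            # Create the REG_DWORD value; -Force overwrites it if it already exists.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null

            # Restarting Netlogon briefly interrupts logon service on this DC, so it is opt-in.
            if ($restart) { Restart-Service -Name Netlogon -Force }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Before   = $before
                After    = (Get-ItemProperty -Path $key -Name $name).$name
            }
        }
    }
}

# Usage: only DCs outside the PDC emulator's site generate cross-WAN traffic, so
# target those. Requires the ActiveDirectory module (assumption). Remove -WhatIf to apply.
$pdc     = (Get-ADDomain).PDCEmulator
$pdcSite = (Get-ADDomainController -Identity $pdc).Site
$remote  = Get-ADDomainController -Filter "Site -ne '$pdcSite'" | Select-Object -ExpandProperty HostName
Set-AvoidPdcOnWan -ComputerName $remote -Value 1 -WhatIf
```

Running it with -WhatIf first lists exactly which DCs would be changed. Because the filter excludes the PDC emulator's own site, the PDC emulator itself and any DC that can reach it over the LAN keep the default behavior.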

NOTE: This can result in the client being denied access until the next replication cycle: a user whose password was just changed on a DC in another site will fail to log on at this DC until the change replicates. The reverse also holds: a password changed on this DC is not pushed to the PDC FSMO role owner until the next cycle, so the old password keeps working elsewhere for that long.
