A. When a domain controller (DC) carries out a password change, the change is forwarded to the PDC Flexible Single-Master Operation (FSMO) role holder for the domain. This change isn't an urgent replication but instead is a separate communication that notifies the PDC FSMO outside of regular replication connections. When a client uses an incorrect password to initiate an authentication request, before failing the authentication, the DC that received the authentication request asks the PDC FSMO to verify the password and confirm whether a new password is in use. If so, the FSMO communicates the password to the DC outside of normal replication cycles (out of band). This communication for verifying incorrect passwords is for any DC in the domain, not just those within a local site. If you don't see this behavior, it's possible that someone has turned off the password-change PDC communication for DCs in sites not local to the PDC emulator. The process for doing so is described in the FAQ "How can I stop password changes from being pushed to the PDC FSMO over WAN links?" ( http://www.windowsitpro.com/articles/index.cfm?articleid=21788 ). Firewall restrictions can also block the password-verification default behavior.