How can I stop password changes from being pushed to the PDC FSMO over WAN links?

A. By default, when a user changes a password, the change is written on the local domain controller (DC) that handled the request, but Windows also pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder, because such changes take time to replicate around the domain. Without that push, a user who logged on with the new password through a DC that hadn't yet received the change would fail authentication. To avoid this kind of failure, Windows retries the authentication against the PDC FSMO role holder.

To prevent the system from pushing password changes over slow WAN links, make the following change on the relevant DCs:

  1. Start regedit.exe.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
  3. From the Edit menu, select New, DWORD value.
  4. Enter a name of AvoidPdcOnWan, and press Enter.
  5. Double-click AvoidPdcOnWan, and set it to 1.
  6. Click OK.
  7. Close regedit.
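The same change can be made and verified from PowerShell, which is more practical than regedit when several DCs behind slow links need the setting and you want a record of what each one had before and after. The script below is an added example, not part of the original answer; it assumes it runs in an elevated session, and the optional remote audit assumes PowerShell Remoting is enabled between the DCs (the DC names are placeholders).

```powershell
# Added example: set AvoidPdcOnWan = 1 under the Netlogon parameters key
# and read it back, instead of editing the value by hand in regedit.
# Assumes an elevated session on the domain controller being configured.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'AvoidPdcOnWan'

function Get-AvoidPdcOnWan {
    # Returns the current DWORD value, or $null if the value was never created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AvoidPdcOnWan {
    # Creates the value if it is missing, otherwise updates it in place.
    param([ValidateSet(0, 1)][int]$Value = 1)
    if ($null -eq (Get-AvoidPdcOnWan)) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
    }
}

# Apply the change locally and report before/after so the run leaves a record.
$before = Get-AvoidPdcOnWan
Set-AvoidPdcOnWan -Value 1
$after  = Get-AvoidPdcOnWan
$beforeText = if ($null -eq $before) { 'not set' } else { $before }
"{0}: AvoidPdcOnWan before={1} after={2}" -f $env:COMPUTERNAME, $beforeText, $after

# Optional: audit which DCs already have the setting (hypothetical DC names;
# requires PowerShell Remoting to the listed hosts).
function Get-AvoidPdcOnWanReport {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                                  -Name 'AvoidPdcOnWan' -ErrorAction SilentlyContinue
            if ($null -eq $p) { 'not set' } else { [int]$p.AvoidPdcOnWan }
        }
        [pscustomobject]@{ DomainController = $dc; AvoidPdcOnWan = $value }
    }
}

# Get-AvoidPdcOnWanReport -DomainControllers 'DC-BRANCH1', 'DC-BRANCH2' | Format-Table
```

Only set the value on DCs that actually sit behind slow WAN links; the trade-off is that a user who changes a password on one of those DCs and immediately logs on through a DC that has not yet received the change will see a failed logon until normal replication catches up, so keep the before/after output with the change ticket.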