A. By default, a password change is made on the local domain controller (DC), and Windows also pushes it to the PDC Flexible Single-Master Operation (FSMO) role holder, because normal replication takes time to carry the change around the domain. If the change weren't pushed to the PDC FSMO role holder and someone tried to log on with the new password at a DC that hadn't yet received it, the logon would fail. To avoid this kind of failure, Windows attempts to authenticate on the PDC FSMO role holder.
To prevent the system from pushing password changes over slow WAN links, make the following change on the relevant DCs:
- Start regedit.exe.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
- From the Edit menu, select New, DWORD value.
- Enter a name of AvoidPdcOnWan, and press Enter.
- Double-click AvoidPdcOnWan, and set it to 1.
- Click OK.
- Close regedit.
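
The same change scripted in PowerShell, as an added example rather than part of the original answer: it sets AvoidPdcOnWan to 1 as a DWORD on each listed DC and reports the value before and after. The DC names are placeholders, and PowerShell remoting to the DCs is assumed.

```powershell
# Added example: apply AvoidPdcOnWan = 1 on the relevant DCs and verify it.
# Assumption: the host names below are placeholders, not names from the article.
$DomainControllers = @('DC-BRANCH01', 'DC-BRANCH02')

$setValue = {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name = 'AvoidPdcOnWan'

    # Read the current state first so the change can be reviewed or reverted.
    # A missing value yields $null here instead of an error.
    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($before -ne 1) {
        # -Force overwrites an existing value, so a value created with the
        # wrong type (for example a string) is replaced by a DWORD.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force |
            Out-Null
    }

    # Read the value back rather than trusting the write.
    $after = (Get-ItemProperty -Path $path -Name $name).$name

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = if ($null -eq $before) { '(not set)' } else { $before }
        After    = $after
        Changed  = ($before -ne $after)
    }
}

foreach ($dc in $DomainControllers) {
    try {
        # Runs the block on the DC itself, so HKLM refers to that DC's registry.
        Invoke-Command -ComputerName $dc -ScriptBlock $setValue -ErrorAction Stop
    }
    catch {
        # An unreachable DC is reported and skipped; the others are still processed.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
```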