User password change synchronization in W2K AD

Andy Jiang

Hi Everyone

Each time our users change their password at their Win98 PCs'
domain login window, they cannot log on to the Citrix server
immediately afterwards until 10 minutes later, as the PC logon
is using a different DC from the Citrix server's DC. DCs take
about 10 minutes to synchronize with each other.

Our domain is NT4 compatible, not a native W2K domain. We
have 3 DCs. One of them emulates the PDC. The Citrix server and
PCs are in the same domain.

This is not good for users. They are not happy to wait 10
minutes in the morning for Citrix login. Any solution?

Thanks in advance.

Regards

Andy Jiang
 
Jody Flett [MSFT]

Hi Andy

In this situation your users should be able to logon. When a password change
is made with a 9x client (unless using ADClient) it is changed on the PDCe
role holder. If a user then tries to logon validation at a DC that does not
yet have this change the local DC queries the PDCe to make sure that the
password has not been changed etc. If the password is found to be correct on
the PDCe the user should be allowed to log on.

A registry setting that prevents this default behaviour is AvoidPDCOnWan,
see http://support.microsoft.com/default.aspx?scid=kb;en-us;225511 for
further information on this and how Windows resolves password conflicts.

I would check the functionality with a standard client to see if the
expected behaviour happens; if not, look at the avoidpdconwan registry
setting on all DCs. This behaviour is best efforts, so if the network is
down between DC and PDCe and the referral fails it will not try again, so
network issues can also have a bearing on this... You can use netlogon
logging to make sure that the referral is occurring: if you set "nltest.exe
/dbflag:0x2080ffff" on the PDCe, look in the debug directory for the
netlogon.log, and in there look for bad password events and successful logons
(6A and 0x0). Use "findstr /i "6A" netlogon.log" to filter the log - you
should see a referral from the local DC.

HTH

Jody
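
The netlogon.log check described in the reply above can be scripted; this is an added example, not part of the thread or of either poster's words. The log line layout, the sample lines and every domain, host and account name are assumptions constructed for illustration, and real netlogon.log layouts vary between Windows versions.

```python
import re
from collections import defaultdict

# Assumed netlogon.log line shape (varies between Windows versions):
# MM/DD HH:MM:SS [LOGON] SamLogon: <type> logon of DOMAIN\user from HOST (via DC) Returns 0x...
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (?P<account>\S+) "
    r"from (?P<host>\S+)(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)
WRONG_PASSWORD = 0xC000006A  # the "6A" events mentioned in the reply
SUCCESS = 0x0

# Constructed sample of a PDCe netlogon.log; all names are made up.
SAMPLE = r"""
05/12 08:01:10 [LOGON] SamLogon: Network logon of EXAMPLE\alice from CTX01 (via DC2) Entered
05/12 08:01:10 [LOGON] SamLogon: Network logon of EXAMPLE\alice from CTX01 (via DC2) Returns 0x0
05/12 08:03:42 [LOGON] SamLogon: Network logon of EXAMPLE\bob from CTX01 (via DC3) Returns 0xC000006A
05/12 08:05:00 [LOGON] SamLogon: Network logon of EXAMPLE\carol from PC17 Returns 0x0
05/12 08:05:30 [MISC] DsGetDcName function called
"""

def referrals(log_text):
    """Return {account: [(timestamp, forwarding_dc, outcome), ...]} for logons
    that reached this DC through another DC (lines carrying a "via" field)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m["via"]:
            continue  # "Entered" lines, non-LOGON lines, and direct logons
        status = int(m["status"], 16)
        outcome = {SUCCESS: "ok", WRONG_PASSWORD: "wrong password"}.get(
            status, m["status"])
        seen[m["account"].lower()].append((m["ts"], m["via"], outcome))
    return dict(seen)

def missing_referral(log_text, accounts):
    """Accounts with no forwarded logon in the PDCe log: the local DC never asked
    the PDCe (check AvoidPdcOnWan and connectivity between that DC and the PDCe)."""
    found = referrals(log_text)
    return [a for a in accounts if a.lower() not in found]

if __name__ == "__main__":
    for account, events in referrals(SAMPLE).items():
        print(account, events)
    print("no referral seen:",
          missing_referral(SAMPLE, [r"EXAMPLE\carol", r"EXAMPLE\dave"]))
```

Run it against the netlogon.log copied from the PDCe after a test password change; an account listed by `missing_referral` had no forwarded logon recorded there.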
 
