DOCUMENT:Q185952 09-AUG-2001 [winnt] TITLE :Information from BDC Sent to PDC, and Then Replicated to Domain PRODUCT :Microsoft Windows NT PROD/VER:WinNT:3.5,3.51,4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server versions 3.5, 3.51, 4.0 ------------------------------------------------------------------------------- SUMMARY ======= Traditionally, all user account database changes are made on the primary domain controller (PDC), and then replicated to each of the backup domain controllers (BDC). There are a few instances when the flow of information is reversed. A few domain activities are actually triggered by a BDC that sends the change to the PDC. After the PDC has the new information, usual Netlogon replication distributes the change to each of the BDCs at an interval specified by the Netlogon Pulse parameter. The default is five minutes. Below are some of these examples. MORE INFORMATION ================ Account Lockout --------------- Each BDC maintains a bad logon counter, and, when reached, this information is sent to the PDC. After replicated to the remaining BDCs, the account is locked out on the whole domain. In theory, this may potentially give a user a window of bad logon attempts that may exceed the account lockout counter. This theoretical limit is ((number of bad logon attempts) x (number of domain controllers)). In actuality, this is very unlikely. Domain validation is usually handled by the nearest domain controller, and it is also this domain controller that would continue to respond to the bad logon requests. Also, this theoretical window is the amount of time between normal domain synchronization, which, by default, is five minutes. Trust Account Password Changes ------------------------------ Every seven days, the PDC of the trusting domain changes the password used for pass-through authentication with the trusted domain. This password change is sent to the domain controller in the trusted domain that has a secure channel established with the PDC in the trusting domain. The trusting PDC sends an I_NetServerPasswordSet RPC call to the DC of the trusted domain asking it to change the password. If this DC is not the PDC, the BDC sends the password change to its PDC. At the next replication interval, all domain controllers in the trusted domain will have the new password. If there are many BDCs in the trusted domain, and the PDC of the trusting domain is closer to these than it is to the PDC in the trusted domain, it is more likely that the secure channel will be between the PDC in the trusting domain and a BDC in the trusted domain. ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search Version : WinNT:3.5,3.51,4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.