Running in Mixed Mode: NT4 PDC does not sync user password changes.....


We recently completed our shift to Windows 2000 from an NT4 environment.  Everything is working like a champ, except for one thing.  When we change a password for a user account in Active Directory, the change occurs successfully in AD.  However, when we attempt to access a shared file or directory on the NT4 box (which was the PDC previously), we are prompted for authentication.  The user's new password in this case does not work, and the NT4 box will only accept their "old" password.

For instance some of our login scripts map a network drive to users machine from the NT4 server.  When the script reaches that point, it pauses and requests the user to enter a password.   Again, their new password is not accepted, but the "old" password works.

This is very strange.  I have tried going to the NT4 PDC and explicitly changing their password in "User Manager for Domains".  It still does not work.  The NT4 PDC is replicating other changes.  For example, if we create a new user account in A.D., the account eventually shows up on the User Manager on the NT4 PDC.

I'm confused.  Need help.  Thanks!
ericmaloneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tstaddonCommented:
Right...

This is what that wonderful Microsoft term "multi-master replication" is all about. You don't have ONLY ONE writeable domain controller in an Active Directory. All DCs within a domain are writeable.

NT4 only allows one writeable DC (the PDC), so W2K by default provides a service in your domain called PDC emulator. The server running this service is, in effect, your PDC.

So, if you have a mixed NT4 and 2000 domain, you need to have one master DC (Active Directory's PDC emulator) and your NT4 DCs need to be BDCs.

If your NT box thinks it's a PDC it won't bother to ask ANY other domain controller for passwords. Because as far as it knows, the ONLY server in your domain that is capable of changing a password, is itself.

Demote your NT4 server to a BDC, and it will happily recognise password changes by synchronising with the PDC emulator.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ericmaloneAuthor Commented:
This sounds harder than it looks.  Promoting BDC to PDC is simple, but how do you demote PDC to BDC?

I am assuming (as is the answer for every other ms windows issue) that there is a registry hack.......?

eric
0
tstaddonCommented:
I did find this...

http://www.nthelp.com/40/pdc2bdc1.htm

Which offers possible solutions.
0
ericmaloneAuthor Commented:
I will look into this further, thank you for this insight....

em
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.