Solved

Running in Mixed Mode: NT4 PDC does not sync user password changes.....

Posted on 2003-12-10
4
167 Views
Last Modified: 2010-04-14

We recently completed our shift to Windows 2000 from an NT4 environment.  Everything is working like a champ, except for one thing.  When we change a password for a user account in Active Directory, the change occurs successfully in AD.  However, when we attempt to access a shared file or directory on the NT4 box (which was the PDC previously), we are prompted for authentication.  The user's new password in this case does not work, and the NT4 box will only accept their "old" password.

For instance some of our login scripts map a network drive to users machine from the NT4 server.  When the script reaches that point, it pauses and requests the user to enter a password.   Again, their new password is not accepted, but the "old" password works.

This is very strange.  I have tried going to the NT4 PDC and explicitly changing their password in "User Manager for Domains".  It still does not work.  The NT4 PDC is replicating other changes.  For example, if we create a new user account in A.D., the account eventually shows up on the User Manager on the NT4 PDC.

I'm confused.  Need help.  Thanks!
0
Comment
Question by:ericmalone
  • 2
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
tstaddon earned 250 total points
ID: 9919129
Right...

This is what that wonderful Microsoft term "multi-master replication" is all about. You don't have ONLY ONE writeable domain controller in an Active Directory. All DCs within a domain are writeable.

NT4 only allows one writeable DC (the PDC), so W2K by default provides a service in your domain called PDC emulator. The server running this service is, in effect, your PDC.

So, if you have a mixed NT4 and 2000 domain, you need to have one master DC (Active Directory's PDC emulator) and your NT4 DCs need to be BDCs.

If your NT box thinks it's a PDC it won't bother to ask ANY other domain controller for passwords. Because as far as it knows, the ONLY server in your domain that is capable of changing a password, is itself.

Demote your NT4 server to a BDC, and it will happily recognise password changes by synchronising with the PDC emulator.
0
 

Author Comment

by:ericmalone
ID: 9924527
This sounds harder than it looks.  Promoting BDC to PDC is simple, but how do you demote PDC to BDC?

I am assuming (as is the answer for every other ms windows issue) that there is a registry hack.......?

eric
0
 
LVL 5

Expert Comment

by:tstaddon
ID: 9926610
I did find this...

http://www.nthelp.com/40/pdc2bdc1.htm

Which offers possible solutions.
0
 

Author Comment

by:ericmalone
ID: 10050364
I will look into this further, thank you for this insight....

em
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question