password change PDC

Hello a

I am running in a windows 2003 FFL and DFL. I currently have two domains in
the forest. All user accounts live in the parent domain (parentdomain.com) I
also have 3 separate AD sites, all sites have at least on DC/GC. If the PDC
is located in AD siteA and a user who is located in AD siteB changes there
password, then what DC\GC is the one who actually updates or allows the
password to be changed?

This is how I think it works.

The user in AD siteB changes there password, the password change
notification gets sent to the DC\GC in AD siteB, the DC\GC in AD siteB then
send the password change update to the PDC located in AD siteA. The password
is then changed on the PDC, and the change is replicated back to the DC in
AD siteB?

is this correct?

Howdie!

sawyer schrieb:
> This is how I think it works.
>
> The user in AD siteB changes there password, the password change
> notification gets sent to the DC\GC in AD siteB, the DC\GC in AD siteB
> then send the password change update to the PDC located in AD siteA. The
> password is then changed on the PDC, and the change is replicated back
> to the DC in AD siteB?

Yeah, you're almost correct. I've outlined the behavior in one of my
articles:
http://www.frickelsoft.net/blog/?p=199

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

Howdie!

sawyer schrieb:
> The user in AD siteB changes there password, the password change
> notification gets sent to the DC\GC in AD siteB, the DC\GC in AD siteB
> then send the password change update to the PDC located in AD siteA. The
> password is then changed on the PDC, and the change is replicated back
> to the DC in AD siteB?

To answer your question directly: siteB-DC will update the password in
its local database and will notify the PDC of its domain via a special
out-of-band call about the password. It's a push, not a normal rep
notification. The push only works if those DCs can reach each other.
Otherwise the password is spread via normal rep.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

thank you!

"Florian Frommherz [MVP]" <> wrote in
message news:e#...
> Howdie!
>
> sawyer schrieb:
>> The user in AD siteB changes there password, the password change
>> notification gets sent to the DC\GC in AD siteB, the DC\GC in AD siteB
>> then send the password change update to the PDC located in AD siteA. The
>> password is then changed on the PDC, and the change is replicated back to
>> the DC in AD siteB?
>
> To answer your question directly: siteB-DC will update the password in its
> local database and will notify the PDC of its domain via a special
> out-of-band call about the password. It's a push, not a normal rep
> notification. The push only works if those DCs can reach each other.
> Otherwise the password is spread via normal rep.
>
> Cheers,
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> ANY advice you get on the Newsgroups should be tested thoroughly in your
> lab.