A Windows NT 4.0 Domain May Update the Trust Account Password on a Non-Primary Domain Controller (317178)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 4.0

This article was previously published under Q317178

SUMMARY

If a Windows NT 4.0-based domain trusts a Windows 2000-based domain, the trust password is changed every seven days by default. When the primary domain controller (PDC) for the Windows NT 4.0-based domain tries to change the password for the trust, the password change is sent to the domain controller in the trusted domain with which it has already established a secure channel. The domain controller to which the password change is sent may not hold the PDC operations master role.

MORE INFORMATION

Because all Windows 2000-based domain controllers contain a writeable copy of Active Directory, the domain controller to which the password change is sent accepts the password change and updates the trust account. If you view the attribute metadata for the trust account, the ntPwdHistory and PwdLastSet attributes are shown as being updated on the domain controller to which the password change is sent, instead of on the PDC operations master.

You can view the attribute metadata for the trust account by running the following command. Note that you must modify this command to be appropriate for your domain:

repadmin /showmeta cn=trustingdomain$,cn=users,dc=domain,dc=com
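
As an added example (not part of the original article or of Microsoft's tooling), the following Python script parses saved repadmin /showmeta output and reports which domain controller originated the last write to the two password attributes named above, so that it can be compared with the PDC operations master. The sample output, the DC names, and the PDC name passed in are constructed, and the column layout is assumed to match what your version of repadmin prints.

```python
import re
from datetime import datetime

# Constructed sample of `repadmin /showmeta` output for a trust account;
# the DC names, USNs and timestamps are made up for illustration.
SAMPLE = r"""
5 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  12045        Default-First-Site-Name\DC01     12045 2002-09-01 08:15:02    1 objectClass
  12046        Default-First-Site-Name\DC01     12046 2002-09-01 08:15:02    1 cn
  48211        Default-First-Site-Name\DC03     30977 2002-10-04 02:11:40    6 ntPwdHistory
  48211        Default-First-Site-Name\DC03     30977 2002-10-04 02:11:40    6 pwdLastSet
  12050        Default-First-Site-Name\DC01     12050 2002-09-01 08:15:02    1 sAMAccountName
"""

# Assumed column layout: Loc.USN, Originating DSA, Org.USN, date, time, Ver, Attribute
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$")
PASSWORD_ATTRS = {"ntpwdhistory", "pwdlastset"}  # the two attributes the article names


def parse_showmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "attribute": m.group(6),
                "originating_dsa": m.group(2),
                "version": int(m.group(5)),
                "changed": datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S"),
            })
    return rows


def password_write_origin(text, pdc_name):
    """Map each password attribute to (originating DC, change time, written_on_pdc)."""
    result = {}
    for row in parse_showmeta(text):
        if row["attribute"].lower() in PASSWORD_ATTRS:
            dc = row["originating_dsa"].split("\\")[-1]  # drop the "Site\" prefix
            result[row["attribute"]] = (dc, row["changed"], dc.lower() == pdc_name.lower())
    return result


if __name__ == "__main__":
    for attr, (dc, when, on_pdc) in password_write_origin(SAMPLE, "DC01").items():
        print(f"{attr}: last written on {dc} at {when} (PDC operations master: {on_pdc})")
```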

Note that if the trusted domain is a Windows NT 4.0-based domain, and if the password-change request is sent to a backup domain controller (BDC), the BDC forwards the request to its PDC on behalf of the trusting domain.

Modification Type: Major
Last Reviewed: 10/11/2002
Keywords: kbinfo kbnetwork KB317178