A Windows 2000 Client Authenticates with the Primary Domain Controller Operations Master After a Password Change (268518)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q268518
SYMPTOMS
In typical operations, a Windows 2000-based domain user should be authenticated by the "closest" domain controller in the domain. This is usually a domain controller that is located in the same site as the client. The mechanism that controls this behavior is described in the Windows 2000 Distributed System Guide. However, in some cases, the authentication takes place with the primary domain controller operations master (also known as flexible single-master operations or FSMO) for the domain, even if it is in a site that is physically remote from the client.
Specifically, this behavior occurs if a user attempts to log on and is prompted to change his or her domain password. After the password change, the subsequent logon authentication takes place between the client and the primary domain controller operations master. If the primary domain controller operations master is located in another physical location, there might be a delay in the logon processing (depending on bandwidth restrictions). Subsequent logon attempts from that client within 10 minutes are also authenticated by the primary domain controller operations master.
This problem can result in longer logon times and slow processing of logon scripts and other processes that are triggered by logging on.
CAUSE
This problem occurs because the Windows 2000-based client caches a Kerberos binding to the primary domain controller operations master during the password-change process. Cached bindings are used to help optimize the Kerberos authentication process. In this case, the checks that typically ensure that the domain controller with which authentication takes place is the closest one are bypassed. Cached bindings for remote domain controllers have a nominal lifetime of 600 seconds (10 minutes).
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
----------------------------------------------------------------
21-Jun-2001 03:23 5.0.2195.3737 355,088 Advapi32.dll
21-Jun-2001 03:23 5.0.2195.3738 142,608 Kdcsvc.dll
13-Jun-2001 20:43 5.0.2195.3738 209,008 Kerberos.dll
29-May-2001 12:26 5.0.2195.3739 69,456 Ksecdd.sys
13-Jun-2001 20:32 5.0.2195.3738 501,520 Lsasrv.dll (128-bit)
13-Jun-2001 20:32 5.0.2195.3738 501,520 Lsasrv.dll (56-bit)
13-Jun-2001 08:32 5.0.2195.3738 33,552 Lsass.exe
21-Jun-2001 03:23 5.0.2195.3758 909,072 Ntdsa.dll
21-Jun-2001 03:23 5.0.2195.3762 382,224 Samsrv.dll
29-May-2001 12:53 5.0.2195.3649 128,784 Scecli.dll
30-May-2001 05:19 5.0.2195.3649 299,792 Scesrv.dll
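As a way to verify that a host carries this fix (an added example, not part of the article or of any Microsoft tool), the script below parses the file-attribute table above and applies the "or later" rule numerically against a mapping of file name to version that the caller has read from the host; how that mapping is gathered is left to the reader.

```python
# Checks a host's installed file versions against the KB268518 hotfix table
# ("the following file attributes or later"). Added example, not Microsoft code.
import re

KB268518_TABLE = """\
21-Jun-2001 03:23 5.0.2195.3737 355,088 Advapi32.dll
21-Jun-2001 03:23 5.0.2195.3738 142,608 Kdcsvc.dll
13-Jun-2001 20:43 5.0.2195.3738 209,008 Kerberos.dll
29-May-2001 12:26 5.0.2195.3739 69,456 Ksecdd.sys
13-Jun-2001 20:32 5.0.2195.3738 501,520 Lsasrv.dll (128-bit)
13-Jun-2001 20:32 5.0.2195.3738 501,520 Lsasrv.dll (56-bit)
13-Jun-2001 08:32 5.0.2195.3738 33,552 Lsass.exe
21-Jun-2001 03:23 5.0.2195.3758 909,072 Ntdsa.dll
21-Jun-2001 03:23 5.0.2195.3762 382,224 Samsrv.dll
29-May-2001 12:53 5.0.2195.3649 128,784 Scecli.dll
30-May-2001 05:19 5.0.2195.3649 299,792 Scesrv.dll
"""

# date time version size name; a trailing "(128-bit)" style suffix is ignored
ROW = re.compile(r"^\S+ \S+ (?P<ver>[\d.]+) [\d,]+ (?P<name>\S+)")

def version_tuple(text):
    # '5.0.2195.3737' -> (5, 0, 2195, 3737): compare numerically, not as strings
    return tuple(int(p) for p in text.split("."))

def parse_table(table):
    # Lower-cased file name -> minimum version. Lsasrv.dll is listed twice
    # (128-bit and 56-bit builds) with the same version, so the rows collapse.
    required = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            required[m["name"].lower()] = version_tuple(m["ver"])
    return required

def check_hotfix(installed, table=KB268518_TABLE):
    # installed: {file name: version string} as read from a host. Returns
    # {file name: reason} for every file that fails the "or later" test.
    required = parse_table(table)
    have = {k.lower(): v for k, v in installed.items()}
    problems = {}
    for name, minimum in required.items():
        if name not in have:
            problems[name] = "not in inventory"
        elif version_tuple(have[name]) < minimum:
            problems[name] = have[name] + " is older than required"
    return problems
```

An empty result from check_hotfix means every file in the table is present at the listed version or a later one.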
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbfix kbSecurity kbWin2000PreSP2Fix kbWin2000PreSP3Fix kbWin2000sp3fix KB268518