Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master (272065)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
This article was previously published under Q272065

SYMPTOMS

When Netlogon processes an authentication request on a domain controller and the request does not work because there is a "bad" password, the request is repeated on the primary domain controller (PDC) operations master.

CAUSE

The request for authentication is repeated on the PDC operations master to verify that the password is correct on the operations master and to update the account lockout information.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English-language version of this fix should have the following file attributes or later: 
   Date        Time       Version        Size           File name

   -----------------------------------------------------------------
   8/23/2000   3:15:08PM  5.0.2195.2103  348,944 bytes  Netlogon.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

Programs that are not authorized on a network can repeatedly retry a bad password which causes excessive load on the operations master.

A change in this behavior causes Netlogon on the domain controllers to maintain a negative cache of logons that recently did not work because of a "bad" password. Based on that cache, Netlogon on the domain controller does not forward those requests to the operations master. Fifty negative cache entries are maintained to prevent denial of service on the domain controller based on memory consumption.

The negative cache becomes active only after a particular user has already sent 10 recent requests to the operations master. This occurs so that a user can log on, have their password not work, and then change their password without being affected by the negative cache.

If the domain supports account lockout, the operations master indicates that it has locked out an account before the negative cache becomes active.

One request is sent on demand to the operations master every five minutes even if there is an active, negative cache entry. This is done to ensure that the user becomes aware of a new password on the operations master even if the negative cache is active.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Modification Type:MinorLast Reviewed:9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbfix kbFSMO kbnetwork kbWin2000PreSP2Fix KB272065
©2004 Microsoft Corporation. All rights reserved.