
Need some help on authentication. Noticed in our logs that user1 has a ton of Kerberos pre-auth failures. User1 has a bad password. However, when I look at the logs more closely, I'm a little confused by the events.

User1 is authenticating against DC2. I see a second authentication attempt from DC2 against DC1 for User1. DC1 and DC2 belong to the Kerb realm. Why is auth going from DC2 to DC1? Why isn't the auth happening on DC2?

nizbit

1 Answer


Presumably DC1 is the domain controller which holds the PDC emulator FSMO role. Accordingly, on every bad password attempt, the authenticating Domain Controller checks with the PDCe before failing the logon.

The reason for this is that when a password is changed by a user, a special replication is triggered. The DC which handles the password change notifies the PDCe that the password has changed, outside of the normal notification/replication cycle. The DC then proceeds with replicating the password to all of its partners following the normal replication cycle.

So, because the PDCe is almost always notified (near immediately) that there has been a password change, in the event a user submits a bad password, a Domain Controller nearly always checks with the PDCe in case the DC has an out-of-date password hash.

Semicolon
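As an added example (not from the thread or either poster), here is a small script that counts pre-auth failures per account while treating the PDCe re-check described in the answer as the second half of one bad-password attempt rather than a new one, so the account's failure count is not doubled. The DC names and addresses, the use of the "Client Address" field, and the sample events are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical layout for this example: DC1 holds the PDCe role, and the
# "Client Address" field of each 4771 event names whoever sent the AS-REQ.
PDC_EMULATOR = "DC1"
DC_ADDRESSES = {"10.0.0.1": "DC1", "10.0.0.2": "DC2"}  # constructed DC IPs


@dataclass(frozen=True)
class PreAuthFailure:
    logged_on: str    # DC whose Security log holds the event
    account: str      # target account name
    client_addr: str  # Client Address field of the event


def is_pdce_recheck(ev: PreAuthFailure) -> bool:
    """True when the PDCe logged a failure another DC forwarded to it.

    That event is the second half of one bad-password attempt, not a new one.
    """
    return (ev.logged_on == PDC_EMULATOR
            and DC_ADDRESSES.get(ev.client_addr, PDC_EMULATOR) != PDC_EMULATOR)


def summarize(events) -> dict:
    """Per-account counts: raw events, forwarded re-checks, real attempts."""
    stats = defaultdict(Counter)
    for ev in events:
        stats[ev.account]["raw"] += 1
        kind = "forwarded" if is_pdce_recheck(ev) else "real"
        stats[ev.account][kind] += 1
    return {acct: dict(c) for acct, c in stats.items()}


# Constructed sample log: user1 fails three times on DC2 from a workstation
# and DC2 re-checks each against DC1; user2 fails once directly on DC1.
SAMPLE_EVENTS = [
    PreAuthFailure("DC2", "user1", "10.0.5.17"),
    PreAuthFailure("DC1", "user1", "10.0.0.2"),
    PreAuthFailure("DC2", "user1", "10.0.5.17"),
    PreAuthFailure("DC1", "user1", "10.0.0.2"),
    PreAuthFailure("DC1", "user2", "10.0.7.3"),
    PreAuthFailure("DC2", "user1", "10.0.5.17"),
    PreAuthFailure("DC1", "user1", "10.0.0.2"),
]

if __name__ == "__main__":
    for acct, c in summarize(SAMPLE_EVENTS).items():
        print(acct, c)
```

A forwarded count that is consistently higher than the real count for an account points at a DC whose events are being double-counted, not at extra logon attempts.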