Cannot change passwords


Hugp Capela

Hi,

I have a problem in my W2K Server SP4 domain controller. When I try to
change my password I get the following message: "The system cannot change
your password now because the domain DOMAIN_NAME is not available".
What could this be?
Tks in advance

Hugo
 
Hi Hugo,

I know you said that your domain controller is already at SP4 but
this article describes your issue:

324141 Changing the Password on a Locked-Out Account Generates a
"Domain Not
http://support.microsoft.com/?id=324141

You might want to make sure that every domain controller is at SP4 and
double check the versions of the files that are replaced in this
article to make sure that you are on the latest version. The article
also indicates that the account may be locked out. Could this be the
case and a connectivity issue is causing you to log on with cached
credentials?



Tom Ausburne (MSFT)
Windows 2000 Directory Services
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Hello Hugo,

This sounds like the issue listed in the article below, please dial
1-800-936-4900 and ask for this fix for your winxp machine:
324141 Changing the Password on a Locked-Out Account Generates a "Domain Not
http://support.microsoft.com/?id=324141

This could also be that W2K is unable to resolve the 1B entry.
- For W2K, we need to ensure W2K can get the 1B name resolution via one of
the three methods.
- - Broadcasts, LMHOSTS, WINS.

Background information:
========================
If we are using Windows 2000:
- W2K pings the server (as defined in the one line) with a UDP/Direct
Group msg to the 1C of the LMHOSTS
- - W2K tries to find a 1B via broadcasts (reason: a 1C does not mean
you can change password, it means you have a DC (read-only), not the PDC
(read/write))
- If there is no 1B resolution, W2K will not change the password.

If we are using Windows NT 4:
- Without the 1B, NT starts a broadcast request on the wire for the
machines that are 1B and 1C (even though NT has preloaded 1C)
- - This happens 3 times.
- Then NT sends a "Query for Primary DC" or LOGON_PRIMARY_QUERY to any DC
it knows on that domain via UDP/Direct Group
- The DC will send back the name of the PDC
- Then NT repeats everything (broadcast, query, response) again 2 more
times (total 3)
- Finally, NT does a \samr connection to the PDC and changes the password.

This is by design. To change a password in a down-level domain, we must know
the 1B, no matter what. In Windows 2000, we stopped using the
LOGON_PRIMARY_QUERY as much, to decrease unwanted and uncontrollable netlogon
traffic in W2K and later OS.

So, in Windows 2000 and above, the 3 ways to load the 1B are: LMHOSTS,
broadcast or WINS. In NT4, the 4 ways to load the 1B are: LMHOSTS,
broadcast, WINS or (in our case) asking another DC via the netlogon function
LOGON_PRIMARY_QUERY.

Thank You.
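The reply above says W2K will not change a password unless it can resolve the domain's 1B name (the PDC) via LMHOSTS, broadcast or WINS. As an added example that is not part of this thread, the Python below builds the LMHOSTS line that preloads DOMAIN<1B>, checks an LMHOSTS file for such an entry, and shows the RFC 1001 first-level encoding of the same name as it appears in a broadcast or WINS query; the IPs and the CORP domain are constructed sample values.

```python
import re

def pdc_1b_line(ip, domain):
    """Build the LMHOSTS line that preloads DOMAIN<1B> (the PDC).
    LMHOSTS requires the quoted form: name padded to exactly 15 characters,
    followed by the \\0x1b suffix escape."""
    if not 1 <= len(domain) <= 15:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    return f'{ip}   "{domain.upper():<15}\\0x1b"  #PRE'

# Constructed sample LMHOSTS content (not taken from the thread).
SAMPLE_LMHOSTS = "\n".join([
    "# constructed example lmhosts",
    "192.0.2.10   PDC01   #PRE #DOM:CORP",
    '192.0.2.10   "' + "CORP".ljust(15) + '\\0x1b"  #PRE',
    "192.0.2.11   BDC01   #PRE #DOM:CORP",
])

# IP, then a quoted 15-char name followed by a \0xNN suffix escape.
_QUOTED = re.compile(
    r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"(.{15})\\0x([0-9a-fA-F]{2})"')

def find_1b_entries(lmhosts_text):
    """Return {DOMAIN: ip} for every quoted LMHOSTS entry whose suffix is 0x1B.
    An empty result for the domain means W2K must fall back to broadcast or WINS."""
    found = {}
    for line in lmhosts_text.splitlines():
        m = _QUOTED.match(line)
        if m and int(m.group(3), 16) == 0x1B:
            found[m.group(2).rstrip().upper()] = m.group(1)
    return found

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding of the 16-byte NetBIOS name (15-char
    padded name + 1-byte suffix): each nibble becomes a letter 'A'..'P'.
    This is the form of DOMAIN<1B> seen in a broadcast or WINS name query."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F))
                   for b in raw)

if __name__ == "__main__":
    print(pdc_1b_line("192.0.2.10", "corp"))
    print(find_1b_entries(SAMPLE_LMHOSTS))
    print(encode_netbios_name("CORP", 0x1B))
```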
 