Hi,
We have 3 domains in a forest, and users of one of those domains have been complaining that it's taking too long to change their passwords (5 minutes each change), and this is amplified by the fact we have a GPO for complex passwords and if they make a password change which doesn't abide by the rules set in our password policy it takes 5 minutes to come back saying to try again. Some users have therefore been taking 30 minutes to change their password! I have set up a test account on a spare workstation and confirmed this for myself.
They have a single domain controller at that office, and there's a secondary domain controller for that domain in another site. The DC in their office has the PDC emulator role, and the other 2 domain roles. The forest root DC is in another office, but I don't think that makes any difference.
Things I've tried:
Reboot the DC
Reboot the workstation
SFC /scannow
DCDIAG
Forced replication using repadmin to ensure it was working ok - it was quite fast
Pinged the DC from the workstation <1ms
Browsed fileshares on the DC - all working correctly and fast
Checked the event logs, none are found which suggest anything is working incorrectly, and the security logs say Kerberos is working correctly so we shouldn't be falling back to NTLM
DNS settings on client machines are good, same for the DC
DNS SRV records point to the correct local DC server in that site
nslookup reports DNS is working correctly too
I am stumped. Oh, I've also done the usual and searched Google for any answers but couldn't find any.
Please help!
Thanks
Jodey
Oh I should also say that this server is pretty fast, and there's only 8 people in that office, so it's not overloaded.