When a user or machine account password is changed, or a DC receives a client authentication request using a bad password, the PDC FSMO role owner is contacted. If it is a password change, replication begins immediately.
This can cause unwanted WAN traffic.
You can alter this behavior by using Regedt32 on each DC to navigate to:
On the Edit menu, use Add Value to add the value name AvoidPdcOnWan with a REG_DWORD data type. Setting the data value to 1 causes the DC not to contact a PDC FSMO role owner at a remote site to avoid password conflicts, and to delay password change replication until the next replication cycle.
NOTE: This can result in the client being denied access until the next replication cycle.