When a user / machine account password is changed, or a DC receives a client authentication request using a bad password, the PDC FSMO role owner is contacted. If it is a password change, replication begins immediately.

This can cause unwanted WAN traffic.

You can alter this behavior by using Regedt32 on each DC to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

On the Edit menu, Add Value name AvoidPdcOnWan as a REG_DWORD data type. Setting the data value to 1 causes the DC to not contact the PDC FSMO role owner at a remote site to avoid password conflicts and to delay password change replication until the next replication cycle.

NOTE: This can result in the client being denied access until the next replication cycle.