Windows 2000 domain controllers use machine accounts to facilitate communications among themselves and to other computers on the network. These accounts are in the form of ComputerName$ and are not manageable by administrators.

When a machine account password changes, it is possible for domain controllers to use the incorrect password enough times to lockout the machine account. Once this happens, replication will fail.

There is no function in the Windows 2000 set of interfaces to enable the locked out machine account.

In Windows NT 4.0, the machine account is only used for the secure channel and no lockout ever occurs. In Windows 2000, the computers use Kerberos logons for the machine account, and lockouts can occur.

Until Microsoft addresses this issue, you might want to consider using DisablePasswordChange on domain controllers, or RefusePasswordChange on the PDC emulator, or BOTH.