Did you know that in AD FS on Windows Server 2012 R2, once you enable the “Extranet Lockout” feature for requests arriving through the Web Application Proxy, every password-based authentication also contacts the PDC emulator of the user’s domain?
Lu Zhao explained the feature on the MSDN blog: https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/
In essence, to decide whether a user is extranet-locked-out, AD FS reads the user’s badPwdCount attribute, and it asks the PDC emulator for that value because the PDC is the authoritative source (badPwdCount is not replicated; each DC keeps its own count and forwards failed attempts to the PDC). If AD FS cannot connect to the PDC (firewalls or routing in the way), the lockout check fails and the user’s authentication is not completed.
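To see this dependency in practice, the following PowerShell script (an added example, not from the original post or from Lu Zhao’s article) reads badPwdCount for one account from every DC in the domain, marks the PDC emulator, and then checks that the PDC is reachable on LDAP from the host you run it on, e.g. the AD FS server. It assumes the ActiveDirectory RSAT module is installed; the account name `jdoe` is a placeholder, and TCP 389 is assumed as the port AD FS needs for the PDC lookup.

```powershell
# Added example (not part of the original post): compare badPwdCount per DC
# and check PDC reachability. Requires the ActiveDirectory RSAT module.
param(
    [string]$User   = 'jdoe',                 # assumed sample account, replace as needed
    [string]$Domain = $env:USERDNSDOMAIN      # domain of the account
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object -ExpandProperty HostName

# badPwdCount and badPasswordTime are not replicated between DCs. Each DC keeps
# its own count and forwards failed attempts to the PDC emulator, so only the
# PDC has the domain-wide total. This is why AD FS asks the PDC, not a local DC.
$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc `
                -Properties badPwdCount, lastBadPasswordAttempt
        [pscustomobject]@{
            DC                     = $dc
            IsPDC                  = ($dc -eq $pdc)
            badPwdCount            = $u.badPwdCount
            lastBadPasswordAttempt = $u.lastBadPasswordAttempt
        }
    } catch {
        # A DC that this host cannot query shows up as 'unreachable'
        [pscustomobject]@{
            DC = $dc; IsPDC = ($dc -eq $pdc)
            badPwdCount = 'unreachable'; lastBadPasswordAttempt = $null
        }
    }
}
$results | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# The extranet lockout check needs a connection to the PDC. If this fails from
# the AD FS server (firewall/routing), extranet sign-in fails as described above.
# TCP 389 (LDAP) is assumed here as the port used for the badPwdCount lookup.
$probe = Test-NetConnection -ComputerName $pdc -Port 389
if ($probe.TcpTestSucceeded) {
    Write-Host "PDC $pdc reachable on TCP 389 from $env:COMPUTERNAME"
} else {
    Write-Warning "PDC $pdc NOT reachable on TCP 389 from $env:COMPUTERNAME; extranet lockout checks will fail"
}
```

Run it from the AD FS server while a test user types a few wrong passwords through the WAP: the PDC row should climb with every attempt, while other DCs show their own, usually lower, counts. A failed TCP probe to the PDC is exactly the situation in which 2012 R2 AD FS cannot complete the user’s authentication.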
Lu wrote that the team was looking at changing the feature to allow a fallback to a local DC in case the PDC is not available.
It looks like Microsoft delivered on that, at least judging from what we can see in AD FS on Windows Server 2016 TP4. My friend Thomas (http://setspn.blogspot.de/) did some investigation, and it looks like there is a new property that one can set in AD FS 2016: