When a user changes their password, the password change is directed to the user's LOGON SERVER on the Domain controller. This is denoted by the %LOGONSERVER% environment variable.
If the user's Logon Server changes to a domain controller that does not have the Password synchronisation agent installed, then password requests cannot be intercepted and directed to Provisioning. This can happen if the Password sync agent is installed on the production domain controllers but not the backup/disaster recovery domains controllers.
Applicable to the Windows Password Synchronization Agent on all windows platforms.