If you look at a modern AD driver's Driver Configuration, you will see
two settings (under the Access Options section), which the docs explain
as follows (Section A.1.5, Driver Parameters):

Password Sync Timeout (minutes): Specify the number of minutes for the
driver to attempt to synchronize a given password. The driver does not
try to synchronize the password after this interval has been exceeded.

The recommended value is at least three times the value of the polling
interval. For example, if the Driver Polling Interval is set to 10
minutes, set the Password Sync Timeout to 30 minutes.

If this value is set to 0, password synchronization is disabled for this

If this value is set to -1, passwords never expire. It can reach a
maximum value of 2147483647 minutes.

The default value is 5 minutes.

DC Passwords TimeToLive (minutes): Specify the time limit in minutes for
the passwords to be stored in the Domain Controller registry.

This allows the passwords that are stored in the Domain Controller
registry to time out if the password does not synchronize to the driver
within the specified time.

If this value is set to -1, passwords will never be deleted from the

The default value is -1.

So the question is about the interactions between the values of:
DC Passwords TimeToLive
Password Sync Timeout

The part I am unclear on is the DC Password setting. A password change
is caught by the filter on the specific DC it is set on. Then it is
written to that DC's registry (Cache, to ensure it is not dropped), then
it is forwarded to the Remote Loader instance, where it is written to
THAT registry and removed from this DC's registry.

This otherwise excellent TID,
https://www.netiq.com/support/kb/doc.php?id=3614450 does not address
this issue.

So the concern is: a DC goes down with tons of local password changes
recorded, then comes back up later (the network drops for 2 hours, say)
and replays the old, possibly now outdated, password changes. That is
probably more likely in the RL-on-a-DC case, since a password change
usually only happens on one DC.

So in order to minimize that you want to set the two settings properly.

1) Am I reading this correctly?

DC Password TTL is about how long any given DC will cache it locally
before cleaning it up? So if set to 5 minutes, it will try to send it
to the RL/driver instance for 5 minutes, then drop the event?

And Password Sync Timeout starts from the driver level, where once the
password is on the Driver/RL instance, it will try for 5 minutes before
giving up and dropping the event?

2) If you run the RL on a DC, how do the settings interact?