Passwords may only be changed on the primary server. As long as users can reach the primary server (either via AppleTalk or TCP/IP), they will be able to change their password there, despite whether they have access to any files on the primary server.
Until the user, on the secondary server, reaches its scheduled expiration time, users may continue to use their old passwords on the secondary server. If a user enters a new password on a secondary server before the current password expires, the login attempt will fail once. This will cause the secondary server to clear its cached entry for that user, and download a fresh one from the primary server. Therefore, when the user tries a second time with their new password, they will be able to log in with it.