Account lockout in multiple sites

[Allison]

I have a Win2000 domain and multiple domain controllers at 2 seperate sites
within Active Directory. When an account gets locked out, I can see the
lockout at one site and not the other. I thought that 'account lockouts'
and 'password resets' were replicated immediately to the other sites. The
link between both sites is equivalent to five T-1 lines so I know that
bandwidth is not an issue.

Can anyone help me on this?

Thanks

 

[Richard Moreno]

Hi Allison-

I would be concerned about your replication topology. How does your AD Sites
& Svcs config look? Anything in your event logs? Also, may I suggest using
REPLMON to ensure all replications are up to date.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Allison]

REPLMON shows no replication errors. Event logs look clean, no warning or
critical alerts. I have two DCs in one site and one DC in the other.
Replication takes place every 15 minutes. 'Account lockouts' and 'password
issues' eventually will replicate to the other site, but I always thought
these parameters took affect immediately so as to avoid the problems that we
are experiencing now.

 

[Richard Moreno]

So is the user who is getting locked out located in Site 2 (with only 1 DC)?
Also is your site link configured for IP replication (default AD
parameters)?

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Allison]

Yes, IP is used. Replication is set to take place at 15 minute intervals. I
am just saying, in general, that when a user is 'locked out' on a DC at one
site, the user will not show 'locked out' on the DC at the other site until
10 or minutes have past. Even when you unlock the account, the other site
will not show it unlocked until 10 or more minutes later. I am just curious
if these parameters should take affect immediately at all sites or I have to
wait for the replication time to take place.

thanks

 

[Richard Moreno]

Hi Allison-

My apologies I thought you were getting a feel for what the solution is
however, you are correct. Account lockouts fall under the urgent replication
protocols in AD. Please see below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;232690
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306133

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Allison]

Thanks that helped. I wish there was an option to allow these settings to
be replicated immediately to the other site.

 

[Bob Qin [MSFT]]

Hi Allison,

Thanks for your posting here.

By default, urgent replication does not occur across site boundaries. You
need to use replmon to force immediate replication across site boundaries.
You can obtain the replmon tool from the Windows 2000 Support Tools on the
Windows 2000 CD-ROM.

Fore more information, please refer to the following article.

Initiating Replication Between Active Directory Direct Replication
http://support.microsoft.com/?id=232072

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Allison]

Well, I ended up merging all DCs at both sites into one site within ADSS. I
have equivalent to 5 T-1 lines between both remote locations. I figured
that with the high bandwidth that it would be ok to still have only one
site.

What do you think?

 

[Richard Moreno]

I would agree. Nice job

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

*This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[Todd Myrick]

One thing to keep in mind is that it can take up to 15 minutes + for each
site you hop between. That is why it is probably a good idea to use hub and
spoke designs and make sure the bridgehead servers are selected... to be
more deterministic.

--
Todd Myrick
Microsoft MVP
http://www.toddm.org/adog AD BLOG
http://www.activedir.org AD List

http://www.microsoft.com/windows2000/community/centers/directoryservices/default.mspx
MS AD Community
http://www.microsoft.com/windows2000/community/default.mspx MS Server
Community
http://www.aelita.com AD Management tools I use
http://www.netpro.com AD Monitoring Tools I use