Change Field Replication Priority

Stephen Becker

We use an in-house built application for managing password changing. It
uses the "Smart card is required for interactive logon" flag in AD to
lock out accounts which are out of compliance.



Our problem is this: delays in DC replication cause users to be delayed
15-30 minutes between having their account unlocked and them being able to
log in.



I know that passwords, account lockout and disabled status replicate
immediately. Is there a way to configure our AD environment to replicate
this Smart card field immediately so users do not have to wait for normal
replication?



We are still running the Windows 2000 level of Active Directory.



Stephen Becker
 
Joe Richards [MVP]

Actually those other things don't replicate immediately. Accounts that
are locked out (not unlocked) will fire an urgent replication request
which means that within a single site, a change notification will go out
immediately to QUEUE up a normal priority replication request. Depending
on how busy the environment is, specifically the replication queues, the
change will get replicated out.

All the urgent replication does is avoid the holdback timers that
normally exist for change notification which only works within a single
site or on any site links in which you have enabled change notification.
So with Windows Server 2003... you probably saved 15-60 seconds within
a site depending on number of DCs in the site. With Windows 2000 you
were saving anywhere from 5-15 minutes within a site, again dependent on
the number of DCs in that site.

Urgent replication does nothing across site links, again unless change
notification is enabled, which means you aren't using scheduled
replication. If you aren't using change notification across sites (not a
normal thing for most places) then it follows the normal replication
schedule, which could be minutes to weeks depending on the replication
topology.

Passwords and the disable flag are not even queued urgently. Passwords
seem to be replicated immediately due to a feature called PDC chaining:
if you try to use a password in a site and it fails, the local DC will
contact the PDC and ask if the password is ok. If it is, the PDC will ok
the authentication and alert the local DC it should allow the user on,
and then a replicate single object for that user ID will occur on the
local DC, which will pull the changes down to the local DC from the PDC.

You have two programmatic options (besides not using the smart card flag):

1. When you change the status of the account, the program changes it on
all DCs at the same time, i.e., you don't wait for replication, you just
set it everywhere at once. This is a common strategy for apps that
unlock accounts.

2. You make the change on the PDC and fire a replicate single object
call against every DC in the forest to the PDC for that object. You
could make the change on any DC and fire that request to hit that DC, but
if you have to home in on a machine, you might as well use the PDC
since it already needs to be available and should have the most up to
date password of all machines.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
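The two programmatic options Joe describes (write the flag on every DC at once, or write it on the PDC emulator and pull the single object to each DC), as an added PowerShell example that is not from the thread or from joeware.net. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later, so not the Windows 2000 forest in the question), repadmin.exe on the path, and a caller allowed to modify the account on each DC; the script name and parameter names are hypothetical.

```powershell
# Added example (not from the thread): push the "Smart card is required for
# interactive logon" change to every DC at once (option 1), or write it once on
# the PDC emulator and trigger replicate-single-object pulls (option 2).
# Assumes the ActiveDirectory module and repadmin.exe are available.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [bool]   $RequireSmartcard,
    [ValidateSet('AllDCs', 'PdcThenReplSingleObj')] [string] $Mode = 'PdcThenReplSingleObj'
)
Import-Module ActiveDirectory

$pdc  = (Get-ADDomain).PDCEmulator
$dcs  = (Get-ADDomainController -Filter *).HostName
$user = Get-ADUser -Identity $SamAccountName -Server $pdc

switch ($Mode) {
    'AllDCs' {
        # Option 1: write the same value to every DC directly, so no DC has to
        # wait for replication before it enforces the new state.
        foreach ($dc in $dcs) {
            try {
                Set-ADUser -Identity $user.DistinguishedName -Server $dc `
                           -SmartcardLogonRequired $RequireSmartcard -ErrorAction Stop
                Write-Host "[$dc] set SmartcardLogonRequired=$RequireSmartcard"
            } catch {
                # An unreachable DC is logged, not fatal; it converges by normal replication.
                Write-Warning "[$dc] write failed: $($_.Exception.Message)"
            }
        }
    }
    'PdcThenReplSingleObj' {
        # Option 2: one authoritative write on the PDC emulator, then ask every
        # other DC to pull just this object from the PDC.
        Set-ADUser -Identity $user.DistinguishedName -Server $pdc `
                   -SmartcardLogonRequired $RequireSmartcard
        foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
            # repadmin /replsingleobj <destination DSA> <source DSA> <object DN>
            $out = & repadmin.exe /replsingleobj $dc $pdc $user.DistinguishedName 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "[$dc] replsingleobj failed: $out" }
            else { Write-Host "[$dc] pulled $($user.DistinguishedName) from $pdc" }
        }
    }
}

# Verify convergence: read the flag back from every DC rather than trusting the writes.
foreach ($dc in $dcs) {
    $v = (Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties SmartcardLogonRequired).SmartcardLogonRequired
    Write-Host ("{0,-30} SmartcardLogonRequired={1}" -f $dc, $v)
}
```

The final loop is the check worth keeping in an unlock tool: a DC that still reports the old value is the one whose users will see the 15-30 minute delay from the question.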