Deny replication in AD

mostarx

Hello

I need advice. I have Active Directory with four domain controllers on
Win 2003 in different sites. The problem is that I want new users and
other settings to be changeable only on the first DC, which was created when I
created the domain. Is there some way that I can deny any changes on the other
DCs, or deny two-way replication so that replication can go only
from the first DC to the other DCs, not from the other DCs to the first DC?

Thank you
 
Harj

Hi,

Well, this can be done, but like Jorge asks, why?

To disable outbound replication for a particular DC, use the following
command:
repadmin /options <dc name> +DISABLE_OUTBOUND_REPL

To re-enable outbound replication, run:
repadmin /options <dc name> -DISABLE_OUTBOUND_REPL

To disable inbound replication for a particular DC, use the following
command:
repadmin /options <dc name> +DISABLE_INBOUND_REPL

To enable inbound replication, run:
repadmin /options <dc name> -DISABLE_INBOUND_REPL

Good luck

Harj Singh
Power your Active Directory
www.specopssoft.com
 
Harj

Hi again,

This will stop replication, but when creating the users, you will have
to make sure they are being created on the domain controller that you
do not wish to replicate.
This could cause issues, as now EVERY TIME you make a change you must
make sure you are connecting to the one and only DC you wish to have
this information.

You're taking a big chunk out of Active Directory if you have 4 DCs
but only want one to replicate.
 
mostarx

Because I do not want the admin at the branch office to be able to make any changes in AD.
Is there a way that I can make AD on a specific DC unwritable, so that nobody
can create any user or make any changes?

Thank you

Harj wrote:
 
Jorge de Almeida Pinto [MVP - DS]


If the person is an ADMIN on ANY DC, you CANNOT prevent that person from
changing anything in AD.

It is that simple.... Longhorn server will provide a read-only DC which will
help you in what you want --> admin on a DC and to manage all kinds of
things, BUT not change ANYTHING in AD.

If you want to prevent that person from changing anything in AD, either
remove his permissions or remove his domain admin membership....

Can you explain what that person needs to do within the branch office?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Joe Richards [MVP]

This is a short term solution, there are pieces of data that need to
replicate between DCs that have nothing to do with users. Block it long
enough and replication will just stop working period.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Paul Bergson [MVP-DS]

This won't stop changes, it will only stop replication, which will create
problems far beyond anything you are trying to prevent. If you can't trust
someone, remove their admin privileges.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
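
Added example, not part of any post in this thread: a PowerShell check that reads the `repadmin /options` output for each DC and reports whether the DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL flags from Harj's post are still set, so a block left in place too long (the problem Joe Richards describes) gets noticed. The DC names, the sample output lines and the function name Get-ReplicationBlock are constructed for illustration; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread. Function name, DC names and sample
# output below are constructed for illustration.
function Get-ReplicationBlock {
    param([string]$DcName, [string[]]$OptionsOutput)

    $flags = @()
    $found = $false
    foreach ($line in $OptionsOutput) {
        # repadmin /options <dc name> reports a line such as
        #   Current DSA Options: IS_GC DISABLE_INBOUND_REPL
        if ($line -match '^\s*Current DSA Options:\s*(.*)$') {
            $found = $true
            $flags = @($Matches[1] -split '\s+' |
                       Where-Object { $_ -like 'DISABLE_*_REPL' })
            break
        }
    }
    New-Object PSObject -Property @{
        DC       = $DcName
        Parsed   = $found    # false: no options line seen, state unknown
        Inbound  = ($flags -contains 'DISABLE_INBOUND_REPL')
        Outbound = ($flags -contains 'DISABLE_OUTBOUND_REPL')
    }
}

# Constructed sample output, one entry per DC, so the check runs offline.
$samples = @{
    'DC1' = @('Current DSA Options: IS_GC')
    'DC2' = @('Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL')
    'DC3' = @('Current DSA Options: (none)')
    'DC4' = @('(constructed) output without an options line')
}

foreach ($dc in ($samples.Keys | Sort-Object)) {
    # Live use: pass (repadmin /options $dc) instead of $samples[$dc].
    $r = Get-ReplicationBlock -DcName $dc -OptionsOutput $samples[$dc]
    if (-not $r.Parsed) {
        "{0}: UNKNOWN, options line not found, check this DC manually" -f $dc
    } elseif ($r.Inbound -or $r.Outbound) {
        "{0}: replication DISABLED (inbound={1}, outbound={2})" -f $dc, $r.Inbound, $r.Outbound
    } else {
        "{0}: replication enabled" -f $dc
    }
}
```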
 
