password replication

Thread starter: rav
hi,

Can someone please tell me if, in a Windows 2003 / XP environment, password
replication is seen as "urgent replication"?

I have read 3 docs from Microsoft: KB232690, KB306133, and best of all
"Account passwords and policies", which states that "The default frequency
for replication between sites is to replicate every 15 seconds with a
3-second offset to stagger the replication interval". Now this is as wrong
as it can get; whoever wrote this should have said "within sites". This
document also states "By default, urgent replication does not occur across
site boundaries", but if it is not the default, then how is it changed?

All I want to know is if I change a guy's password on a DC in site 1, can a
user then log on OK to a DC in site 2?

Dear Microsoft, please spend some of your trillions on decent technical
authors and maybe a few proof readers.

Thanks
 
Rav. A password change is classified as an "Important change" and is
replicated immediately, besides the 15-minute interval.
 
Chriss3 said:
Rav. A password change is classified as an "Important change" and is
replicated immediately, besides the 15-minute interval.

IIRC, the DC to DC synch does not have to happen immediately, but the DC to
PDC Emulator is given preferential priority.
If a user tries to access a resource and the DC has a different
username/password pair, the first thing it does (before rejecting the
request) is to perform a check against the PDC emulator, so DC to DC
synchronization of passwords is not critical to the correct operation of the
network.

Andy.
 
Chriss3 said:
Rav. A password change is classified as an "Important change" and is
replicated immediately, besides the 15-minute interval.

I'm afraid that's not quite true. Password changes are indeed treated
with special attention by the directory service but they are not
urgently replicated. When a password is altered, it is pushed (not
replicated) by the DC receiving the originating update to the domain's
PDC FSMO where the change is also committed (the push is handled by
NETLOGON if memory serves). Other DCs receive the password update
through normal replication. In order to ensure that the new password is
available for near-immediate use, when DCs process a failed
authentication attempt for a valid user, they resubmit the attempt to
the domain's PDC FSMO in order to verify that they are not in possession
of a stale password. If the PDC deems the authentication attempt
successful, the original authenticating DC allows the logon to proceed.

This behavior can be altered should the authenticating DC and the PDC
FSMO exist in separate sites by modifying the following registry value -

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AvoidPdcOnWan

A value of 0 (the default) exhibits the behavior outlined above while a
value of 1 prevents the authenticating DC from performing both the
password push and the secondary PDC password verification if and only if
the PDC exists in a foreign site.

Dean
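To check on a given DC whether the cross-site behaviour Dean describes is in effect, here is an added PowerShell example (not from the thread). It assumes it runs on a domain controller with the ActiveDirectory module installed, reads AvoidPdcOnWan (treating an absent value as the default of 0, which matches Rav's finding that the value is not present by default) and compares the local DC's site with the PDC emulator's site.

```powershell
# Added example: report AvoidPdcOnWan and whether the PDC emulator sits in
# another site, i.e. whether failed logons here are re-verified against the
# PDC and password changes are pushed to it. Assumes the ActiveDirectory
# module (RSAT) is available and that this host is a DC.
Import-Module ActiveDirectory

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# The value is normally absent; absent means the documented default (0).
$avoid = (Get-ItemProperty -Path $paramsKey -Name AvoidPdcOnWan `
          -ErrorAction SilentlyContinue).AvoidPdcOnWan
if ($null -eq $avoid) {
    $avoid  = 0
    $source = 'not set (default)'
} else {
    $source = 'explicitly set'
}

$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
$local  = Get-ADDomainController -Identity $env:COMPUTERNAME

$pdcInOtherSite = $local.Site -ne $pdc.Site

# Chaining to the PDC is suppressed only when AvoidPdcOnWan is 1 AND the
# PDC is in a foreign site; in every other case it stays active.
$chainsToPdc = -not ($avoid -eq 1 -and $pdcInOtherSite)

[pscustomobject]@{
    LocalDC               = $local.HostName
    LocalSite             = $local.Site
    PdcEmulator           = $pdc.HostName
    PdcSite               = $pdc.Site
    AvoidPdcOnWan         = "$avoid ($source)"
    PdcInOtherSite        = $pdcInOtherSite
    PasswordChainingToPdc = $chainsToPdc
}
```

If PasswordChainingToPdc comes out False, a user whose password was just changed in another site may be rejected by this DC until normal replication has delivered the new password.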
 
Thanks for your replies all. Dean, the reg key is not on a 2003 DC by
default; maybe it's for 2000. So, should this key be created on a 2003 DC?

I have actually tested this out and when I changed a users password in site
1 he could still log on after a matter of seconds with the new password from
a DC in a different site.

My conclusion can only be that by default passwords are propagated back to
the DCs in all sites. The reason I say this is that by running the "set l"
command the logon server was the remote site DC.

Regards
Rav


Dean Wells said:
[Dean's reply quoted in full; see above.]

--
Dean Wells [MVP / Windows platform]
MSEtechnology
 
Password change is not an urgent replication and thus it is not replicated
urgently. If a user changes their password at one DC, the password is "pushed" to
the server acting as PDC emulator. If the user then immediately tries to log on
at another DC, the DC fails to authenticate the user and asks the PDC emulator
if the password is right. As the password is always current on the PDC emulator, the
server finally authenticates the user.

From Q232690
When passwords are changed in Windows 2000 they are not replicated urgently.
However, when a password is changed, it is "pushed" to the primary domain
controller (PDC). "Pushed" means that the password is sent over NETLOGON's
secure channel to the PDC. Specifically, the backup domain controller (BDC)
makes a remote procedure call (RPC) to the PDC, which indicates the user and
the user's new password. The PDC then sets this value locally. This push
mechanism is independent of Windows 2000 replication. For additional
information about urgent replication, click the article number below to view
the article in the Microsoft Knowledge Base:
--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
 