Sync between two DC


Nicolas Macarez

Hi
I have a Win2K domain and two Win2K Server machines acting as DCs (Domain
Controller) of the same single domain.
From time to time, when a user changes his or her password, and then tries
to test this brand new password immediately after, he or she can't log on to the
domain.
I think this is because the password has been changed on one DC server but
not yet on the other one - and this is precisely this last one he or she is
trying to authenticate against.
My question is: is there a way to speed up the sync process between the two
DCs (I guess it's the sync of the SAM files we are speaking of).
Help appreciated.
Nicolas
 
Actually, the DCs use PDC Chaining for passwords, what it means is that it
will use Urgent replication for password changes and lockout (lockout =
badPasswordCount will increase by one until it hits the max number specified
in the Account Policy). I would suggest that you read the Account Lockout
Best Practices White Paper for details and how to troubleshoot it.

http://www.microsoft.com/downloads/...90-a13b-4977-a4fc-3e2b67e3748e&displaylang=en

Regards,
/Jimmy
 
Thanks Jimmy for this great resource I downloaded.
However, since it occurred with the good new password (denial of
authentication, and then lock out after 5 attempts), and that I'm sure I was
not typing a bad spelling or whatever, I am wondering if I may not have a
problem with this "Urgent replication". How can I be sure this process
really takes place (Event viewer?).
Regards
 
From the Win 2000 ResKit at:
http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbh_rep_hnvb.asp

<snip>
Managing Urgent Replication
The following guidelines can be useful when deciding whether to enable
change notification between sites relative to achieving urgent replication.
If you want urgent replication everywhere, put all domain controllers for
the specific domain in a single site (this option might not be realistic).
If you want urgent replication everywhere but still want the benefits of
site affinity, use multiple sites and enable change notification on all site
links.
By default, a user lockout prompts urgent replication at the site that
contains the domain controller that handled the authentication and the site
that contains the PDC emulator role owner.
<snip>

AD Diagnostics, Troubleshooting and Recovery:
http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbi_add_VOST.asp

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
