It's strictly a judgment call. You decide how important it is to have password changes replicate *now* and then weigh that against the costs of having very low replication latency. Costs might include available bandwidth, other applications using the same network, etc.
 
In general, I'd stay away from letting this be the driving factor in determining your replication schedule. Change the password in the user's site, and 99% of the time the user should be fine within 15 minutes (default intrasite maximum replication period if you have 5 or more DCs in the site) or less.


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 7:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication issues

What does changing the replication schedules explicitly for password resets entail, and is it recommended?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, April 27, 2004 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication issues

Unless you want to start changing your replication schedules explicitly for password resets, you're doing the right thing. Change the password on a DC in the user's site. If you're at SP4 (I think, could have been SP3) then the password change will also get sent on to the PDC emulator immediately. Anytime a user enters an incorrect password, the local DC will pass on the request to the PDCE in case the password had changed on a different DC.
 
The Account Lockout Status tool is probably the best utility for checking on password replication. Among other things, it will show the timestamp for password last set on each domain controller, so you can have a good idea of the replication state on the change. http://www.microsoft.com/downloads/details.aspx?FamilyID=d1a5ed1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en (watch for URL wrap)
 
Hunter
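
The per-DC "password last set" comparison described above can also be scripted. The following is an added example, not part of the original thread and not the Account Lockout Status tool itself; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name `Get-PwdReplicationState` is hypothetical.

```powershell
# Added example: show which DCs already hold the newest pwdLastSet for an account.
# Assumes the ActiveDirectory module (RSAT); the function name is hypothetical.
Import-Module ActiveDirectory

function Get-PwdReplicationState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [pscustomobject]@{
            DC            = $dc.HostName
            Site          = $dc.Site
            IsPDCE        = $dc.OperationMasterRoles -contains 'PDCEmulator'
            PwdLastSetUtc = $null
            Current       = $false
            Error         = $null
        }
        try {
            # Ask this specific DC; each DC returns the value it currently holds.
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet -ErrorAction Stop
            # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC);
            # 0 means "must change password at next logon".
            $row.PwdLastSetUtc = [DateTime]::FromFileTimeUtc([long]$user.pwdLastSet)
        }
        catch {
            # An unreachable DC is reported rather than silently skipped.
            $row.Error = $_.Exception.Message
        }
        $row
    }

    # The newest timestamp seen on any reachable DC is the reference value.
    $newest = $rows | Where-Object { $_.PwdLastSetUtc } |
              Sort-Object PwdLastSetUtc -Descending |
              Select-Object -First 1 -ExpandProperty PwdLastSetUtc

    foreach ($row in $rows) {
        $row.Current = ($null -ne $newest) -and ($row.PwdLastSetUtc -eq $newest)
    }
    $rows | Sort-Object Site, DC
}

# Usage (account name is a placeholder):
# Get-PwdReplicationState -SamAccountName 'jdoe' | Format-Table -AutoSize
```

DCs with `Current = False` have not yet received the change; comparing them against the row flagged `IsPDCE` shows whether the reset has reached the PDC emulator.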


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 27, 2004 7:07 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Replication issues

We have always been having weird issues with replication. We have about 30 AD sites all over the world. When we change or reset a password here for a user at a remote site, it takes quite a long time (30-60 minutes or more) to replicate to the user's site. So, we are having to connect to their local domain controller and reset the password there. What is the best practice for setting up and tuning replication and resetting passwords, and what tools are recommended (replmon?) for "testing" it, and how long should it take?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~