Did you ever get verification from PSS on your theory?
I would back your theory. I've seen similar and had the same theory. It can also be a pain if FRS is broken on one or two DCs, as you will ping-pong forever until FRS is fixed. I have always thought having domain policy that replicates both through FRS and AD replication is rather unintelligent. If they wanted it to replicate through FRS, they should have made the attributes non-replicating in AD. Of course then you have the ability to make a DC have a different policy than the rest of the DCs by purposely breaking FRS... So maybe these shouldn't be replicated in FRS...
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, October 13, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication - urgent triggers confirmation
That's all correct, with one addition: if an account is locked out at a DC other than the PDCE, it uses 'immediate replication' to tell the PDCE about it. This does not wait for any schedule; it just happens. There's a webcast transcript out there that details the various kinds of replication wrt password changes, lockouts, etc: http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fservicedesks%2fwebcasts%2fen%2fwc022703%2fwct022703.asp
Regarding 'side effects', I believe you're talking about Site Link Notification. If Notification is enabled on a site link, notifications of changes are sent over that site link after the holdback period (5 min on Win2K, 15 sec on W2K3), just like they're sent to intrasite replication partners. That definitely speeds up replication, but you lose any benefit of scheduled replication. This may or may not be a big deal for you - depends on your available WAN bandwidth, change activity, etc.
We had a situation that forced us into enabling notification on our site links (single forest/single domain, hub/spoke topology) soon after we began deploying AD. It's a long story. Anyhow, we left it that way because we have no problems with it, and any changes to directory objects replicate everywhere very quickly. We've had it that way over three years now.
Interestingly, we had MS come in and do an 'AD Health Check' this summer, and before they even looked at anything they said "we can speed up your AD replication convergence from hours to minutes!" When I asked what they had in
mind, they started telling me about notification. I told them we'd already
been that way for 3 years, and they looked kind of disappointed - apparently
that revelation has been a big Wow for many other accounts they've
visited. They have a tool that measures convergence time of AD changes to
all DCs, and they like to show people how it goes from hours to minutes after
they do their magic.
Anyhow, through all that we did learn of one negative side effect.
We had left the Site Link Interval at the default 180 minutes on all site links,
figuring that it was moot with notification enabled. As it turns out, FRS
still obeys that interval, so changes to the SYSVOL can still take hours to get
everywhere. This was no big deal until we modified something in the
Account Policies of the Default Domain Controllers Policy. Some of the
settings there (Max Password Age for example) set values for attributes on the
Domain object. When we changed this, we saw that value 'ping-pong' between
the old and new values on many DCs for hours. I theorized what was
happening was that the new value on the domain object replicated to all DCs
quickly (due to notification), but many DCs had the old value in their copy of
the Default Domain Controllers Policy GPT in the sysvol. When they
reapplied their security policy, the value was set back, triggering another
attribute value replication. Eventually, once the sysvol on all DCs was up
to date, the 'ping-ponging' damped out and all DCs had the correct
value.
We're still working with PSS to validate this. I can tell you, though, that I was able to reproduce it at will, until I set the replication interval on all site links down to the minimum (15 min). After that, I can no longer make it 'ping-pong'.
If anyone else on the list has similar experiences, or can tell me
that I'm all wrong (and why), I'd love to hear about it.
Dave
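As an added example (not part of the thread), this PowerShell audits the two settings Dave's message turns on, site link notification and the site link interval that FRS still honours, and then reads the domain object's maxPwdAge from each DC individually so that the 'ping-pong' he describes can be observed rather than guessed at. It assumes the RSAT ActiveDirectory module and read access to the configuration and domain partitions.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# (RSAT) module and a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

$USE_NOTIFY = 0x1   # bit in the siteLink 'options' attribute that enables change notification

# 1. Site links: is notification on, and what interval does the schedule (and FRS) still use?
Get-ADReplicationSiteLink -Filter * -Properties options |
    ForEach-Object {
        [pscustomobject]@{
            SiteLink        = $_.Name
            IntervalMinutes = $_.ReplicationFrequencyInMinutes
            Notification    = (($_.options -band $USE_NOTIFY) -ne 0)
        }
    } | Format-Table -AutoSize

# 2. Read maxPwdAge from the domain head on every DC individually (-Server),
#    so each DC's own copy is shown rather than whichever DC answered first
$domainDN = (Get-ADDomain).DistinguishedName
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $raw = (Get-ADObject -Identity $domainDN -Properties maxPwdAge -Server $dc.HostName).maxPwdAge
        # maxPwdAge is a negative Int64 in 100-ns ticks; Int64.MinValue means 'never expires'
        $days = if ($raw -eq [long]::MinValue) { 'never' } else { [timespan]::FromTicks(-($raw)).TotalDays }
        [pscustomobject]@{ DC = $dc.HostName; MaxPwdAgeDays = $days }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; MaxPwdAgeDays = "unreachable: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# 3. More than one distinct value across the reachable DCs is the inconsistency to watch;
#    run this repeatedly after a policy change to see whether it settles or keeps flipping
$distinct = @($results |
    Where-Object { -not ($_.MaxPwdAgeDays -is [string] -and $_.MaxPwdAgeDays -like 'unreachable:*') } |
    Select-Object -ExpandProperty MaxPwdAgeDays -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "maxPwdAge differs across DCs ($($distinct -join ', ')); check SYSVOL replication and the site link interval"
}
```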
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Wednesday, October 13, 2004 4:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replication - urgent triggers confirmation
I keep wading through lots of news group posts that keep citing the same 2 MS KB articles. I need a bit of confirmation....
1. Account lockout is an urgent rep trigger, but this only means intra-site.
2. For inter-site the lockout reps as per the schedule.
3. To get lockout to rep urgently inter-site you need to make some changes to the site link, however this has side effects. (Everything gets replicated when changes rather than per schedule?)
So if I lock my account out on a default site link set up it's going to take up to 3 hours to hit the other site. (Assuming everything is configured with out of the box schedules.)
I'm guessing that there's no way to make lockouts rep inter-site as urgent without any side effects. (If someone could fill me in on the side effects that'd be great as my eyes are starting to represent the google logo.)
Thanks,
Paul.
