Title: Message
I have not gotten an official verification, but my testing certainly bears it out.  I'm going to ping them again on it.
 
I agree 100% with your assessment of the brilliance of having those things replicate via both AD and FRS.
 
This original problem led us down a long and not-so-merry chase with PSS, during which one of the 'tests' they had us perform had some pretty nasty consequences that I don't want to discuss on-list right now...suffice it to say we have things pretty much put back together now.  They finally admitted that they were able to repro that issue, after telling us for a week that it couldn't possibly have caused the havoc that it did.  I'm hoping to get them to document it.
 
Dave
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 29, 2004 11:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication - urgent triggers confirmation

Did you ever get verification from PSS on your theory?
 
I would back your theory. I've seen similar and had the same theory. It can also be a pain if FRS is broken on one or two DCs, as you will ping-pong forever until FRS is fixed. I have always thought having domain policy that replicates both through FRS and AD replication is rather unintelligent. If they wanted it to replicate through FRS, they should have made the attributes non-replicating in AD. Of course then you have the ability to make a DC have a different policy than the rest of the DCs by purposely breaking FRS... So maybe these shouldn't be replicated in FRS...
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, October 13, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication - urgent triggers confirmation

That's all correct, with one addition: if an account is locked out at a DC other than the PDCE, it uses 'immediate replication' to tell the PDCE about it.  This does not wait for any schedule; it just happens.  There's a webcast transcript out there that details the various kinds of replication wrt password changes, lockouts, etc: http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fservicedesks%2fwebcasts%2fen%2fwc022703%2fwct022703.asp
 
Regarding 'side effects', I believe you're talking about Site Link Notification.  If Notification is enabled on a site link, notifications of changes are sent over that site link after the holdback period (5 min on Win2K, 15 sec on W2K3), just like they're sent to intrasite replication partners.  That definitely speeds up replication, but you lose any benefit of scheduled replication.  This may or may not be a big deal for you - depends on your available WAN bandwidth, change activity, etc.
 
We had a situation that forced us into enabling notification on our site links (single forest/single domain, hub/spoke topology) soon after we began deploying AD.  It's a long story.  Anyhow, we left it that way because we have no problems with it, and any changes to directory objects replicate everywhere very quickly.  We've had it that way over three years now.  Interestingly, we had MS come in and do an 'AD Health Check' this summer, and before they even looked at anything they said "we can speed up your AD replication convergence from hours to minutes!" When I asked what they had in mind, they started telling me about notification.  I told them we'd already been that way for 3 years, and they looked kind of disappointed - apparently that revelation has been a big Wow for many other accounts they've visited.  They have a tool that measures convergence time of AD changes to all DCs, and they like to show people how it goes from hours to minutes after they do their magic.
 
Anyhow, through all that we did learn of one negative side effect.  We had left the Site Link Interval at the default 180 minutes on all site links, figuring that it was moot with notification enabled.  As it turns out, FRS still obeys that interval, so changes to the SYSVOL can still take hours to get everywhere.  This was no big deal until we modified something in the Account Policies of the Default Domain Controllers Policy.  Some of the settings there (Max Password Age for example) set values for attributes on the Domain object.  When we changed this, we saw that value 'ping-pong' between the old and new values on many DCs for hours.  I theorized what was happening was that the new value on the domain object replicated to all DCs quickly (due to notification), but many DCs had the old value in their copy of the Default Domain Controllers Policy GPT in the sysvol.  When they reapplied their security policy, the value was set back, triggering another attribute value replication.  Eventually, once the sysvol on all DCs was up to date, the 'ping-ponging' damped out and all DCs had the correct value.
 
We're still working with PSS to validate this.  I can tell you, though, that I was able to reproduce it at will, until I set the replication interval on all site links down to the minimum (15 min).  After that, I can no longer make it 'ping-pong'.
 
If anyone else on the list has similar experiences, or can tell me that I'm all wrong (and why), I'd love to hear about it.
Dave
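The mechanism Dave describes above (attribute value racing between fast AD replication and a GPT that still crawls through FRS on the site-link interval, with each DC re-applying whatever its local GPT says) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread or from Microsoft: it is a toy discrete-time simulation with constructed parameters (six DCs, a 1-minute AD propagation time standing in for notification, and an assumed 5-minute DC policy refresh cadence staggered by DC index). Running it with the default 180-minute interval against the 15-minute minimum reproduces the effect the thread reports: the number of value flips and the time to convergence both drop sharply once FRS delivers the GPT sooner.

```python
"""Toy model of the Default Domain Controllers Policy 'ping-pong' from the thread.

A value set by the policy lives on the domain object (replicated quickly by AD
with notification) but is *sourced* from the GPT in SYSVOL (replicated by FRS,
which still obeys the site-link interval).  Every DC re-applies its own GPT on
its refresh tick, so DCs with a stale GPT keep writing the old value back.
All parameters and the topology are constructed for illustration.
"""
from dataclasses import dataclass

OLD, NEW = 0, 1


@dataclass
class Outcome:
    flips: int          # originating writes that changed the attribute value
    converged_at: int   # first minute when every DC holds NEW and nothing is in flight
    hub_history: list   # (minute, value) each time the hub DC's copy changed


def simulate(num_dcs=6, site_link_interval=180, ad_latency=1, gpo_refresh=5, horizon=1440):
    """DC 0 is the hub/PDCE where the GPO was edited at minute 0; DCs 1..n-1 are spokes.

    site_link_interval: minutes; what FRS honours.  Spoke i receives the new GPT at
                        its share of the interval (deterministic, for repeatability).
    ad_latency:         minutes for an attribute write to reach every DC (notification on).
    gpo_refresh:        assumed DC policy refresh cadence; each DC is staggered by its index.
    """
    attr = [OLD] * num_dcs                 # domain-object attribute as seen on each DC
    gpt = [NEW] + [OLD] * (num_dcs - 1)    # each DC's local SYSVOL copy of the GPT
    spokes = num_dcs - 1
    gpt_arrival = {i: max(1, round(site_link_interval * i / spokes)) for i in range(1, num_dcs)}
    pending = []                           # (arrival_minute, value) AD writes in flight
    flips = 0
    hub_history = [(0, attr[0])]

    for minute in range(horizon + 1):
        # 1. FRS delivers the GPT to spokes on the site-link schedule.
        for dc, when in gpt_arrival.items():
            if when == minute:
                gpt[dc] = NEW
        # 2. AD replication delivers in-flight writes; a later write in the same
        #    minute wins, standing in for timestamp-based conflict resolution.
        for _, value in [p for p in pending if p[0] == minute]:
            for dc in range(num_dcs):
                attr[dc] = value
        pending[:] = [p for p in pending if p[0] != minute]
        # 3. On its refresh tick each DC re-applies security policy from its own GPT.
        #    A mismatch is an originating write that must replicate to everyone else.
        for dc in range(num_dcs):
            if (minute - dc) % gpo_refresh == 0 and attr[dc] != gpt[dc]:
                attr[dc] = gpt[dc]
                flips += 1
                pending.append((minute + ad_latency, gpt[dc]))
        if attr[0] != hub_history[-1][1]:
            hub_history.append((minute, attr[0]))
        if all(v == NEW for v in attr) and all(v == NEW for v in gpt) and not pending:
            return Outcome(flips, minute, hub_history)
    raise RuntimeError("did not converge within horizon")


def compare(intervals=(180, 15)):
    """Run the model for each site-link interval and return {interval: Outcome}."""
    return {interval: simulate(site_link_interval=interval) for interval in intervals}


if __name__ == "__main__":
    for interval, out in compare().items():
        print(f"site-link interval {interval:3d} min: {out.flips:3d} flips, "
              f"converged at minute {out.converged_at}, "
              f"hub value changed {len(out.hub_history) - 1} times")
```

The two knobs the thread actually names map directly onto the model: `site_link_interval` is the Site Link Interval that FRS still honours, and `ad_latency` is what enabling notification buys for attribute replication. The model shows why shrinking the gap between the two channels (rather than speeding up AD replication alone) is what damps the oscillation, and the hub's `hub_history` is the sequence an observer watching the domain object on the PDCE would see.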
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Wednesday, October 13, 2004 4:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replication - urgent triggers confirmation

I keep wading through lots of newsgroup posts that keep citing the same 2 MS KB articles. I need a bit of confirmation....
 
# Account lockout is an urgent rep trigger, but this only means intra-site.
# For inter-site the lockout reps as per the schedule.
# To get lockout to rep urgently inter-site you need to make some changes to the site link, however this has side effects. (Everything gets replicated when it changes rather than per schedule?).
 
So if I lock my account out on a default site link set up it's going to take up to 3 hours to hit the other site. (Assuming everything is configured with out-of-the-box schedules.)
 
I'm guessing that there's no way to make lockouts rep inter-site as urgent without any side effects. (If someone could fill me in on the side effects that'd be great, as my eyes are starting to represent the Google logo.)
 
Thanks,
Paul.
