Thanks Bob and Michael. I forgot about Change Notification. I actually had it in the notes that I put together for this.
From: [email protected] [mailto:[email protected]] On Behalf Of Free Jr., Bob
Sent: Friday, September 11, 2015 5:18 PM
To: [email protected]
Subject: RE: [NTSysADM] DCs as DHCP Clients

> you can turn on Change Notification to get quicker replication.

I enabled Change Notification 10 years ago, it was a wonderful thing to see convergence pull in like that. It was also worth tweaking intra-site back then but not much anymore.[1]

Recommended Reading for those who are interested:

How the Active Directory Replication Model Works - Domain Controller Notification of Changes
https://technet.microsoft.com/en-us/library/Cc772726(v=WS.10).aspx#w2k3tr_repup_how_wrys

Enable Change Notification on a Site Link
https://technet.microsoft.com/en-us/library/bb727062.aspx#E0PC0AA

Keep in mind one of the elements of the “you are not smarter than the KCC” paradigm is that even if you enable change notification globally, manually created connections are not covered. This bites people frequently.
http://blogs.technet.com/b/askds/archive/2013/01/21/configuring-change-notification-on-a-manually-created-replication-partner.aspx

[1] Intra-site notification was 5 mins with 30 sec pause in W2K and changed to 15 sec / 3 sec in W2K3; I don’t recall seeing that being changed subsequently. Brian probably knows.
https://support.microsoft.com/en-us/kb/214678

Cliff’s notes for urgent replication:

“Certain important events trigger replication immediately, overriding existing change notification. Urgent replication is implemented immediately by using RPC/IP to notify replication partners that changes have occurred on a source domain controller. Urgent replication uses regular change notification between destination and source domain controller pairs that otherwise use change notification, but notification is sent immediately in response to urgent events instead of waiting the default period of 15 seconds.

- Assigning an account lockout, which a domain controller performs to prohibit a user from logging on after a certain number of failed attempts.
- Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA (for example, the password for a trust relationship).
- Changing the password on a domain controller computer account.
- Changing the relative identifier (known as a “RID”) master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.
- Changing the account lockout policy.
- Changing the domain password policy.”

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Friday, September 11, 2015 1:08 PM
To: [email protected]
Subject: RE: [NTSysADM] DCs as DHCP Clients

It’s called “urgent replication”, not “emergency replication”. And you can turn on Change Notification to get quicker replication.

Here is a source:
http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Friday, September 11, 2015 3:51 PM
To: [email protected]
Subject: RE: [NTSysADM] DCs as DHCP Clients

Brian Desmond is on this list, so he can say with authority… But as I remember, within a site, replication is very quick. Outside of a site, except in cases of “emergency replication” (e.g., password changes), the minimum is still 15 minutes.

There are no issues other than the IP address change for DCs. That affects DNS and, indirectly, clients trying to locate DCs.

From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Friday, September 11, 2015 3:36 PM
To: [email protected]
Subject: RE: [NTSysADM] DCs as DHCP Clients

Interesting. So even in Azure that’s the default. I just set up the first DC at AWS a few minutes ago and got the warning that the non-static configuration could cause problems for DNS, but I suppose that could be for the obvious problem of the IP address changing. It isn’t that I’m worried about the IP address changing, since there is a reservation in DHCP for the DCs, but I thought it may cause problems other than an IP address change.

Not to hijack my own thread, but while setting this up, I found that the lowest inter-site replication interval is still 15 minutes. These are Windows 2012 R2 DCs in domain/forest 2012 R2 functional mode. For some reason I thought it was possible to lower that to 5 minutes now.

Thanks.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Friday, September 11, 2015 2:38 PM
To: [email protected]
Subject: RE: [NTSysADM] DCs as DHCP Clients

I can’t speak to AWS but I do it in Azure. In Azure an IP address isn’t ever released/reassigned until you “Force Stop” a VM, which causes the IP, memory and vProcs to be deallocated from the VM. (Azure also has other options – this is just the default.)

From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Friday, September 11, 2015 2:33 PM
To: [email protected]
Subject: [NTSysADM] DCs as DHCP Clients

Has anyone had to run domain controllers as DHCP clients? Someone from another one of our IT groups has provisioned some servers at AWS for Citrix and the proposal is to add a couple of DCs there. He says “All AWS instances should always be DHCP clients”. I think of this as a bad practice, but I would think that if it’s the standard at AWS, then lots of others are doing the same. So even better would be if I could hear from someone who does have DCs at AWS.

I have cloned DCs in an isolated test network, which we regularly use for testing. I’ll be connecting those to the DCs I’m building at AWS for testing before even attempting this in production. Even if I have no problems in testing, I am leery to do this in prod.

Charlie Sullivan
Sr. Windows Systems Administrator
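The two settings Bob's reply above turns on (change notification on an inter-site site link, and the manually created connection objects that the site-link setting does not reach), as an added PowerShell example that is not part of the thread and is not Microsoft's or the list's code. It assumes the RSAT ActiveDirectory module, an account that can write the Configuration partition, and the bit values of the `options` attribute as defined in MS-ADTS (siteLink: USE_NOTIFY = 0x1; nTDSConnection: IS_GENERATED = 0x1, OVERRIDE_NOTIFY_DEFAULT = 0x4, USE_NOTIFY = 0x8). The site link name and connection DN in the commented usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example; not from the thread or from Microsoft documentation.
# Assumes RSAT ActiveDirectory and rights to modify the Configuration NC.
# Bit values follow the MS-ADTS definitions of the 'options' attribute.
Import-Module ActiveDirectory

$SITELINK_USE_NOTIFY          = 0x1   # siteLink: replicate on change, not only on schedule
$CONN_IS_GENERATED            = 0x1   # nTDSConnection: created by the KCC (absent = manual)
$CONN_OVERRIDE_NOTIFY_DEFAULT = 0x4   # nTDSConnection: honour the USE_NOTIFY bit below
$CONN_USE_NOTIFY              = 0x8   # nTDSConnection: use change notification on this connection

$configNC     = (Get-ADRootDSE).configurationNamingContext
$ipLinkBase   = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# List every IP site link with its schedule interval and whether notification is on.
function Get-SiteLinkNotificationState {
    Get-ADObject -SearchBase $ipLinkBase -LDAPFilter '(objectClass=siteLink)' `
                 -Properties options, replInterval |
        ForEach-Object {
            $opts = [int]$_.options                  # unset attribute -> $null -> 0
            [pscustomobject]@{
                Name                = $_.Name
                ReplIntervalMinutes = $_.replInterval    # the scheduled floor (15 in the GUI)
                ChangeNotification  = (($opts -band $SITELINK_USE_NOTIFY) -ne 0)
                DistinguishedName   = $_.DistinguishedName
            }
        }
}

# Set USE_NOTIFY on one site link without disturbing its other option bits.
function Enable-SiteLinkChangeNotification {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $link = Get-ADObject -SearchBase $ipLinkBase -Properties options `
                         -LDAPFilter "(&(objectClass=siteLink)(name=$Name))"
    if (-not $link) { throw "Site link '$Name' not found under $ipLinkBase" }
    $new = ([int]$link.options) -bor $SITELINK_USE_NOTIFY
    if ($PSCmdlet.ShouldProcess($link.DistinguishedName, "set options=$new (USE_NOTIFY)")) {
        Set-ADObject -Identity $link -Replace @{ options = $new }
    }
}

# Manually created connection objects (no IS_GENERATED bit) that still lack USE_NOTIFY.
# The site-link setting does not cover these; they keep replicating on schedule only.
function Get-ManualConnectionsWithoutNotify {
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSConnection)' `
                 -Properties options, fromServer |
        Where-Object {
            $o = [int]$_.options
            (($o -band $CONN_IS_GENERATED) -eq 0) -and (($o -band $CONN_USE_NOTIFY) -eq 0)
        } |
        Select-Object DistinguishedName, fromServer, options
}

# Turn on notification for one manual connection: both OVERRIDE_NOTIFY_DEFAULT and
# USE_NOTIFY are needed, otherwise the transport default (no notify) still applies.
function Enable-ManualConnectionNotify {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $conn = Get-ADObject -Identity $DistinguishedName -Properties options
    $new  = ([int]$conn.options) -bor $CONN_OVERRIDE_NOTIFY_DEFAULT -bor $CONN_USE_NOTIFY
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "set options=$new (OVERRIDE_NOTIFY_DEFAULT|USE_NOTIFY)")) {
        Set-ADObject -Identity $conn -Replace @{ options = $new }
    }
}

# Review first; apply with -WhatIf before committing.
Get-SiteLinkNotificationState       | Format-Table -AutoSize
Get-ManualConnectionsWithoutNotify  | Format-Table -AutoSize
# Enable-SiteLinkChangeNotification -Name 'DEFAULTIPSITELINK' -WhatIf
# Enable-ManualConnectionNotify -DistinguishedName '<connection DN from the list above>' -WhatIf
```

The two Enable functions use `-bor` rather than assigning a literal so that any other bits already set on the object (two-way sync, compression disabled, user-owned schedule) survive. After the site-link change the KCC rebuilds its own inter-site connections to use notification on its next pass; the manual ones are exactly the list the second function prints, which is the case the askds link in Bob's reply is about.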
