In Windows Server 2003 Active Directory domains, there is a concept of immediate and urgent replication. Certain types of information gets replicated immediately, rather than waiting for the standard Active Directory replication. One such example is user account lockout. If an administrator locks a user account, the information is replicated to the PDC emulator immediately. Microsoft recommends that you define account lockout and password policies in only one Group Policy object (GPO) for every domain (in the Default Domain policy settings).
Microsoft explains the concepts of immediate and urgent replications in this TechNet article:
Account lockout relies on the replication of lockout information between domain controllers to ensure that all domain controllers are notified of an accounts status. In addition, password changes must be communicated to all domain controllers to ensure that a user’s new password is not considered incorrect. This data replication is accomplished by the various replication features of Active Directory and is also discussed in this section.
When you change a password, it is sent over Netlogon’s secure channel to the PDC operations master. Specifically, the domain controller makes a remote procedure call (RPC) to the PDC operations master that includes the user name and new password information. The PDC operations master then locally stores this value.
Immediate replication between Windows 2000 domain controllers is caused by the following events:
- Lockout of an account
- Modification of a Local Security Authority (LSA) secret
- State changes of the Relative ID (RID) Manager
Active Directory replication occurs between domain controllers when directory data is updated on one domain controller and that update is replicated to all other domain controllers. When a change in directory data occurs, the source domain controller sends out a notice that its directory store now contains updated data. The domain controller’s replication partners then send a request to the source domain controller to receive those updates. Typically, the source domain controller sends out a change notification after a delay. This delay is governed by a notification delay. (The Windows 2000 default notification delay is 5 minutes; the Windows Server 2003 default notification delay is 15 minutes.) However, any delay in replication can result in a security risk for certain types of changes. Urgent replication ensures that critical directory changes are immediately replicated, including account lockouts, changes in the account lockout policy, changes in the domain password policy, and changes to the password on a domain controller account. With urgent replication, an update notification is sent out immediately, regardless of the notification delay. This design allows other domain controllers to immediately request and receive the critical updates. Note, however, that the only difference between urgent replication and typical replication is the lack of a delay before the transmission of the change notification. If this does not occur, urgent replication is identical to standard replication. When replication partners request and subsequently receive the urgent changes, they receive, in addition, all pending directory updates from the source domain controller, and not only the urgent updates.
When either an administrator or a delegated user unlocks an account, manually sets password expiration on a user account by clicking User Must Change Password At Next Logon, or resets the password on an account, the modified attributes are immediately replicated to the PDC emulator operations master, and then they are urgently replicated to other domain controllers that are in the same site as the PDC emulator. By default, urgent replication does not occur across site boundaries. Because of this, administrators should make manual password changes and account resets on a domain controller that is in that user’s site.
The following events are not urgent replications in Windows 2000 domains:
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a computer account
- Domain trust passwords
Note: There is an error in TechNet’s article quoted above. The default notification delay for Windows Server 2003 listed under Urgent Replication should be 15 seconds, not 15 minutes, as pointed out by Rickard Nobel. The KB article 214678 confirms that the default notification period is 15 seconds in Windows Server 2003.
Copyright ©2002-2013 Zubair Alexander. All rights reserved.
|« Jun||Aug »|
26 queries. 0.487 seconds