Urgent Replication Triggers in Windows 2000

ID: Q232690


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

The majority of Active Directory replication in Windows 2000 takes place at predefined intervals. However, select changes to objects in Active Directory must take place immediately to allow for proper administration of a domain. This article describes Urgent Replication events as they pertain to Windows 2000 domains, Windows 2000 and Microsoft Windows NT 4.0 mixed-domain environments, and password changes.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Urgent Replication Events

Urgent Replication in Windows 2000 Beta 3

In Windows 2000 Beta 3, Urgent Replication events are replicated only among domain controllers in the same site. Urgent Replication is implemented by immediately notifying replication partners to collect the changes. Because change notifications are not propagated across inter-site connections (site links) in Beta 3, urgent replication is intra-site only.

Urgent Replication in Windows 2000 (Release Version)

Windows 2000 (release version) allows for change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This allows urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site.

Windows 2000 Domains Only

Immediate replication between Windows 2000 domain controllers consists of the following events:
  • Replicating a newly locked-out account
  • Changing an LSA secret
  • RID Manager state changes
The following events are not urgent replications in Windows 2000 domains:
  • Changing the account lockout policy
  • Changing the domain password policy
  • Changing the password on a machine account
  • Inter-domain trust passwords (trusts between domain A and B)

Windows 2000 and Windows NT 4.0 Mixed-Domain Environment

Windows NT 4.0 backup domain controllers interoperate with Windows 2000 domain controllers in mixed mode (more specifically, with the PDC FSMO role owner). The following events are replicated immediately from the Windows 2000 primary domain controller (PDC) Flexible Single Master Operation (FSMO) to the Windows NT 4.0 backup domain controllers (BDCs):
  • Replicating a newly locked out account
  • Changing an LSA secret
  • Inter-domain trust passwords (trusts between domain A and B)
The following events are considered to be urgent replication changes in Windows NT 4.0 domains only. These events are included for completeness.
  • Replicating a newly locked out account
  • Changing an LSA secret
  • Changing the account lockout policy
  • Changing the domain password policy
  • Changing the password on a machine account

Password Replication in Windows 2000

Changes to account passwords can be made at any domain controller because all full replicas of a given domain are writable. This differs from Windows NT 4.0 and earlier versions, in which password changes were made at the PDC for the domain, the only writable replica of the Security Account Manager (SAM) database in Windows NT 4.0. This can lead to unexpected behavior when a user changes a password at domain controller "A" and then attempts to log on with authentication by domain controller "B." If the password has not yet been replicated from "A" to "B," the logon attempt does not succeed. In Windows NT 4.0, if authentication does not succeed at a BDC, the authentication request is remoted to the PDC. Windows 2000 exhibits similar behavior, as follows:
  • A password change by a Directory Service-aware client at a domain controller is "pushed" by that domain controller to the PDC FSMO role owner on a best-effort basis. This push of the password to the PDC can be disabled on WAN links with the following registry value:
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Registry value : AvoidPdcOnWan
    Registry type : REG_DWORD
    Registry value data : 0 (or value not present) or 1
    FALSE = 0 or value not present (AvoidPdcOnWan disabled; the password is pushed to the PDC)
    TRUE = 1 (AvoidPdcOnWan enabled; the push to the PDC is suppressed)
    Default : (value is not present)
    Platform : Only Windows 2000 Domain Controllers

  • The password change is propagated to the other domain controllers in the domain on the normal replication schedule.
  • When authentication does not succeed at a domain controller other than the PDC FSMO role owner, the request is retried at the PDC FSMO role owner.
  • Down-level clients attempt to contact the PDC to make a password change as they do in Windows NT 4.0.
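The password-change and logon sequence described above, as an added model (not Microsoft code): a domain with writable replicas, a best-effort push to the PDC FSMO role owner that the AvoidPdcOnWan setting suppresses, scheduled replication, and the retry at the PDC when local authentication fails. Domain controller names, the version counter and the SHA-256 stand-in for the stored credential are constructed for illustration.

```python
import hashlib

def _h(pw):
    """Stand-in for the stored credential: a SHA-256 digest (constructed; not the real format)."""
    return hashlib.sha256(pw.encode()).hexdigest()

class Domain:
    """Domain controllers holding full writable replicas; one is the PDC FSMO role owner."""

    def __init__(self, dcs, pdc, avoid_pdc_on_wan=False):
        self.replicas = {dc: {} for dc in dcs}    # dc -> {user: (version, digest)}
        self.pdc = pdc
        self.avoid_pdc_on_wan = avoid_pdc_on_wan  # models Netlogon AvoidPdcOnWan = 1
        self.log = []

    def _version(self, user):
        return max((r[user][0] for r in self.replicas.values() if user in r), default=0)

    def change_password(self, dc, user, new_pw):
        """A DS-aware client changes a password at any DC (all replicas are writable)."""
        entry = (self._version(user) + 1, _h(new_pw))
        self.replicas[dc][user] = entry
        self.log.append(f"{dc}: wrote new password for {user}")
        # Best-effort push to the PDC FSMO, unless AvoidPdcOnWan disables it.
        if dc != self.pdc and not self.avoid_pdc_on_wan:
            self.replicas[self.pdc][user] = entry
            self.log.append(f"{dc}: pushed {user}'s password to PDC {self.pdc}")

    def replicate(self):
        """Normal scheduled replication: every replica converges on the newest version."""
        users = {u for r in self.replicas.values() for u in r}
        for user in users:
            newest = max((r[user] for r in self.replicas.values() if user in r), key=lambda e: e[0])
            for r in self.replicas.values():
                r[user] = newest

    def authenticate(self, dc, user, pw):
        """Returns (success, validating_dc). A failure at a non-PDC DC is retried at the PDC."""
        if self.replicas[dc].get(user, (0, None))[1] == _h(pw):
            return True, dc
        if dc != self.pdc and self.replicas[self.pdc].get(user, (0, None))[1] == _h(pw):
            self.log.append(f"{dc}: local auth failed for {user}; retried at PDC {self.pdc}")
            return True, self.pdc
        return False, None

if __name__ == "__main__":
    d = Domain(["DC-A", "DC-B", "DC-PDC"], "DC-PDC")
    d.change_password("DC-A", "alice", "Winter2000!")
    print(d.authenticate("DC-B", "alice", "Winter2000!"))  # (True, 'DC-PDC'): chained to PDC
```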

Additional query words:

Keywords : kbenv kbnetwork
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 30, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.