Is selective replication possible?


  • Is selective replication possible?

    We're planning a nation-wide password change soon. We intend to implement complex passwords as well as new Min & Max expiry values.

    I have two questions which I hope you can help me with:

    Q1.. We have systems in HO (which use AD to authorise user logons via LDAP) which are used by all users around the country. If a user is in, say CityA, when he changes his password on next logon, his credentials will be replicated thru one gateway replicator server in CityB which will then replicate to Head Office in CityC.

    The replication b/w cities is set to around 60 minutes, so the replication of the user's password change will take around 120 minutes to get to HO. Thus, when the user logs on in CityA, he will not be able to access the systems in CityC for 120 minutes.

    Is there a solution to this problem?

    Q2.. A few of our workstations, mainly those in the warehouses around the country, have autologon enabled using a location-specific AD username. If we set these usernames to change password on next logon, the workstations are going to stop auto logging on.

    Is there a way around this remembering that we are required to change all username passwords?

    Thanks
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Re: Is selective replication possible?

    Password changes are subject to immediate replication to the PDC emulator of the domain via NETLOGON secure channel. In addition the change is replicated using "urgent replication" to all the DCs in the site in which the password change was initiated. The rest of the replication is achieved using the standard replication cycle.

    In addition, when the DC you are trying to authenticate to notices that the password is not correct (the change has not yet replicated to this DC), it consults the PDCE FSMO (and the password change is already there), so in your case there is not much you should do - the AD will take care of the described scenario.

    The process of consulting the PDCE is called PDC chaining. Google a bit and you will find a ton of information about it.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: Is selective replication possible?

      GuyT,

      the change is replicated using "urgent replication" to all the DCs in the site in which the password change was initiated
      This indicates to me that the immediate replication will only occur within the same site. In my case, the various cities are within separate sites, so would it still take like 120 minutes for a password change to replicate from SiteA to SiteB then to HO in SiteC?
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |



      • #4
        Re: Is selective replication possible?

        Originally posted by JDMils
        This indicates to me that the immediate replication will only occur within the same site.
        There is a difference between immediate and urgent replication.
        Consider the following:
        DCSITEA1 - the DC the password is changed on
        DCSITEA2 - additional DC in the site the password is changed at
        DCSITEB1 - DC in another branch site
        PDCHQ1 - PDC emulator in HQ

        DCSITEA1<->PDCHQ1 - immediate replication
        DCSITEA1<->DCSITEA2 - urgent replication
        PDCHQ1<->DCSITEB1 - regular scheduled replication

        What you are missing is the PDC chaining. The password does not have to be replicated to DCSITEB1 in order to be able to log on at SITEB with the new password. If DCSITEB1 *thinks* that the password is not correct, it asks the PDC emulator (to which the password change was replicated immediately).
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
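
One way to observe the behaviour described in post #4 on a live domain, as an added example that is not part of the original thread: after changing a test account's password, compare `pwdLastSet` on every DC to see that the PDC emulator already holds the change while DCs in other sites still wait for scheduled replication. It assumes the ActiveDirectory (RSAT) PowerShell module; the account name `jsmith` is a placeholder.

```powershell
# Added example: shows which DCs already hold the latest password change.
# Assumes the ActiveDirectory module is installed and the caller can read user objects.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'   # placeholder: a test account whose password was just changed

# FQDN of the DC holding the PDC emulator role for the current domain
$pdce = (Get-ADDomain).PDCEmulator

# Ask each DC directly (-Server) so we read its local replica, not a referral
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    $stamp = $null
    $err   = $null
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet -ErrorAction Stop
        # pwdLastSet is a Windows FILETIME; 0 means "must change at next logon"
        $stamp = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    } catch {
        $err = $_.Exception.Message   # unreachable DC, missing account, etc.
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        IsPDCE        = ($dc.HostName -eq $pdce)
        PwdLastSetUtc = $stamp
        Error         = $err
    }
}

# Newest timestamp seen on any reachable DC
$newest = ($rows | Where-Object { $_.PwdLastSetUtc } |
           Sort-Object PwdLastSetUtc -Descending |
           Select-Object -First 1).PwdLastSetUtc

# Flag each replica as current or stale relative to that newest value
$rows |
    Select-Object DC, Site, IsPDCE, PwdLastSetUtc,
        @{ Name = 'HasLatest'; Expression = { $_.PwdLastSetUtc -eq $newest } },
        Error |
    Sort-Object Site, DC |
    Format-Table -AutoSize
```

A DC that shows `HasLatest = False` has not yet received the change through replication; per the thread, a logon with the new password at that DC is still resolved by forwarding the failed check to the PDC emulator.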



        • #5
          Re: Is selective replication possible?

          Thanks Guy,

          Exactly what I needed to know.
          |
          +-- JDMils
          |
          +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
          |
