Urgent replication triggers in Windows 2000 (232690)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q232690.

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SUMMARY
The majority of Active Directory replication in Windows
2000 takes place at predefined intervals. However, select changes to objects in
Active Directory must take place immediately to allow for proper administration
of a domain. This article describes urgent replication events as they pertain
to Windows 2000 domains, Windows 2000 and Microsoft Windows NT 4.0 mixed-domain
environments, and password changes.

MORE INFORMATION
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Urgent replication events

Urgent replication in Windows 2000 (release version)
Windows 2000 (release version) enables change notifications to
propagate across inter-site connections. This is administratively configured on
each site-link. Enabling change notifications across site-links propagates all
change notifications. This enables urgent changes and all other replication
events to propagate to a remote site with the same frequency as within the
source site.
- Urgent replication is a replication mechanism.
- The default behavior for urgent replication is to not cross
site boundaries due to the scope of replication.
- Inter-site urgent replication occurs when change
notifications are enabled on site links (already discussed in this
article).
Password resets
Passwords for user and computer accounts are reset in the Users and Computers
snap-in. When passwords are changed in Windows 2000, they are not replicated
urgently. However, when a password is changed, it is "pushed" to the primary
domain controller (PDC). "Pushed" means that the password is sent over NETLOGON's
secure channel to the PDC. Specifically, the backup domain controller (BDC)
makes a remote procedure call (RPC) to the PDC that indicates the user and
the user's new password. The PDC then sets this value locally. This push
mechanism is independent of Windows 2000 replication.
For additional information about urgent
replication, click the following article number to view the article in the Microsoft Knowledge Base:
306133
Account unlocks and manual password expirations are not replicated urgently.

Windows 2000 domains only
Urgent replication between Windows 2000 domain controllers
consists of the following events:
- Replicating a newly locked-out account
- Changing an LSA secret
- RID Manager state changes
The following events are not urgent replications in Windows
2000 domains:
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a machine account
- Inter-domain trust passwords (trusts between domain A and
B)
Windows 2000 and Windows NT 4.0 mixed-domain environment
Windows NT 4.0 backup domain controllers interoperate with
Windows 2000 domain controllers in mixed mode (more specifically, with the PDC
FSMO role owner). The following events are replicated immediately from the
Windows 2000 PDC Flexible Single Master Operation (FSMO) to the Windows NT 4.0
BDCs:
- Replicating a newly locked out account
- Changing an LSA secret
- Inter-domain trust passwords (trusts between domain A and
B)
The following events are considered to be urgent replication
changes in Windows NT 4.0 domains only. These events are included for
completeness.
- Replicating a newly locked out account
- Changing an LSA secret
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a machine account
Password replication in Windows 2000
Changes to account passwords can be made at any domain controller
because all full replicas of a given domain are writable. This differs from
Windows NT 4.0 and earlier versions, in which password changes were made at the
PDC for the domain. This is the only writable replica of the Security Account
Manager (SAM) in Windows NT 4.0. This can lead to unexpected behavior when a
password is changed by a user at domain controller "A" who then attempts to log
on with authentication by domain controller "B." If the password has not been
replicated from "A" to "B," the logon attempt does not succeed. In Windows NT
4.0, if authentication does not succeed at the BDC, the authentication is
remoted to the PDC. Windows 2000 exhibits similar behavior, as follows:
- A password change by a Directory Service-aware client at a
domain controller is "pushed" by that domain controller to the PDC FSMO role
owner on a best-effort basis. This push of the password to the PDC can be
disabled on WAN links with the following registry value:
  Key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  Value name: AvoidPdcOnWan
  Value type: REG_DWORD
  Value data: 0 (or value not present) or 1
    FALSE = 0 or value not present (AvoidPdcOnWan is disabled; the password is pushed to the PDC)
    TRUE = 1 (AvoidPdcOnWan is enabled; the password is not pushed to the PDC)
  Default: value is not present
  Platform: Windows 2000 domain controllers only
- The password change is propagated to other domain
controllers in the domain using normal replication values.
- When authentication does not succeed at a domain controller
other than the PDC FSMO role owner, the request is retried at the PDC FSMO role
owner.
- Down-level clients attempt to contact the PDC to make a
password change as they do in Windows NT 4.0.
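As an added illustration (not part of this article), the following Python model simulates the steps above: a password change taken at one domain controller, the best-effort push to the PDC FSMO role owner, the retry of a failed logon at the PDC, and the effect of setting AvoidPdcOnWan to 1. The DC names, the in-memory replicas and the replication cycle are constructed for the model.

```python
class DomainController:
    """One writable replica of the domain, as in Windows 2000 (constructed model)."""

    def __init__(self, name, is_pdc=False):
        self.name = name
        self.is_pdc = is_pdc
        self.passwords = {}  # user -> password held by this replica

    def authenticate(self, user, password):
        return self.passwords.get(user) == password


class Domain:
    def __init__(self, dc_names, pdc_name, avoid_pdc_on_wan=0):
        self.dcs = {n: DomainController(n, n == pdc_name) for n in dc_names}
        self.pdc = self.dcs[pdc_name]
        # Models the Netlogon AvoidPdcOnWan value: 1 suppresses the push to the PDC.
        self.avoid_pdc_on_wan = avoid_pdc_on_wan
        self.pending = []  # changes waiting for the next normal replication cycle

    def change_password(self, at_dc, user, new_password):
        dc = self.dcs[at_dc]
        dc.passwords[user] = new_password
        # Best-effort push over the secure channel to the PDC FSMO role owner.
        if not dc.is_pdc and self.avoid_pdc_on_wan != 1:
            self.pdc.passwords[user] = new_password
        # Every other DC learns the change only through normal replication.
        self.pending.append((user, new_password))

    def replicate(self):
        # A normal replication cycle: all replicas converge on the pending changes.
        for user, password in self.pending:
            for dc in self.dcs.values():
                dc.passwords[user] = password
        self.pending.clear()

    def logon(self, at_dc, user, password):
        # A failed authentication at a non-PDC DC is retried at the PDC FSMO owner.
        dc = self.dcs[at_dc]
        if dc.authenticate(user, password):
            return True
        if not dc.is_pdc:
            return self.pdc.authenticate(user, password)
        return False
```

With the push enabled, a logon at a DC that has not yet replicated the change still succeeds via the PDC; with AvoidPdcOnWan set to 1 it fails until the next normal replication cycle.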
Modification Type: Major
Last Reviewed: 12/20/2004
Keywords: kbenv kbinfo kbnetwork KB232690