Microsoft KB Archive/272476

= Users and Group Replication Is Not in Synchronization with LSA Changes =

Article ID: 272476

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q272476



SYMPTOMS
When you revise user and group rights, set user rights assignments, and then replicate these changes, a different domain controller shows that the user and group rights changes have arrived but the corresponding group policy updates are not yet registered on that target server.

You can check for this issue by using the Replmon.exe tool in Windows 2000 Support Tools:


 1. Add the replication target server to the watch list.
 2. Right-click the server name and click Show Group Policy Object Status.



CAUSE
A program uses Windows NT 4.0 APIs to manipulate user and group accounts and to communicate with the Local Security Authority (LSA) of a domain to set user rights assignments against the primary domain controller (PDC) emulator in Windows 2000.

Because Windows NT 4.0 replicates both types of changes using the same replication engine, the changes arrive at backup domain controllers (BDCs) at the same time. In Windows 2000, LSA security changes that are made on the domain controller are stored in the Default Domain Controllers group policy object, which is a separate store with its own replication engine.

Windows 2000 directory changes are replicated by using remote procedure call (RPC) between domain controllers and following the replication topology and schedule that is stored in the configuration naming context. You can view this context by using the Active Directory Sites and Services snap-in.

File Replication service (FRS) uses the same information to replicate the group policy information. However, differences between Active Directory and FRS replication cause group policy changes to arrive at the target server later.



MORE INFORMATION
The following differences exist between Active Directory and FRS replication:


 * Active Directory replicates only the attributes that are changed. Therefore, the changes are usually small and take little time to transfer. FRS, however, works at file granularity and usually has larger amounts of data to handle.
 * When you make a change in Active Directory, Active Directory receives an Update Sequence Number (USN). When two domain controllers replicate, all the attributes that were changed since the last replication cycle are sent to the target server. If an attribute has been changed several times, only the most recent version is sent. However, FRS picks up the latest copy of a file immediately after the modified file has been closed. If a file has been modified and closed more than once between replication cycles, the file is sent to the target server several times.
 * During a replication cycle, the Active Directory replication engine compresses data for intersite replication if the data exceeds a certain size. FRS currently does not compress file data when it is transferred.

As a result of the preceding differences, FRS replication is more vulnerable to networking problems, which can delay replication further.
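To make the difference concrete, the following added simulation (not Microsoft code; the domain, file name and sizes are constructed) replays one administrative change edited three times before a single replication cycle: the USN-based attribute engine sends the latest value once, while the file-close engine ships the whole GptTmpl.inf for every close.

```python
# Added simulation, not Microsoft code; all names and sizes are constructed.
from dataclasses import dataclass, field

@dataclass
class ADReplica:
    """Attribute store; a partner pulls only attributes whose USN exceeds its
    last high-watermark, and only the latest value of each."""
    usn: int = 0
    attrs: dict = field(default_factory=dict)  # attribute -> (usn, value)

    def set_attr(self, name, value):
        self.usn += 1  # every change, even to the same attribute, takes a new USN
        self.attrs[name] = (self.usn, value)

    def pull(self, partner, watermark):
        """One replication cycle; returns (transfers, bytes, new_watermark)."""
        changed = {n: v for n, (u, v) in self.attrs.items() if u > watermark}
        partner.attrs.update({n: (self.usn, v) for n, v in changed.items()})
        return (1 if changed else 0), sum(len(v) for v in changed.values()), self.usn

@dataclass
class FRSReplica:
    """File store; every close of a modified file queues a whole-file copy."""
    files: dict = field(default_factory=dict)
    outbound: list = field(default_factory=list)

    def write_and_close(self, path, content):
        self.files[path] = content
        self.outbound.append((path, content))

    def replicate(self, partner):
        """Drain the outbound queue to the partner; returns (transfers, bytes)."""
        transfers, sent = 0, 0
        while self.outbound:
            path, content = self.outbound.pop(0)
            partner.files[path] = content
            transfers, sent = transfers + 1, sent + len(content)
        return transfers, sent

def scenario(edits=3):
    """Edit one group membership and the matching GptTmpl.inf `edits` times, then
    run one replication cycle of each engine; the .inf is a constructed ~1 KB file."""
    pdc_ad, dc2_ad, pdc_frs, dc2_frs = ADReplica(), ADReplica(), FRSReplica(), FRSReplica()
    for i in range(1, edits + 1):
        pdc_ad.set_attr("member", f"CN=User{i},CN=Users,DC=example,DC=com")
        pdc_frs.write_and_close("GptTmpl.inf", f"[General]\nVersion={i}\n" + "x" * 1000)
    ad_transfers, ad_bytes, _ = pdc_ad.pull(dc2_ad, watermark=0)
    frs_transfers, frs_bytes = pdc_frs.replicate(dc2_frs)
    assert dc2_ad.attrs == pdc_ad.attrs and dc2_frs.files == pdc_frs.files  # both converge
    return ad_transfers, ad_bytes, frs_transfers, frs_bytes
```

Both engines end with the second DC holding the final state, but the FRS side moved three full files where Active Directory moved one 35-byte attribute value.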

