Microsoft KB Archive/232690

= Urgent replication triggers in Windows 2000 =

Article ID: 232690

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition

-



This article was previously published under Q232690



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
The majority of Active Directory replication in Windows 2000 takes place at predefined intervals. However, select changes to objects in Active Directory must take place immediately to allow for proper administration of a domain. This article describes urgent replication events as they pertain to Windows 2000 domains, Windows 2000 and Microsoft Windows NT 4.0 mixed-domain environments, and password changes.



MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Urgent replication in Windows 2000 (release version)
Windows 2000 (release version) enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site.
 * 1) Urgent replication is a replication mechanism.
 * 2) The default behavior for urgent replication is to not cross site boundaries due to the scope of replication.
 * 3) Inter-site urgent replication occurs when change notifications are enabled on site links (already discussed in this article).

New Scenario: Cover password resets reset passwords for users and computer accounts in the Users and Computers snap-in.

When passwords are changed in Windows 2000 they are not replicated urgently. However, when a password is changed, it is "pushed" to the primary domain controller (PDC). "Pushed" means that the password is sent over NETLOGON's secure channel to the PDC. Specifically, the backup domain controller (BDC) makes a remote procedure call (RPC) to the PDC, which indicates the user and the users new password. The PDC then sets this value locally. This push mechanism is independent of Windows 2000 replication. For more information about urgent replication, click the following article number to view the article in the Microsoft Knowledge Base:

306133 Account unlocks and manual password expirations are not replicated urgently

Windows 2000 domains only
Urgent replication between Windows 2000 domain controllers consists of the following events:
 * Replicating a newly locked-out account
 * Changing an LSA secret
 * RID Manager state changes

The following events are not urgent replications in Windows 2000 domains:
 * Changing the account lockout policy
 * Changing the domain password policy
 * Changing the password on a machine account
 * Inter-domain trust passwords (trusts between domain A and B)

Windows 2000 and Windows NT 4.0 mixed-domain environment
Windows NT 4.0 backup domain controllers interoperate with Windows 2000 domain controllers in mixed mode (more specifically, with the PDC FSMO role owner). The following events are replicated immediately from the Windows 2000 PDC Flexible Single Master Operation (FSMO) to the Windows NT 4.0 BDCs:
 * Replicating a newly locked out account
 * Changing an LSA secret
 * Inter-domain trust passwords (trusts between domain A and B)

The following events are considered to be urgent replication changes in Windows NT 4.0 domains only. These events are included for completeness.
 * Replicating a newly locked out account
 * Changing an LSA secret
 * Changing the account lockout policy
 * Changing the domain password policy
 * Changing the password on a machine account

Password replication in Windows 2000
Changes to account passwords can be made at any domain controller because all full replicas of a given domain are writable. This differs from Windows NT 4.0 and earlier versions, in which password changes were made at the PDC for the domain. This is the only writable replica of the Security Account Manager (SAM) in Windows NT 4.0. This can lead to unexpected behavior when a password is changed by a user at domain controller "A" who then attempts to log on with authentication by domain controller "B." If the password has not been replicated from "A" to "B," the logon attempt does not succeed. In Windows NT 4.0, if authentication does not succeed at the BDC, the authentication is remoted to the PDC. Windows 2000 exhibits similar behavior, as follows:  A password change by a Directory Service-aware client at a domain controller is "pushed" by that domain controller to the PDC FSMO role owner on a best-effort basis. This push of the password to the PDC can be disabled on WAN links with the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry value : AvoidPdcOnWan

Registry type : REG_DWORD

Registry value data : 0 (or value not present) or 1

FALSE = 0 or value not present (to disable)

TRUE = 1 (to enable)

Default : (value is not present)

Platform : Only Windows 2000 Domain Controllers

 The password change is propagated to other domain controllers in the domain using normal replication values. When authentication does not succeed at a domain controller other than the PDC FSMO role owner, the request is retried at the PDC FSMO role owner. Down-level clients attempt to contact the PDC to make a password change as they do in Windows NT 4.0.

Keywords: kbinfo kbenv kbnetwork KB232690

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.