


Making Active Directory changes atomic










5















I've got a Windows 2003 Active Directory infrastructure, and there are times (such as when terminating an employee) that I want instantaneous propagation across both of my AD servers. Currently, I make the change in both places, which I suspect is unhealthy, but it's the only way I know to make sure that the account is disabled to every machine.



Is there a better way? Do I have to wait for the normal propagation time for convergence, or is there a way to "force" it?










      active-directory replication windows-server-2003














edited Apr 6 '10 at 16:31 by Ryan Fisher
asked Aug 12 '09 at 15:08 by Matt Simmons




















          6 Answers


















          8














          If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
          alt text
          (source: sysadmin1138.net)






          share|improve this answer

























          • Bang on! Always make the first change on the users local DC will also help.

            – Kip
            Aug 12 '09 at 15:32











          • This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

            – Ryan Fisher
            Apr 6 '10 at 16:32


















          8














          There is an even easier change. Just reset the users password. That is one of the few instant replications that AD performs. No need to run site replication



          EDIT:



          Small edit. It's not completely instant. What is does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles)



          however, it's probably about as close to instant that you can get with AD.






          share|improve this answer

























          • Good thinking. I like this.

            – phuzion
            Aug 12 '09 at 15:52











          • Nice! that works for when my non techie staff need to do this

            – Kip
            Aug 12 '09 at 15:53











          • +1 This is the best option for the small one-offs such as when terminating an employee.

            – squillman
            Aug 12 '09 at 15:55











          • To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

            – mfinni
            Apr 6 '10 at 17:33


















          3














          Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.



          Note: Each connection will tell you the From Server and To Server for the replication.



          Note: Obviously, start the first replication From the DC you made the change on.



          If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.



          To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:



          REPADMIN /replicate DC1.yourdomain.loc DC2.yourdomain.loc dc=yourdomain,dc=loc /u:yourdomainyour_domain_admin_account


          To find out the replication partnerships for a specific DC from the command line type the following:



          REPADMIN /showrepl DC1.yourdomain.loc


          Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.






          share|improve this answer
































            3














            Here's a Technet article that outlines the AD replication model. Look at the Urgent Replication section for a discussion of what gets replicated immediately and doesn't require a forced replication. Mostly it's critical user security events (password changes, account lockouts) that are replicated immediately. There are configuration considerations to be made to make this happen site to site.






            share|improve this answer






























              3














              Remember when you play with forcing replication, all replication links are one-way, incoming. If you want to push changes outbound from a DC via the Sites & Services console, you have to go to each replica-partner and PULL from the source DC.



              There is an easier way to force "outbound-full-replication" using the repadmin.exe tool from the Windows 2003 SP1 Support Tools kit:



              repadmin /syncall /P /e sourceDC1.domain.local


              This will push the changes via all replication links, outward from your source DC, for the default naming contaxt (which is where your user data is).






              share|improve this answer























              • Hopefully Matt will come back and select a new answer. This is the best way to go (or at least, quickest).

                – Doug Luxem
                Apr 6 '10 at 16:38


















              0














              There 's also the possibility to make this using repadmin.exe with the /sync switch or you can even script it using ReplicaSync wich is included in the IADsTools.



              You might see this kb article wich discuss the availables options.






              share|improve this answer























                Your Answer








                StackExchange.ready(function()
                var channelOptions =
                tags: "".split(" "),
                id: "2"
                ;
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function()
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled)
                StackExchange.using("snippets", function()
                createEditor();
                );

                else
                createEditor();

                );

                function createEditor()
                StackExchange.prepareEditor(
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader:
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                ,
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                );



                );













                draft saved

                draft discarded


















                StackExchange.ready(
                function ()
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f53242%2fmaking-active-directory-changes-atomic%23new-answer', 'question_page');

                );

                Post as a guest















                Required, but never shown

























                6 Answers
                6






                active

                oldest

                votes








                6 Answers
                6






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                8














                If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
                alt text
                (source: sysadmin1138.net)






                share|improve this answer

























                • Bang on! Always make the first change on the users local DC will also help.

                  – Kip
                  Aug 12 '09 at 15:32











                • This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                  – Ryan Fisher
                  Apr 6 '10 at 16:32















                8














                If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
                alt text
                (source: sysadmin1138.net)






                share|improve this answer

























                • Bang on! Always make the first change on the users local DC will also help.

                  – Kip
                  Aug 12 '09 at 15:32











                • This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                  – Ryan Fisher
                  Apr 6 '10 at 16:32













                8












                8








                8







                If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
                alt text
                (source: sysadmin1138.net)






                share|improve this answer















                If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
                alt text
                (source: sysadmin1138.net)







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited May 4 at 14:26









                Glorfindel

                4521716




                4521716










                answered Aug 12 '09 at 15:24









                sysadmin1138sysadmin1138

                118k17146282




                118k17146282












                • Bang on! Always make the first change on the users local DC will also help.

                  – Kip
                  Aug 12 '09 at 15:32











                • This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                  – Ryan Fisher
                  Apr 6 '10 at 16:32

















                • Bang on! Always make the first change on the users local DC will also help.

                  – Kip
                  Aug 12 '09 at 15:32











                • This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                  – Ryan Fisher
                  Apr 6 '10 at 16:32
















                Bang on! Always make the first change on the users local DC will also help.

                – Kip
                Aug 12 '09 at 15:32





                Bang on! Always make the first change on the users local DC will also help.

                – Kip
                Aug 12 '09 at 15:32













                This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                – Ryan Fisher
                Apr 6 '10 at 16:32





                This initiates a "pull" of data, not a push. Try this instead: repadmin /syncall /P /e sourceDC1.domain.local

                – Ryan Fisher
                Apr 6 '10 at 16:32













                8














                There is an even easier change. Just reset the users password. That is one of the few instant replications that AD performs. No need to run site replication



                EDIT:



                Small edit. It's not completely instant. What is does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles)



                however, it's probably about as close to instant that you can get with AD.






                share|improve this answer

























                • Good thinking. I like this.

                  – phuzion
                  Aug 12 '09 at 15:52











                • Nice! that works for when my non techie staff need to do this

                  – Kip
                  Aug 12 '09 at 15:53











                • +1 This is the best option for the small one-offs such as when terminating an employee.

                  – squillman
                  Aug 12 '09 at 15:55











                • To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                  – mfinni
                  Apr 6 '10 at 17:33















                8














                There is an even easier change. Just reset the users password. That is one of the few instant replications that AD performs. No need to run site replication



                EDIT:



                Small edit. It's not completely instant. What is does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles)



                however, it's probably about as close to instant that you can get with AD.






                share|improve this answer

























                • Good thinking. I like this.

                  – phuzion
                  Aug 12 '09 at 15:52











                • Nice! that works for when my non techie staff need to do this

                  – Kip
                  Aug 12 '09 at 15:53











                • +1 This is the best option for the small one-offs such as when terminating an employee.

                  – squillman
                  Aug 12 '09 at 15:55











                • To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                  – mfinni
                  Apr 6 '10 at 17:33













                8












                8








                8







                There is an even easier change. Just reset the users password. That is one of the few instant replications that AD performs. No need to run site replication



                EDIT:



                Small edit. It's not completely instant. What is does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles)



                however, it's probably about as close to instant that you can get with AD.






                share|improve this answer















                There is an even easier change. Just reset the users password. That is one of the few instant replications that AD performs. No need to run site replication



                EDIT:



                Small edit. It's not completely instant. What is does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles)



                however, it's probably about as close to instant that you can get with AD.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Aug 12 '09 at 16:13

























                answered Aug 12 '09 at 15:48









                Dayton BrownDayton Brown

                1,32921222




                1,32921222












                • Good thinking. I like this.

                  – phuzion
                  Aug 12 '09 at 15:52











                • Nice! that works for when my non techie staff need to do this

                  – Kip
                  Aug 12 '09 at 15:53











                • +1 This is the best option for the small one-offs such as when terminating an employee.

                  – squillman
                  Aug 12 '09 at 15:55











                • To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                  – mfinni
                  Apr 6 '10 at 17:33

















                • Good thinking. I like this.

                  – phuzion
                  Aug 12 '09 at 15:52











                • Nice! that works for when my non techie staff need to do this

                  – Kip
                  Aug 12 '09 at 15:53











                • +1 This is the best option for the small one-offs such as when terminating an employee.

                  – squillman
                  Aug 12 '09 at 15:55











                • To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                  – mfinni
                  Apr 6 '10 at 17:33
















                Good thinking. I like this.

                – phuzion
                Aug 12 '09 at 15:52





                Good thinking. I like this.

                – phuzion
                Aug 12 '09 at 15:52













                Nice! that works for when my non techie staff need to do this

                – Kip
                Aug 12 '09 at 15:53





                Nice! that works for when my non techie staff need to do this

                – Kip
                Aug 12 '09 at 15:53













                +1 This is the best option for the small one-offs such as when terminating an employee.

                – squillman
                Aug 12 '09 at 15:55





                +1 This is the best option for the small one-offs such as when terminating an employee.

                – squillman
                Aug 12 '09 at 15:55













                To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                – mfinni
                Apr 6 '10 at 17:33





                To pile-on, this is the best answer IMO. It also dovetails nicely with documenting the new password and giving it to the helpdesk or the person's boss, depending on your policies.

                – mfinni
                Apr 6 '10 at 17:33











                3














                Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.



                Note: Each connection will tell you the From Server and To Server for the replication.



                Note: Obviously, start the first replication From the DC you made the change on.



                If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.



                To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:



                REPADMIN /replicate DC1.yourdomain.loc DC2.yourdomain.loc dc=yourdomain,dc=loc /u:yourdomainyour_domain_admin_account


                To find out the replication partnerships for a specific DC from the command line type the following:



                REPADMIN /showrepl DC1.yourdomain.loc


                Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.






                share|improve this answer





























                  3














                  Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.



                  Note: Each connection will tell you the From Server and To Server for the replication.



                  Note: Obviously, start the first replication From the DC you made the change on.



                  If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.



                  To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:



                  REPADMIN /replicate DC1.yourdomain.loc DC2.yourdomain.loc dc=yourdomain,dc=loc /u:yourdomainyour_domain_admin_account


                  To find out the replication partnerships for a specific DC from the command line type the following:



                  REPADMIN /showrepl DC1.yourdomain.loc


                  Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.






                  share|improve this answer



























                    3












                    3








                    3







                    Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.



                    Note: Each connection will tell you the From Server and To Server for the replication.



                    Note: Obviously, start the first replication From the DC you made the change on.



                    If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.



                    To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:



                    REPADMIN /replicate DC1.yourdomain.loc DC2.yourdomain.loc dc=yourdomain,dc=loc /u:yourdomainyour_domain_admin_account


                    To find out the replication partnerships for a specific DC from the command line type the following:



                    REPADMIN /showrepl DC1.yourdomain.loc


                    Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.






                    share|improve this answer















                    Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.



                    Note: Each connection will tell you the From Server and To Server for the replication.



                    Note: Obviously, start the first replication From the DC you made the change on.



                    If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.



                    To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:



                    REPADMIN /replicate DC1.yourdomain.loc DC2.yourdomain.loc dc=yourdomain,dc=loc /u:yourdomainyour_domain_admin_account


                    To find out the replication partnerships for a specific DC from the command line type the following:



                    REPADMIN /showrepl DC1.yourdomain.loc


                    Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Aug 12 '09 at 15:38

























                    answered Aug 12 '09 at 15:25









                    IzzyIzzy

                    7,85522634




                    7,85522634





















                        3














                        Here's a Technet article that outlines the AD replication model. Look at the Urgent Replication section for a discussion of what gets replicated immediately and doesn't require a forced replication. Mostly it's critical user security events (password changes, account lockouts) that are replicated immediately. There are configuration considerations to be made to make this happen site to site.
















                            answered Aug 12 '09 at 16:03









                            squillman





















                                3














                                Remember when you play with forcing replication, all replication links are one-way, incoming. If you want to push changes outbound from a DC via the Sites & Services console, you have to go to each replica-partner and PULL from the source DC.



                                There is an easier way to force "outbound-full-replication" using the repadmin.exe tool from the Windows 2003 SP1 Support Tools kit:



                                repadmin /syncall /P /e sourceDC1.domain.local


                                This will push the changes via all replication links, outward from your source DC, for the default naming context (which is where your user data is).
















                                answered Apr 6 '10 at 16:30









                                Ryan Fisher












                                • Hopefully Matt will come back and select a new answer. This is the best way to go (or at least, quickest).

                                  – Doug Luxem
                                  Apr 6 '10 at 16:38




























                                0














                                There's also the possibility to make this using repadmin.exe with the /sync switch, or you can even script it using ReplicaSync, which is included in the IADsTools.

                                You might see this KB article, which discusses the available options.
















                                    answered Aug 12 '09 at 15:32









                                    Maxwell


























