Hello, I have 20 sites with windows 2003. I will disable account on one DC and propagate this information to another DC as soon as possible. Questions: 1) What should I set to disable accout in other site as soon as possible ? ( set notification between site, lock account instead disable ?) 2) Is disable account triger urgent replication ? 3) What are replicated if urgent replications are trigered ? ( all changes that occurs on DC or only that which triger target replication ? ) 4) How to shorten urgent replication time ? Best regards, ArturXentri

Howdie! Am 16.12.2010 20:04, schrieb Xentri: > I have 20 sites with windows 2003. I will disable account on one DC and > propagate this information to another DC as soon as possible. Questions: How are they setup? Is that a hub and spoke configuration? One hub to which all other sites are connected to? > 1) What should I set to disable accout in other site as soon as possible > ? ( set notification between site, lock account instead disable ?) Just disable it. The disable change is carried out through normal replication to all DCs through "normal" replication means. > 2) Is disable account triger urgent replication ? As far as I know, it doesn't. An account lockout would trigger it -- not an account disable. > 3) What are replicated if urgent replications are trigered ? ( all > changes that occurs on DC or only that which triger target replication ? ) What's called "urgent replication" is a set of specific action that are carried out aside from "normal" replication resulting in immediate replication between DCs -- but then again, it stops at site borders. > 4) How to shorten urgent replication time ? You can't shorten it -- and to be honest, I don't see why you are trying to change this behavior. Have you checked what replication latency in your environment looks like? How long do changes take to carry out to all DCs? Specifically: what is the risk you are trying to protect yourself from? If the links between the sites are well equipped, you might think about turning on inter-site change notification. That'll speed up replication across site boundaries. Cheers, Florian The views and opinions expressed in my postings do NOT correlate with the ones of my friends, family or my employer.

Hello, Florian thanks for answer. I have hub configuration. So I have third party application that will be used to trace user login/logoff, lock and unlock user account. This applications have connect to only one DC. So imagine that with normal replication in site A (HQ ) disabled account will appear after 3 hours in site B ( branch office ). So I try to find way how to shorten this time without modifying schedule intersite replication. Q1) How long will take intrer-site replication if I turn on inter-site change notification ? ( will it take 15 sec ( as intrasite replication) or more ? Q2) I will clarify. Are inter-site change notification and urgent different in case of how it works? Inter-site notification just notify another DC that changes occurs and target DC pull changes. Urgent replication push changes to all DC within site. Q3) Even If I turn on inter-site change notification urgent replication doesn't cross site borders ? Q4) Do you see how to lock user (prevent logon) in branch office if I do action on DC in HQ ? ( I think about disable account and fast replication and exceed number of faild logon in HQ for that user - this replicate urgently) ad 3) I will clarify "specyfic actions" are: " Modifying the account lockout policy for the domain Modifying the domain password policies Moving the relative identifier (RID) master to a new domain controller Changing a Local Security Authority (LSA) secret, such as when the domain controller machine password is modified Locking out a user account when a user attempts to log on too many times using an incorrect password" Best regards, XentriXentri