Account lockout not replicating to PDC Emulator
-
Monday, March 12, 2012 6:38 AM
Hi,
Account lockouts (event 4740) are not always replicating to the PDC Emulator.
According to the documentation it should though.
We need this for a specific application and we're running Windows 2008 R2 Active Directory.
Thanks!
All Replies
-
Monday, March 12, 2012 7:00 AM
Check for any events on your domain controllers and post them here.
Also I suggest running Dcdiag /q on your DC and looking at your AD health. If there are some failed messages, post them here.
Account lockouts and password-related things will replicate instantly. Check out the links below to understand this.
http://blog.meigh.eu/2010/08/12/active-directory-replication-triggers.aspx
http://technet.microsoft.com/en-us/library/cc961826.aspx
Check the below thread.
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Monday, March 12, 2012 9:02 AM
Hi,
The PDC emulator should receive urgent replication of account lockouts. If it is not always replicating to the PDC, it seems there is a connectivity or replication problem between the DCs.
Ensure the DNS pointing is correct on each DC.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
Check that the required ports are open on the firewall.
http://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx
Check that the PDC owner is acting as an authoritative time server.
http://support.microsoft.com/kb/816042
Run dcdiag and repadmin /replsum on the DC and look for any errors.
Understanding Urgent Replication:
http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx
How the Active Directory Replication Model Works:
http://technet.microsoft.com/en-us/library/cc772726(v=ws.10).aspx#w2k3tr_repup_how_ethi
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
-
Monday, March 12, 2012 11:55 AM (Moderator)
Could you provide additional details? Why do you state "not always replicating"?
Are there some DCs where it works from and others where it doesn't? Account lockouts use immediate replication to the PDCe.
http://blogs.dirteam.com/blogs/paulbergson/archive/2011/04/06/active-directory-replication-types.aspx
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
-
Monday, March 12, 2012 12:28 PM (Moderator)
Is it happening intra-site or inter-site? If it's inter-site, has change notification been enabled and configured? Take a look at the references below.
http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/40/Default.aspx
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Monday, March 12, 2012 3:52 PM
Hi,
How do you check the account status for these accounts?
As the others wrote, the account lockout status should be replicated to the PDCE role-holding DC immediately. This is performed with immediate replication, as Paul already wrote.
You find more information about this here:
http://technet.microsoft.com/en-us/library/cc775412(v=ws.10).aspx
Regards, Martin Forch
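One way to answer Martin's question of how the account status is being checked, as an added example that is not from any poster in this thread: a PowerShell script (assumes the RSAT ActiveDirectory module and a domain account allowed to read user attributes) that asks every DC for its own view of a user's lockout attributes and flags DCs that show the account locked while the PDC Emulator does not yet. Note that lockoutTime is replicated but badPwdCount is a per-DC counter, so differences in the latter are normal.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# Compares each DC's view of a user's lockout state with the PDC Emulator's.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)
Import-Module ActiveDirectory

$pdce = (Get-ADDomain).PDCEmulator
$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function Get-LockoutView {
    param([string]$Server, [string]$User)
    $u = Get-ADUser -Identity $User -Server $Server `
         -Properties lockoutTime, badPwdCount, badPasswordTime, LockedOut
    # lockoutTime / badPasswordTime are Windows FILETIME values; 0 means "never"
    $lockedAt = $null
    if ($u.lockoutTime -gt 0) { $lockedAt = [DateTime]::FromFileTime($u.lockoutTime) }
    $lastBad = $null
    if ($u.badPasswordTime -gt 0) { $lastBad = [DateTime]::FromFileTime($u.badPasswordTime) }
    [pscustomobject]@{
        DC          = $Server
        IsPDCE      = ($Server -ieq $pdce)
        LockedOut   = $u.LockedOut
        LockoutTime = $lockedAt
        BadPwdCount = $u.badPwdCount   # per-DC counter, not replicated
        LastBadPwd  = $lastBad
    }
}

$views = foreach ($dc in $dcs) {
    try   { Get-LockoutView -Server $dc -User $SamAccountName }
    catch { Write-Warning "Could not query $dc : $_" }
}
$views | Sort-Object IsPDCE -Descending | Format-Table -AutoSize

# A DC that reports the account locked while the PDCE does not means the urgent
# replication to the PDCE has not arrived; check repadmin /replsum and connectivity.
$pdceView = $views | Where-Object IsPDCE
$lagging  = $views | Where-Object { $_.LockedOut -and -not $pdceView.LockedOut }
if ($lagging) {
    Write-Warning ("Lockout seen on {0} but not on PDCE {1}" -f ($lagging.DC -join ', '), $pdce)
}
```

Run it as `.\Check-Lockout.ps1 -SamAccountName jdoe` shortly after a 4740 is logged on a non-PDCE DC; a row with LockedOut true on that DC and false on the PDCE is the symptom the thread is discussing.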
-
Monday, March 12, 2012 9:12 PM
Howdie!
On 12.03.2012 07:38, Jaap2011 wrote:
> Account lockouts (event 4740) are not always replicating to the PDC
> Emulator.
>
> According to the documentation it should though.
That is a best-effort approach here. If the call works, we're fine. If not (due to network, bandwidth, firewalling), then we're fine too and we'll carry the change via normal replication anyway.
> We need this for a specific application and we're running Windows 2008
> R2 Active Directory.
Need what? PDC chaining? Or the lockout to be replicated to the PDC? The latter will eventually happen through normal replication (sooner or later).
If that's not sufficient - what is the requirement _exactly_? What are you trying to achieve?
Florian
The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.
-
Monday, March 12, 2012 11:18 PM
Password reset and account lockout events are replicated immediately between the DCs.
The reason is that if an administrator resets a password for a user who has forgotten their password, the change is immediately replicated back to the PDCe (same for account lockout). This isn't a situation where the PDCe is notified about the change; instead the change is immediately pushed to it. The reason this is so important is that if a user attempts to log on and the password they attempt to use fails, the DC will send the hash of the password (the password itself is never sent over the wire) to the PDCe to check whether the password is correct, since there is latency in replication.
I would recommend first checking the health of the DCs. This could be due to a replication issue between the DCs (due to DNS misconfiguration, necessary ports not open for AD replication, etc.).
Run dcdiag /q and repadmin /replsum to check the health of the DCs.
If there is no issue between the DCs, you can configure change notification.
For change notification within a site and between sites, refer to the links below.
Refer to the links below for more on urgent replication.
http://technet.microsoft.com/en-us/library/cc961787.aspx
http://support.microsoft.com/kb/232690
http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx
Password Replication Policy for RODC:
http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx
Hope this helps.
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.