RODC Replication and Timeout RRS feed

  • Question

  • Hello community

    I've a question about the replication topology. I know that every read only dc needs a writable dc which has WS2008 installed. 1) Can someone explain me, what happens if the WAN link is not available? Sure, all populated user passwords will work for log on. But how long can this link be gone? And 2) What happens if the connectivity is available after x hours?

    3) I also would like to know if the RODC in such a situation also will update the last-logon attribute in ad. What is the exact way of this update process?

    Thanks a lot for the information on this.

    Wednesday, February 18, 2009 5:38 PM





    The results that occur for directory operations by a client computer in a branch site that includes only an RODC, when the WAN is offline:

    ·         Authentication fails if the account password is not cached and the user attempts to authenticate to the RODC. Offline authentication succeeds if the account password is cached and if the RODC is a global catalog server or the site with the RODC has the universal group membership caching feature enabled.

    ·         Password change fails. It is important to change your password while connectivity to a writable domain controller is available because if the password expires while the WAN is offline, although the RODC will prompt the user to change the expired password, the password change request and logon will fail because a writable domain controller cannot be contacted.

    ·         There is no way to manually unlock an account that is locked out by an RODC while the WAN is offline. If the WAN remains offline, the account can be unlocked only after the account lockout duration has elapsed.


    For more information:

    How Operations in a Branch Site with an RODC Are Affected When the WAN Is Not Available




    By default, the KCC reviews and makes modifications to the Active Directory replication topology every 15 minutes to ensure propagation of data, either directly or transitively, by creating and deleting connection objects as needed.


    For more information:


    How Active Directory Replication Topology Works


    • Proposed as answer by Brian D. Knight Friday, February 20, 2009 6:11 PM
    • Marked as answer by Joson Zhou Tuesday, February 24, 2009 2:14 AM
    Friday, February 20, 2009 10:12 AM