Inter-Site Change Notification Not Working

  • Question

  • I made the change in ADSIEDIT to enable Inter-site change notification after adding a second AD site on our domain.

    The domain level and the old domain controllers in the main site are Server 2008 and the new domain controller for the new site is 2012 R2.

    I tested it by adding and deleting users on a domain controller and checking that the users were added or deleted on the domain controller at the other site.  It seemed to be working fine with that test. I could see the change within seconds.

    However, I noticed that group membership changes and account lockout status are not updating quickly between sites.

    I went back to ADSIEdit and saw that the "1" that I had entered in options a few days earlier was gone and it shows <not set> again.

I put the 1 back in and then went to a different domain controller and it still shows not set there.

    What needs to be done to make sure that these changes stick and replicate between sites?

    Tuesday, April 7, 2015 11:26 PM

All replies

    1. Have you enabled change-notifications on the site link according to the following?
      http://www.ryanjadams.com/2010/05/turbo-charge-active-directory/#axzz2PaGkqbUu

    2. Account lockout attributes such as PwdBadCount and BadPasswordTime are non-replicated attributes and should contain unique values on each DC, so they might not be the best to verify change-notifications against; moreover, not all group memberships are replicated to a DC if it's not a GC in a multi-domain environment.
    3. Do you have any manual connection objects, i.e. ones not managed by the KCC? If so, those need to be changed back to be managed by the KCC if the change-notification option should be automatically propagated down from the site link, or else you have to enable change-notifications manually on those connection objects as well. Have a look at:
      http://www.ryanjadams.com/2010/05/turbo-charge-active-directory/#axzz2PaGkqbUu

      This script can help you find out if you do have manual connection objects:

      Get-ADReplicationConnection -Filter {AutoGenerated -eq $False} |
          Select-Object Name,AutoGenerated,ReplicateToDirectoryServer,ReplicateFromDirectoryServer |
          Out-GridView


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, April 8, 2015 1:14 AM
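The three checks in the reply above (site-link flag, whether the flag actually reached every DC, and the state of the connection objects) carried out in one script. This is an added example, not the poster's script or anything from the linked article; it assumes the ActiveDirectory module from RSAT 2012 R2 or later, a DC running ADWS to bind to, Enterprise Admin rights, and that the renamed site link is still called DEFAULTIPSITELINK (change `$SiteLinkName` to the real name). The `options` bit values are taken from the siteLink and nTDSConnection attribute definitions in MS-ADTS.

```powershell
# Added example (not from the thread): set the change-notification bit on the
# single site link, push the change to every DC, verify it on each DC, and list
# the connection objects with their notification bits decoded.
Import-Module ActiveDirectory

$SiteLinkName = 'DEFAULTIPSITELINK'   # assumption: the poster renamed this link, use the real name

# 'options' bit values from the siteLink and nTDSConnection definitions (MS-ADTS)
$SITELINK_USE_NOTIFY  = 0x1   # siteLink: inter-site change notification on
$CONN_IS_GENERATED    = 0x1   # nTDSConnection: created and owned by the KCC
$CONN_OVERRIDE_NOTIFY = 0x4   # nTDSConnection: ignore the site-link default
$CONN_USE_NOTIFY      = 0x8   # nTDSConnection: notification on this connection

# 1. OR the bit into the site link so any other bits already set survive.
$link    = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options
$current = [int]$link.options               # <not set> comes back as $null, i.e. 0
$wanted  = $current -bor $SITELINK_USE_NOTIFY
if ($current -ne $wanted) {
    Set-ADReplicationSiteLink -Identity $SiteLinkName -Replace @{ options = $wanted }
}

# 2. The siteLink object lives in the Configuration partition, which itself only
#    crosses the site link on the link schedule, so push it to every DC now
#    instead of waiting and wondering whether the edit was lost.
$writer = (Get-ADDomainController).HostName          # DC the cmdlets above bound to
$dcs    = Get-ADDomainController -Filter *
foreach ($dc in $dcs | Where-Object { $_.HostName -ne $writer }) {
    Sync-ADObject -Object $link.DistinguishedName -Source $writer -Destination $dc.HostName
}

# 3. Read the value back from every DC; a DC still showing 0 has not received it.
foreach ($dc in $dcs) {
    $o = [int](Get-ADReplicationSiteLink -Identity $SiteLinkName -Server $dc.HostName -Properties options).options
    '{0,-30} siteLink options={1} notify={2}' -f $dc.HostName, $o, [bool]($o -band $SITELINK_USE_NOTIFY)
}

# 4. Connection objects. KCC-owned ones pick up the site-link setting on the next
#    KCC run; a manual one only notifies if OVERRIDE_NOTIFY and USE_NOTIFY are
#    both set (0x4 + 0x8 = 12), otherwise NeedsFix is reported as True.
Get-ADReplicationConnection -Filter * -Properties options | ForEach-Object {
    $o = [int]$_.options
    [pscustomobject]@{
        Name       = $_.Name
        From       = $_.ReplicateFromDirectoryServer
        To         = $_.ReplicateToDirectoryServer
        Options    = $o
        KccManaged = [bool]($o -band $CONN_IS_GENERATED)
        Notify     = [bool]($o -band $CONN_USE_NOTIFY)
        NeedsFix   = (-not ($o -band $CONN_IS_GENERATED)) -and
                     (-not (($o -band $CONN_OVERRIDE_NOTIFY) -and ($o -band $CONN_USE_NOTIFY)))
    }
} | Format-Table -AutoSize
```

Step 3 is the part that answers the "the 1 disappeared" symptom: if one DC reports a different value from the others, the edit was either made against a DC whose copy was later overwritten or it has simply not replicated yet, and Sync-ADObject in step 2 removes the waiting from that comparison. Note that the AD cmdlets need ADWS on the DC they bind to, which the 2012 R2 DC has; the 2008 DCs in the thread only answer these cmdlets if the separate ADWS package is installed on them.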
  • It is a single domain with a second site recently added.  I have not customized anything to not use KCC.

    I noticed it wasn't replicating properly when a user said he was locked out and when I looked in ADUC it didn't show the account locked.  When I connected to the domain controller in the other site, I saw the account was locked.  I thought account lockouts are supposed to replicate immediately even when you don't enable Inter-site change notifications.

    Wednesday, April 8, 2015 4:22 AM
  • It is a single domain with a second site recently added.  I have not customized anything to not use KCC.

    I noticed it wasn't replicating properly when a user said he was locked out and when I looked in ADUC it didn't show the account locked.  When I connected to the domain controller in the other site, I saw the account was locked.  I thought account lockouts are supposed to replicate immediately even when you don't enable Inter-site change notifications.


    No, urgent replication, such as for account lockouts, is still subject to whether change notifications are enabled for inter-site replication; have a look at: http://blogs.technet.com/b/kenstcyr/archive/2008/07/05/understanding-urgent-replication.aspx

    Are the two sites only members of _one_ site link, the one you have enabled change notifications on? E.g. they are not also members of the default first site link? If you check the options attribute on the connection objects, what value do you have there?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, April 8, 2015 4:47 AM
  • There is only one site link.  The default site link was renamed and used.  No additional site links were created.
    Wednesday, April 8, 2015 5:07 AM
  • There is only one site link.  The default site link was renamed and used.  No additional site links were created.

    So could you post the value of the 'options' attribute on the connection objects then?

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, April 8, 2015 5:14 AM
  • What do you do if you have no "options" attribute to edit?
    Thursday, October 12, 2017 3:32 PM