Replication Frequency/DC authentication preference

Guest

We are running an application (Netloan) that requires the replication time
between DCs to be reduced to 15 seconds. Unfortunately this is still not
always low enough.

A few questions:
1. What is the minimum the replication can be reduced to? (Both DCs are on
the same network segment.)
2. What are the implications of reducing this value?
3. Is it possible to make a PC choose a specific DC to authenticate against
during user logon?

Explanation:
We are running Netloan to allow booking of library PCs. Each PC within
Netloan has an NT user account assigned to it. Each Netloan user has a
Netloan account assigned to it. When a session begins the Netloan user
account (in effect) picks a DC and moves the machine related NT user account
to the correct OU and security group. The machine related NT account is then
passed to the NT logon process, which picks a DC to authenticate against; this
may not be the same DC as Netloan chose, so if replication does not take place
soon enough an incorrect group policy could be applied.

Thanks in advance.

Pete.
 
(1)
For Windows 2003
Determining when intrasite replication occurs
Directory updates made within a site are likely to have the most direct
impact on local clients, so intrasite replication is optimized for speed.
Replication within a site occurs automatically on the basis of change
notification. Intrasite replication begins when you make a directory update
on a domain controller. By default, the source domain controller waits 15
seconds and then sends an update notification to its closest replication
partner. If the source domain controller has more than one replication
partner, subsequent notifications go out by default at 3 second intervals to
each partner. After receiving notification of a change, a partner domain
controller sends a directory update request to the source domain controller.
The source domain controller responds to the request with a replication
operation. The 3 second notification interval prevents the source domain
controller from being overwhelmed with simultaneous update requests from its
replication partners.

For some directory updates in a site, the 15 second waiting time does not
apply and replication occurs immediately. Known as urgent replication, this
immediate replication applies to critical directory updates, including the
assigning of account lockouts and changes in the account lockout policy, the
domain password policy, or the password on a domain controller account.

For Windows 2000

The same applies, except that the source DC waits 5 minutes before the first
notification, and subsequent notifications go out by default at 30-second
intervals to each partner.

Look at the following articles for more information:

Change the Delay for Initial Notification of an Intrasite Replication Partner

http://www.microsoft.com/technet/pr...maintain/opsguide/part2/adogdapb.mspx#E0OE0AA

How to Modify the Default Intra-Site Domain Controller Replication Interval
http://support.microsoft.com/?kbid=214678

Active Directory Replication Tools and Settings
http://www.microsoft.com/technet/pr...Ref/df20bd3e-9914-4a8d-bd5b-3b987c73a34d.mspx

(2) See the documents above.

(3) No.
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
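The two registry values behind the delays described in the answer above (the initial notification pause and the pause between partners) are the ones KB 214678 documents. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the current settings and lowers them in a way that records what was there before. The value names and the documented defaults (300/30 seconds on Windows 2000, 15/3 seconds on Windows Server 2003 when the values are absent) are real; the suggested numbers in the commented usage line are the original poster's choice, and the script assumes it is run in an elevated shell on the source DC.

```powershell
# Added example (not from the thread): inspect and lower the intrasite
# change-notification delays from KB 214678. NTDS reads these values at
# startup, so a reboot (Windows 2000/2003) is needed for a change to take effect.
# Urgent replication (lockouts, password policy changes, DC account passwords)
# ignores these delays entirely, so they only matter for ordinary updates such
# as the OU and group-membership moves the booking application makes.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$FirstName  = 'Replicator notify pause after modify (secs)'   # wait before notifying the first partner
$SubsName   = 'Replicator notify pause between DSAs (secs)'   # wait between each further partner

function Get-IntrasiteNotifyDelay {
    # Returns the configured values, or '(default)' when a value has never been set
    # (in which case the OS built-in default applies).
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        FirstPartnerDelaySec      = if ($null -ne $p.$FirstName) { $p.$FirstName } else { '(default)' }
        SubsequentPartnerDelaySec = if ($null -ne $p.$SubsName)  { $p.$SubsName  } else { '(default)' }
    }
}

function Set-IntrasiteNotifyDelay {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3600)][int]$FirstSeconds,
        [Parameter(Mandatory)][ValidateRange(1, 3600)][int]$SubsequentSeconds
    )
    # Record the previous state so the change can be rolled back if replication
    # traffic becomes a problem.
    $before = Get-IntrasiteNotifyDelay
    Write-Verbose ("Before: first={0}s subsequent={1}s" -f
        $before.FirstPartnerDelaySec, $before.SubsequentPartnerDelaySec)

    Set-ItemProperty -Path $NtdsParams -Name $FirstName -Value $FirstSeconds      -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name $SubsName  -Value $SubsequentSeconds -Type DWord

    # Return the new state for the caller to check.
    Get-IntrasiteNotifyDelay
}

# The change the original poster settled on (first partner after 10 s, 3 s between partners):
# Set-IntrasiteNotifyDelay -FirstSeconds 10 -SubsequentSeconds 3 -Verbose
# After the reboot, confirm which partners receive the notifications:
# repadmin /showrepl
```

Lowering the first-partner delay shortens the window in which the second DC still holds the old group membership, but it cannot close it: a logon that reaches the other DC inside the remaining seconds still gets the old policy. If the booking application can run a command after it moves the account, `repadmin /syncall` (from the replication tools referenced above) forces the partners to pull the change immediately rather than waiting for notification.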
 
Jorge

Thanks for the response, very useful.

I'm going to reduce the replication value down from 15 to 10 and also
change the Priority for DNS SRV records; as there are not too many machines
in this domain, it shouldn't cause a problem.

Pete.
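The SRV priority change mentioned in the reply above is done per DC through the Netlogon registry values LdapSrvPriority and LdapSrvWeight, which Netlogon writes into that DC's _ldap and _kerberos SRV records when it registers them. The following PowerShell is an added example, not code from the thread: it is run on the DC clients should avoid, raises that DC's priority number (clients try the lowest priority first and only fall back to a higher one when no DC at the lower priority answers), restarts Netlogon so the records are re-registered, and shows what clients will resolve. The domain name in the usage line is an assumption.

```powershell
# Added example (not from the thread): make one DC the fallback for all clients
# in the site by publishing its SRV records with a worse (higher) priority.
# Run elevated on the DC to be demoted to fallback; leave the preferred DC at
# the default priority 0. This affects every client, not a single PC, which is
# why it answers question 3 only indirectly.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSrvPriority {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 65535)][int]$Priority,
        [ValidateRange(0, 65535)][int]$Weight = 100,       # 100 is the Netlogon default
        [Parameter(Mandatory)][string]$DnsDomain            # assumed, e.g. 'corp.example'
    )
    Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvPriority' -Value $Priority -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord

    # Netlogon re-registers its SRV records when it starts; no reboot is needed.
    Restart-Service -Name Netlogon

    # Check the published records the way a client locator would see them.
    # nslookup exists on every Windows version, including 2000/2003.
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DnsDomain"
}

# Set-DcSrvPriority -Priority 10 -DnsDomain 'corp.example'
```

The nslookup output should list the demoted DC with priority 10 and the other DC with priority 0. Clients that already cached the old records keep using them until the record TTL expires, so test from a machine after `ipconfig /flushdns`. Because the demoted DC is now used only when the preferred one is down, a failure of the preferred DC silently reverts the environment to the original race between the two DCs.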
 