By Tony Murray on Tuesday, December 18, 2007 4:37 PM
If you have more than one AD site you may find that account lockouts and unlocks take some time to replicate to the remote site(s). This article explains why this can happen and shows how to enable change notification on inter-site links to allow the urgent replication of account lockout status.
Let’s take a scenario in which we have a standard AD environment with two AD sites (North and South). The North site has the PDC Emulator role holder DC (DCN1) and two additional DCs (DCN2 and DCN3). The South site has a single DC (DCS1). The two sites are connected by a site link (NorthSouth), which is configured to replicate every 15 minutes. Automatically generated connection objects are in place between DCN1 and DCS1.
A user in the North site (Dean North) is having trouble with his password and manages to lock his account out after 15 unsuccessful attempts (Dean is not the sharpest tool in the box). The lockout occurs on DCN2. The lockout event is immediately replicated to the PDCE (DCN1). DCN3 is updated with the lockout status through urgent intra-site replication.
At this point Dean North calls Joe South, who works on the IT Service Desk. Joe is located in the South site and his Active Directory Users and Computers session is connected to DCS1. Dean explains to Joe that his account is locked out and now, having found his password taped to the underside of his keyboard, asks Joe to unlock his account so that he can log in to the domain. Joe looks in Active Directory Users and Computers and sees that the account is not locked out. Dean and Joe start calling each other names and confusion reigns.
Joe South could not see the locked out account because his view of Dean’s account came from DCS1, which had not yet received the lockout status change via inter-site replication. If Joe had waited (up to 15 minutes, the interval on the NorthSouth site link) he would have seen the status change. Account lockouts are replicated urgently to intra-site replication partners, but not (by default) across site links to inter-site replication partners. To modify this behavior you need to enable change notification on the site link. This requires setting the USE_NOTIFY bit (value 1) in the options attribute of the appropriate site link object.
Instructions on how to make the change using ADSIEdit are provided here (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/
You can also write the attribute value with admod from www.joeware.net using the following syntax:
admod -b "CN=<SiteLinkName>,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=north,DC=com" options::1
Note that the options attribute value is a bitmask (1 = USE_NOTIFY, 2 = TWOWAY_SYNC, 4 = DISABLE_COMPRESSION). The admod command above blindly writes the value 1, which would clear any other bit that is already set.
You should first check what (if any) value already exists and then write the correct combined value accordingly.
To find the current value you can use another tool from JoeWare called adfind, as follows:
adfind -config -rb "CN=<SiteLinkName>,CN=IP,CN=Inter-Site Transports,CN=Sites" options
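The check-then-write sequence above, as an added PowerShell example that is not part of the original article: it reads the current options bitmask on the site link, ORs in the USE_NOTIFY bit so that any existing bits are preserved, writes the result back, and verifies the write. It assumes the ActiveDirectory PowerShell module is available and uses the article's site link name (NorthSouth) as the default.

```powershell
# Added example, not code from the original article.
# Enables inter-site change notification on a site link without
# clobbering other bits already set in the 'options' attribute.
# Assumes: ActiveDirectory module loaded, rights to write to the
# Configuration partition, and a site link in the IP transport.
param(
    [string]$SiteLinkName = 'NorthSouth',   # the article's example site link
    [switch]$WhatIf
)

# Known bits of the siteLink 'options' attribute
$USE_NOTIFY          = 0x1   # inter-site change notification (what we want)
$TWOWAY_SYNC         = 0x2   # force two-way sync
$DISABLE_COMPRESSION = 0x4   # disable compression of inter-site traffic

function Decode-SiteLinkOptions {
    param([int]$Value)
    $flags = @()
    if ($Value -band $USE_NOTIFY)          { $flags += 'USE_NOTIFY' }
    if ($Value -band $TWOWAY_SYNC)         { $flags += 'TWOWAY_SYNC' }
    if ($Value -band $DISABLE_COMPRESSION) { $flags += 'DISABLE_COMPRESSION' }
    if ($flags.Count -eq 0) { return '(none)' }
    return ($flags -join ', ')
}

# Build the site link DN from the forest's Configuration naming context
# rather than hard-coding the domain, as the admod example does.
$configNC = (Get-ADRootDSE).configurationNamingContext
$linkDN   = "CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Step 1: read the current value (the equivalent of the adfind check)
$link    = Get-ADObject -Identity $linkDN -Properties options
$current = if ($null -eq $link.options) { 0 } else { [int]$link.options }
Write-Host ("{0}: options={1} [{2}]" -f $SiteLinkName, $current, (Decode-SiteLinkOptions $current))

if ($current -band $USE_NOTIFY) {
    Write-Host "Change notification is already enabled; nothing to do."
    return
}

# Step 2: set the bit, keeping whatever else was already there
$new = $current -bor $USE_NOTIFY
Write-Host ("Writing options={0} [{1}]" -f $new, (Decode-SiteLinkOptions $new))
Set-ADObject -Identity $linkDN -Replace @{ options = $new } -WhatIf:$WhatIf

# Step 3: re-read and confirm the bit is set
if (-not $WhatIf) {
    $after = [int](Get-ADObject -Identity $linkDN -Properties options).options
    if ($after -band $USE_NOTIFY) {
        Write-Host "Verified: USE_NOTIFY is set on $SiteLinkName (options=$after)."
    } else {
        Write-Warning "USE_NOTIFY is NOT set on $SiteLinkName (options=$after)."
    }
}
```

Run it with -WhatIf first to see the current bitmask and the value that would be written; the decoded flag names make it obvious whether a blind write of 1 would have dropped TWOWAY_SYNC or DISABLE_COMPRESSION.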
Once change notification has been enabled, any change in lockout status will be replicated urgently across the site link rather than waiting for the next 15-minute replication interval. Bear in mind that notification applies to all changes crossing the link, not only urgent ones, so the volume and frequency of replication traffic over the WAN will increase.
The following items are subject to urgent replication:
One thing to note is that password changes take effect promptly regardless of whether change notification is enabled on site links. When you change your password, the DC on which the change was made pushes the new password to the PDCE immediately. If you then try to log in at a different DC that has not yet received the change through normal replication, that DC will detect an incorrect password but, before rejecting the logon, will forward the request to the PDCE to check whether a more recent password has been set.
For more information see the following links: