Password replication in AD LDS

  • Last Post 01 April 2016
minwar posted this 14 March 2016

Hi, looking for some advice as new to LDS.  There is no PDCe so how are password changes handled? Does LDS have urgent replication or are you left to allow standard change notification to occur? Thank in adavnce

minwar posted this 01 April 2016

I thought i would follow up on this in case it is of any use to someone further down the line...

LDS treats a password changes just as it would with any other attribute change. It has no concept of urgent replication.   So best case scenario if you are using single site (change notification) means that you are subject to usual 15s period whilst the change is notified to 1st replication partner and then subsequent 3s wait in between each additional replication partner being notified.  Account lockouts in AD LDS are not replicated at all on their own accord! That means that if you lock an account out on one LDS server then you can go and try multiple times on any other instance and get authenticated with correct credentials on any other LDS server. It will only ever replicate lockouts or badpwdcount if another unrelated change is made to force replication.  Or if you setup a scheduled task to do this.   Seems utterly bizare but MS claim its not a bug and is by design, This is true up to an including 2012 R2.