Re: AD intersite replication lag - security problem?

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 01/11/03


From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sat, 11 Jan 2003 10:02:26 -0500


Kev, I hate this answer as much as anyone but the answer is "This is by
design". Consider a situation with a site that doesn't replicate except once
a day or once every couple of days.

Your solutions are to increase your replication frequency (i.e. decrease the
period between replications), or enable change notification on site links, or
place all DCs in one site, or write a script that will loop through all DCs
disabling a user. The second answer is probably the better one.

Nothing will force an immediate replication across sites to normal DCs.
Some things will force changes to get back to the PDC immediately, and there
is a password change functionality change coming in a hot fix soon that will
cause a quick replication for that user to a DC they are logging into if the
password they have is invalid on the local DC that they are logging into, but
that is it.

--
Joe Richards
www.joeware.net
---
"Kev" <this-doesnt-exist@any-mailserver.com> wrote in message
news:#NzoA0MuCHA.432@TK2MSFTNGP10...
> Yesterday I discovered something that worries me. Here's the scenario:
>
> User JDOE was terminated from my company (let's say) ACME Corp.
> This user worked in one of ACME's offices overseas. This office is part of
> the Active Directory Site 'B'.
> JDOE's account was disabled on a domain controller that also resides in Site
> 'B'.
> Site 'A' has a VPN Server, and a domain controller. Site 'A' and Site 'B'
> use the DEFAULTIPSITELINK for replication.
> Now here's the kicker. The disabled user was still able to log onto the
> network at Site 'A' using VPN and had normal access to everything for a
> period of 3 hours!
> I realize that the replication interval for DEFAULTIPSITELINK is 180
> minutes, but I assumed (wrongly) that an event such as disabling a user would
> trigger a replication.
>
> Am I overlooking something? I don't think that I should have to force
> replication between all of my sites after an employee is terminated. I also
> don't think that I should have to set the replication interval to such a
> small amount that it will possibly clog up the link. Any insights on this
> will be appreciated.
>
> Thanks,
> Kev
>
>
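The "loop through all DCs disabling a user" option from the reply above, written out as an added example (it is not from the thread or from either poster, and uses the Windows Server ActiveDirectory PowerShell module, which did not exist in 2003). It writes the disable directly on every writable DC so no DC keeps accepting the user's logon while inter-site replication catches up, then reads the flag back from each DC to confirm. It assumes the module is installed, the caller has rights to disable accounts, and the DCs are reachable over LDAP; the account name `jdoe` is a constructed sample.

```powershell
#Requires -Modules ActiveDirectory
# Added example: disable one account on every writable DC, then verify per DC.
# Assumptions: ActiveDirectory module present, caller may disable accounts,
# all writable DCs reachable. 'jdoe' below is a constructed sample name.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'jdoe'
    [switch] $PushReplication                          # also push the object DC-to-DC
)

Import-Module ActiveDirectory

# Enumerate every writable DC in the current domain. Read-only DCs cannot
# accept the write, so they are excluded.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } | Sort-Object HostName
if (-not $dcs) { throw "No writable domain controllers found." }

$results = foreach ($dc in $dcs) {
    try {
        # Write directly on this DC instead of waiting for the site link
        # schedule (180 minutes by default on DEFAULTIPSITELINK).
        Disable-ADAccount -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop

        # Read back from the same DC to confirm the write landed there.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties Enabled -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Enabled = $u.Enabled; Error = $null }
    }
    catch {
        # An unreachable DC is the one to worry about: it keeps authenticating
        # the user until replication reaches it.
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Enabled = $null; Error = $_.Exception.Message }
    }
}

if ($PushReplication) {
    # Optional: replicate just this one object from the first DC that took the
    # write to every other DC (single-object sync, not a full replication cycle).
    $source = ($results | Where-Object { $_.Enabled -eq $false } | Select-Object -First 1).DC
    if ($source) {
        $dn = (Get-ADUser -Identity $SamAccountName -Server $source).DistinguishedName
        foreach ($dc in ($dcs | Where-Object { $_.HostName -ne $source })) {
            try { Sync-ADObject -Object $dn -Source $source -Destination $dc.HostName -ErrorAction Stop }
            catch { Write-Warning "Sync to $($dc.HostName) failed: $($_.Exception.Message)" }
        }
    }
}

$results | Format-Table -AutoSize

# Any DC not showing Enabled = False can still authenticate the user.
# Report it as an open finding rather than treating the run as a success.
$open = $results | Where-Object { $_.Enabled -ne $false }
if ($open) { Write-Warning ("Account still enabled or unverified on: " + ($open.DC -join ', ')) }
```

Run it as `.\Disable-Everywhere.ps1 -SamAccountName jdoe -PushReplication` from a host that can reach all DCs. Two caveats worth keeping in mind when reading the output: a DC that errors is the one the terminated user can still log on through, so the run is not finished until every row reads `Enabled = False`; and the directory change on its own does not tear down sessions the user already holds, such as an established VPN connection or Kerberos tickets issued before the disable, so those have to be revoked through the VPN server and the ticket lifetime separately.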
