Re: AD Replication Questions

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 08/15/04 

Date: Sun, 15 Aug 2004 17:49:36 -0400

Eric,

If you fire someone and you have multiple Sites then disabling the user
account object will be subject to the Intrasite as well as Intersite
Replication schedule.

However, please remember that you can install the Support Tools and use
replmon to start a synch. You can also do this with ADSS.

The risk is only what you let it be!

Glad that you added a second DC in Dallas.

Cary

<anonymous@discussions.microsoft.com> wrote in message
news:64c401c482bf$10d75b50$a501280a@phx.gbl...
> Cary,
>
> Thanks for the reply. We are adding another DC this
> morning for our Dallas office.
>
> We do have have seperate sites setup but the reason it is
> still only taking 15 minutes is because in the Inter-site
> transports we have 15 minutes setup rather than the
> default.
>
> I think where I was confused was that I thought certain
> events would cause replication immediatly. For example if
> an employee is fired and we disable his account in
> Houston; he could then feasibly login to a Dallas resource
> (Such as a RAS Server) until replication occurs. Doesn't
> this pose a considerable security risk for those 15
> minutes?
>
> Thanks again,
>
> Eric
> >-----Original Message-----
> >Eric,
> >
> >One thing that I left off my first post....
> >
> >Are you sure that you have set up two distinct Sites in
> the ADSS MMC? If
> >you have this fast of a connection between the two Sites
> ( you did not
> >actually mention the exact speed, just assuming that a
> fractional T3 would
> >be pretty quick ) then you *might* decide to have
> everything as one Site.
> >This sounds suspiciously like what is going on in that
> you state that it
> >takes up to 15 minutes for the new user to show up in the
> other Site. This
> >sounds like the regular intra-site replication period -
> unless someone
> >changed the inter-site parameters that I mentioned in my
> initial reply.
> >
> >HTH,
> >
> >Cary
> >
> >"Eric" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:5f5d01c4823b$57f21220$a301280a@phx.gbl...
> >> We currently have 2 sites setup. One is labeled Houston
> >> and one is labeled Dallas. The Houston site has 3 DC's
> in
> >> it and the Dallas currently has 1 DC. We have a VPN
> >> between our Houston and Dallas offices that is
> currently a
> >> fractional T3.
> >>
> >> When we make a change on a Houston DC such as locking an
> >> account out, disabling an account, or adding a new
> account
> >> it replicates to the other Houston DC's almost
> immediately
> >> but it take a while to replicate to the Dallas DC.
> There
> >> is no latency over the VPN so I know it is not network
> >> related. It does eventually get there after about 15 -
> 20
> >> minutes.
> >>
> >> Are there any settings I can change to control this? Is
> >> this normal? I think I am confused about how long it
> >> should take to replicate.
> >>
> >> Any information would be greatly appreciated.
> >>
> >> Thanks,
> >>
> >>
> >> Eric
> >
> >
> >.
> >