Re: PDC EMU ?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 06 Aug 2006 10:19:57 -0400
1. With that flag enabled, the normal replication would take place. So if you had other DCs in the site, they would follow the normal intrasite mechanism and then once the password hit the bridgehead for the site it would pass across whatever sitelinks to whatever other bridgeheads it was currently talking to. Depending on your replication topology and timings this change could take minutes to weeks to replicate fully throughout your domain. It depends entirely on what the normal replication latency is for the domain.
2A. I do not believe this is impacted, only password chaining and out of band replication.
2B. This is normal.
2C. If the link is down, you don't need to set it because that is the way it will function anyway. The ONLY time you do this is if you absolutely do not want chaining and password forwarding when the link is up. You have to have extremely slow links IMO to want to configure this, it can be a massively painful thing to do. This is hugely painful if you run centralized applications that do their own auth like Exchange and Web based apps because if the user changes their password locally, then tries to use one of those centralized apps, most likely they will lock themselves out, certainly they won't be able to use the app until the password change gets replicated.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
skhips wrote:
Cheers for both of your time, just to clarify two points.
1. With the avoidpdc set, if a user changes password in site 2, no message is sent to the PDC emulator in site 1, so the DC in site 3 isn't "immediately" told, but will site 3 be told next time replication happens? When would the second DC in site 2 be told of the change: immediately, next replication or never?
2. If this setting is applied, are there any negatives apart from the above, and would the below be correct?
a. Timing for sites would have to point to a local time source, not the PDC emulator.
b. GPO changes would not be immediately sent down, but would they pass around all sites when replication happened?
c. If I decided not to have it always set, is it something you could just apply if a link to the PDC emulator was going to be down for a long time?
Cheers, and my first reply from an MVP, like speaking to royalty.
"Joe Richards [MVP]" wrote:
1. The bad attempt counts are maintained separately for all DCs whether they are able to talk to the PDC or not. So if the user is hitting the same DC over and over again, no, they will not get extra attempts.
2. All AvoidPDCOnWan does is tell the local DC not to contact the PDC in the event of password changes or authentication failures.
Normally if you change a password in Site2, the Site2 DC calls out to the PDC in Site1 and lets it know there was a password change, then if you try to log on to a Site3 DC and specify the new password, the Site3 DC will see the password is wrong but will double-check with the PDC. Enabling AvoidPDCOnWan shuts all of that off.
skhips wrote:
1. If the WAN link is down to the PDC Emulator, does that mean, as it records bad password attempts, a user would be able to have more password attempts than configured in the domain GPO?
2. If I use the AvoidPdcOnWan setting on W2K3 in W2K mode in a remote site, will all of the tasks that the PDC Emulator is responsible for still function at the remote site, or will it cause issues?
TIA