Re: Urgent replication not seeming to work



Thank you for the assistance Mr. Richards...
;)

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:eUP6IOqOHHA.5104@xxxxxxxxxxxxxxxxxxxxxxx
Mr. Richards in the house.... (looking around for my dad)

LOL. Please no more Mr. Richards, even my enemies call me joe (just they say it with a snobbish all knowing sneer).


I wrote a lot of this up and presented it at DEC 2006 during the infamous Dean and joe show. Likely people were laughing too hard from Dean cracking jokes to listen closely to me. ;o) The slide deck though is here

http://www.jadonex.com/downloads/dec/dec2006.zip

(Note: For maximum benefit, watch it as a presentation, don't skim through the slides in preview, we have a lot of animation in there)


There are two components to the whole PDC Chaining story.

The first is that the PDC gets the current new password. This is handled by a direct RPC shot straight to the PDC from the DC where the change was mastered. This is impacted by the AvoidPDCOnWan configuration in that if that value is set, it won't make the call to the PDC to update the password. But also, the mechanism is not guaranteed. If the PDC is too busy or there is a network issue (or the PDC is just plain down) the password will not be forwarded onto the PDC, it will get there through normal AD replication eventually.

The second is the PDC Chaining request where the user tries a password that the local DC doesn't think is valid and the PDC is chained in to the request to validate. If the PDC thinks it is ok it sends back a response saying, yeah that password is cool and then (as of 2K SP4 and K3 Gold) initiates a new LDAP op that I fought long and hard with MSFT to get implemented back in like 2002 or so for this reason called Replicate Single Object. This will force the info on the PDC directly to the DC that tried and failed the authentication. Again these items are impacted by AvoidPDCOnWan and yet again, they are not guaranteed. If the network is cool, if the PDC is cool, they will work great. If not, they may or may not work.


Going back to the poster's original item... Urgent replication. There is really no such thing as urgent replication. There is only urgent queuing. Items that are urgently queued have the same replication priority in the queue of anything else that is of the same NC. Actually in the slide 40-50 range of that deck above, I talked about queue priorities and what the actual priorities are of different replication requests. Urgent queuing simply means that the normal holdback and dsa pause values are not adhered to for the queuing. As Paul indicated, this only works over change notification links so that is usually within a single site. You can enable change notification between sites on a site link; however, keep in mind that doesn't bring you into the site's replication ring, you still have a bridgehead and you still don't have the "urgently replicated" items being any more important than any other writeable domain NC that is being replicated so changes can easily get hung up on a bridgehead and sit for a while if it is busy. You will note that on one or more of the slides I very specifically pointed out that urgent requests do NOTHING to the priority of the queued items.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Paul Williams [MVP] wrote:
OK, I'll ping him next week and see what you're referring to.

