Bill H

Account Lockout replication

If my AD account gets locked out, how quickly is this information replicated to other DCs in the forest?
ASKER CERTIFIED SOLUTION
digitap
James
Account lockouts or password resets trigger replication to occur to all Domain Controllers. PDC Emulator, one of the 5 FSMO Roles, plays a key part in this. It would be worth noting which of your Domain Controllers holds these Roles.
Bill H

ASKER

What about the other DCs that are part of other sites?
If trusts are set up to sites or if all DCs share the same Active Directory Name Space, then changes will replicate to the DCs.
As long as the DCs are members of the same domain and are part of the replication policy, they'll receive the account lockout updates.
Bill H

ASKER

Child domains also?
Child domains have their own password policies, so the root domain would not affect them. With 2008 AD you can have multiple password policies per domain.
Other domains that are part of a trust don't contain information about the account, so they won't receive the lockout updates. Only DCs that are part of the domain that contains the account will get account lockout updates.
Immediately. Since when there is a wrong password, the domain master that holds the master schema is being informed. Every authentication is done by the master schema.
For example, I am trying to connect on dc2 and I put a password. Then dc2 is asking the domain master if this is correct.
thx for the pts!
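
To measure the replication the thread discusses rather than estimate it, the following added example (not code from any poster in this thread) reads one account's lockout state from every DC in its own domain and marks the PDC Emulator. It assumes the ActiveDirectory RSAT module is installed; the function name and the account `jdoe` are placeholders.

```powershell
# Added example: compare one account's lockout state on every DC in its domain.
# Assumes the ActiveDirectory module (RSAT); 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-LockoutReplicationState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # FQDN of the DC that holds the PDC Emulator FSMO role for this domain
    $pdc = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Ask this specific DC for its own copy of the account
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties LockedOut, lockoutTime, badPwdCount -ErrorAction Stop

            # Replication metadata: when and on which DC lockoutTime last changed
            $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                        -Server $dc.HostName -Properties lockoutTime -ErrorAction Stop

            [pscustomobject]@{
                DC             = $dc.HostName
                Site           = $dc.Site
                IsPdcEmulator  = ($dc.HostName -eq $pdc)
                LockedOut      = $user.LockedOut
                # lockoutTime is a FILETIME; 0 or empty means not locked out
                LockoutTimeUtc = if ($user.lockoutTime -gt 0) {
                                     [datetime]::FromFileTimeUtc($user.lockoutTime)
                                 } else { $null }
                # badPwdCount is kept per DC and is not replicated, so it may differ
                BadPwdCount    = $user.badPwdCount
                OriginatingDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
                OriginatedAt   = $meta.LastOriginatingChangeTime
                Error          = $null
            }
        } catch {
            # An unreachable DC is reported rather than silently skipped
            [pscustomobject]@{
                DC = $dc.HostName; Site = $dc.Site; IsPdcEmulator = ($dc.HostName -eq $pdc)
                LockedOut = $null; LockoutTimeUtc = $null; BadPwdCount = $null
                OriginatingDC = $null; OriginatedAt = $null; Error = $_.Exception.Message
            }
        }
    }
}

Get-LockoutReplicationState -SamAccountName 'jdoe' | Format-Table -AutoSize
```

DCs in other sites that still show `LockedOut` as false, or an older `OriginatedAt`, have not yet received the change; rerunning the function shows when they converge.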