Alan Kinane

asked on

1 DC on premises, 1 DC in cloud. Password changes not replicating in timely manner.

Hi experts, I have a single on-premises AD domain controller (Windows Server 2008 R2) and in addition I have recently set up an Azure VM and connected this to my premises via site-to-site VPN. I have joined the Azure VM to the on-premises domain and promoted this to a DC also. Everything is replicating fine and it's working as expected. However, recently we have forced users to reset their passwords on next log in, and for some of them at least they have had problems authenticating to network shares etc. for a short period. I believe the issue here is that they have authenticated against the Azure DC and have to wait (15 minutes?) for the two DCs to replicate the new password update. Upon performing a gpresult /r I can see that user group policy is being applied from the Azure DC, which seems to confirm my thoughts.

My question is, can I force the client PCs to authenticate to the on-premises DC first and only use the Azure DC as a backup (this is its sole purpose anyway)? Failing that, can I force user password changes to replicate between the DCs instantly?

I have approximately 30 PCs on premises and would prefer not to have to make configuration changes on each PC in order to achieve this.

Any other suggestions to avoid this issue are welcome. Thanks
ASKER CERTIFIED SOLUTION
Cliff Galiher

This solution is only available to members.
Alan Kinane

ASKER

Hi Cliff,

Thanks for the reply. I initially hadn't defined these sites as you suggested, but upon doing my own research I came across an article about this and have since made these changes.

Should this take effect immediately, however? When I did a gpupdate /force and then a gpresult /r, it seemed to still be receiving the group policy from the Azure DC. Now that I think of it, I may not even have logged off. It does seem to be working at the moment, although I temporarily disabled the VPN tunnel while troubleshooting.

What's the quickest way to confirm which server is performing the authentication? Event logs, gpresult, or something else?

Thanks.
gpresult is only for group policies. Event logs are a better indicator. But sites are active directory objects like any other, so they *are* replicated on a normal schedule and clients only update and check in at intervals for changes. You may not see the effects for 90 minutes (default) or more depending on your environment.
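The following PowerShell is an added example, not code from the thread or from either participant. It puts the three points of the discussion into commands: define a site and subnet per location so the DC locator prefers the local DC, enable change notification on the site link so a password change crosses the VPN without waiting for the inter-site schedule, and check which DC a client really used (from the client with nltest, from the DC with the Security log). The domain corp.example, the DC names ONPREM-DC1 and AZURE-DC1, and the two subnets are hypothetical placeholders. Note that the AD replication cmdlets used in sections 1 and 2 require the Windows Server 2012 or later ActiveDirectory module (RSAT on a newer workstation, or the Azure DC if it runs 2012+); the 2008 R2 module does not include them, while nltest and repadmin are built in everywhere.

```powershell
# Added example (not from the original thread). Assumed, hypothetical names:
#   domain corp.example, DCs ONPREM-DC1 / AZURE-DC1,
#   on-premises subnet 192.168.10.0/24, Azure VNet subnet 10.20.0.0/24.
# Run sections 1, 2 and 4 as a domain admin on a DC or RSAT workstation
# (AD module from Windows Server 2012 or later); section 3 on a client PC.
Import-Module ActiveDirectory

$Domain       = 'corp.example'
$OnPremDC     = 'ONPREM-DC1'
$AzureDC      = 'AZURE-DC1'
$OnPremSite   = 'OnPrem'
$AzureSite    = 'Azure'
$OnPremSubnet = '192.168.10.0/24'
$AzureSubnet  = '10.20.0.0/24'

# --- 1. Sites and subnets ---------------------------------------------------
# The DC locator maps a client's IP to a subnet, the subnet to a site, and
# prefers DCs registered in that site. With no subnets defined, every client
# is "siteless" and may pick either DC, which is the situation in the question.
foreach ($site in @($OnPremSite, $AzureSite)) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}
$subnets = @{ $OnPremSubnet = $OnPremSite; $AzureSubnet = $AzureSite }
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}
# Move each DC's server object into its site, then make each DC re-register
# its site-specific SRV records now instead of waiting for the Netlogon timer.
Move-ADDirectoryServer -Identity $OnPremDC -Site $OnPremSite
Move-ADDirectoryServer -Identity $AzureDC  -Site $AzureSite
foreach ($dc in @($OnPremDC, $AzureDC)) { nltest "/server:$dc" /dsregdns }

# --- 2. Inter-site replication: schedule and change notification -----------
# Both sites must share a site link. The inter-site interval defaults to
# 180 minutes (minimum 15). Setting bit 0x1 (USE_NOTIFY) in the link's
# options attribute makes the DCs notify each other of changes as they do
# within a site, so a password change does not wait for the schedule.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = $OnPremSite, $AzureSite } `
    -ReplicationFrequencyInMinutes 15 `
    -Replace @{ options = 1 }

# --- 3. Which DC did a client actually use? (run on the client PC) ----------
# $env:LOGONSERVER is set at interactive logon. nltest asks the locator
# again; /force bypasses the cached answer that Cliff's reply mentions.
$env:LOGONSERVER
nltest "/dsgetdc:$Domain" /force
nltest "/sc_query:$Domain"          # DC holding this machine's secure channel
nltest /dsgetsite                   # site the client believes it is in

# --- 4. Confirm on the DC and force a sync (run on a DC) --------------------
# Kerberos TGT requests (4768) and NTLM validations (4776) in the Security
# log show which accounts authenticated against THIS DC in the last hour.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4776;
                                 StartTime = (Get-Date).AddHours(-1) } |
    Select-Object -First 20 TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }

# Replicate every naming context across all DCs now rather than on the
# schedule, then check for replication errors that would explain a delay.
repadmin /syncall /AdeP
repadmin /replsummary
```

Section 3 is the quick answer to "which server is performing the authentication": if `nltest /dsgetdc` with `/force` still returns the Azure DC from an on-premises client, the client's IP is not covered by a subnet assigned to the on-premises site, or the DCs have not yet re-registered their site SRV records. Section 4 is the event-log check the reply recommends, and `repadmin /syncall` is the one-off push to use while the site link settings in section 2 propagate.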
This question has been classified as abandoned and is closed as part of the Cleanup Program.