1 DC on premises, 1 DC in cloud. Password changes not replicating in timely manner.

Hi experts, I have a single on premises AD domain controller (Windows 2008R2) and in addition I have recently set up an Azure VM and connected this to my premises via site to site VPN.  I have joined the Azure VM to the on premises domain and promoted this to a DC also.  Everything is replicating fine and it's working as expected.  However, recently we have forced users to reset their passwords on next log in and for some of them at least they have had problems authenticating to network shares etc for a short period.  I believe the issue here is that they have authenticated against the Azure DC and have to wait (15 minutes?) for the two DCs to replicate the new password update.  Upon performing a gpresult /r I can see that user group policy is being applied from the Azure DC which seems to confirm my thoughts.

My question is, can I force the client PCs to authenticate to the on premises DC first and only use the Azure DC as a backup (this is its sole purpose anyway)?  Failing that, can I force user password changes to replicate between the DCs instantly?

I have approximately 30 PCs on premises and would prefer not to have to make configuration changes on each PC in order to achieve this.

Any other suggestions to avoid this issue are welcome.  Thanks
Alan KinaneAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Define your sites in sites and services and call one site Azure. Make sure the subnets are different (as they should be already for site to site VPN to  work properly, and clients will always try to authenticate to domain controllers on their local site first. That is one of the primary purposes of defining multiple sites and was architected into Active Directory all the way back in 2000. Even back then, large enterprise multi-national corporations (such as Microsoft itself) didn't want London office machines trying to authenticate against Tokyo servers over unreliable WAN connections.  So this is a robust and tried solution; you just have to implement it.

As an aside, password changes are always attempted to sync immediately. They do not adhere to the normal replication delay. However slow links do affect this so you still have to plan accordingly. Defining sites is by far your best bet.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Alan KinaneAuthor Commented:
Hi Cliff,

Thanks for the reply.  I initially hadn't defined these sites as you suggested but upon doing my own research I came across an article about this and have since made these changes.  

Should this take effect immediately however as when I did a gpupdate /force and then a gpresult /r, it seems to still be receiving the group policy from the Azure DC.  Now that I think of it I may not have even logged off.  It does seem to be working at the moment although I temporarily disabled the VPN tunnel while troubleshooting.

What's the quickest  way to confirm with which server is performing the authentication?  Event logs or gpresult or other?

Cliff GaliherCommented:
gpresult is only for group policies. Event logs are a better indicator. But sites are active directory objects like any other, so they *are* replicated on a normal schedule and clients only update and check in at intervals for changes. You may not see the effects for 90 minutes (default) or more depending on your environment.
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.