Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Urgent replication triggers in Windows 2000

View products that this article applies to.


The majority of Active Directory replication in Windows 2000 takes place at predefined intervals. However, select changes to objects in Active Directory must take place immediately to allow for proper administration of a domain. This article describes urgent replication events as they pertain to Windows 2000 domains, Windows 2000 and Microsoft Windows NT 4.0 mixed-domain environments, and password changes.

↑ Back to the top

More information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Urgent replication events

Urgent replication in Windows 2000 (release version)

Windows 2000 (release version) enables change notifications to propagate across inter-site connections. This is administratively configured on each site-link. Enabling change notifications across site-links propagates all change notifications. This enables urgent changes and all other replication events to propagate to a remote site with the same frequency as within the source site.
  1. Urgent replication is a replication mechanism.
  2. The default behavior for urgent replication is to not cross site boundaries due to the scope of replication.
  3. Inter-site urgent replication occurs when change notifications are enabled on site links (already discussed in this article).
New Scenario: Cover password resets reset passwords for users and computer accounts in the Users and Computers snap-in.

When passwords are changed in Windows 2000 they are not replicated urgently. However, when a password is changed, it is "pushed" to the primary domain controller (PDC). "Pushed" means that the password is sent over NETLOGON's secure channel to the PDC. Specifically, the backup domain controller (BDC) makes a remote procedure call (RPC) to the PDC, which indicates the user and the users new password. The PDC then sets this value locally. This push mechanism is independent of Windows 2000 replication. For more information about urgent replication, click the following article number to view the article in the Microsoft Knowledge Base:
306133 Account unlocks and manual password expirations are not replicated urgently

Windows 2000 domains only

Urgent replication between Windows 2000 domain controllers consists of the following events:
  • Replicating a newly locked-out account
  • Changing an LSA secret
  • RID Manager state changes
The following events are not urgent replications in Windows 2000 domains:
  • Changing the account lockout policy
  • Changing the domain password policy
  • Changing the password on a machine account
  • Inter-domain trust passwords (trusts between domain A and B)

Windows 2000 and Windows NT 4.0 mixed-domain environment

Windows NT 4.0 backup domain controllers interoperate with Windows 2000 domain controllers in mixed mode (more specifically, with the PDC FSMO role owner). The following events are replicated immediately from the Windows 2000 PDC Flexible Single Master Operation (FSMO) to the Windows NT 4.0 BDCs:
  • Replicating a newly locked out account
  • Changing an LSA secret
  • Inter-domain trust passwords (trusts between domain A and B)
The following events are considered to be urgent replication changes in Windows NT 4.0 domains only. These events are included for completeness.
  • Replicating a newly locked out account
  • Changing an LSA secret
  • Changing the account lockout policy
  • Changing the domain password policy
  • Changing the password on a machine account

Password replication in Windows 2000

Changes to account passwords can be made at any domain controller because all full replicas of a given domain are writable. This differs from Windows NT 4.0 and earlier versions, in which password changes were made at the PDC for the domain. This is the only writable replica of the Security Account Manager (SAM) in Windows NT 4.0. This can lead to unexpected behavior when a password is changed by a user at domain controller "A" who then attempts to log on with authentication by domain controller "B." If the password has not been replicated from "A" to "B," the logon attempt does not succeed. In Windows NT 4.0, if authentication does not succeed at the BDC, the authentication is remoted to the PDC. Windows 2000 exhibits similar behavior, as follows:
  • A password change by a Directory Service-aware client at a domain controller is "pushed" by that domain controller to the PDC FSMO role owner on a best-effort basis. This push of the password to the PDC can be disabled on WAN links with the following registry key:
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Registry value : AvoidPdcOnWan
    Registry type : REG_DWORD
    Registry value data : 0 (or value not present) or 1
    FALSE = 0 or value not present (to disable)
    TRUE = 1 (to enable)
    Default : (value is not present)
    Platform : Only Windows 2000 Domain Controllers
  • The password change is propagated to other domain controllers in the domain using normal replication values.
  • When authentication does not succeed at a domain controller other than the PDC FSMO role owner, the request is retried at the PDC FSMO role owner.
  • Down-level clients attempt to contact the PDC to make a password change as they do in Windows NT 4.0.

↑ Back to the top

Keywords: KB232690, kbnetwork, kbinfo, kbenv

↑ Back to the top

Article Info
Article ID : 232690
Revision : 9
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False
Views : 638