Warning: Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These problems
might require that you reinstall the operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own
risk.
Urgent replication events
Urgent replication in Windows 2000 (release version)
Windows 2000 (release version) enables change notifications to
propagate across inter-site connections. This is administratively configured on
each site-link. Enabling change notifications across site-links propagates all
change notifications. This enables urgent changes and all other replication
events to propagate to a remote site with the same frequency as within the
source site.
- Urgent replication is a replication mechanism.
- The default behavior for urgent replication is to not cross
site boundaries due to the scope of replication.
- Inter-site urgent replication occurs when change
notifications are enabled on site links (already discussed in this
article).
New scenario: Password resets for user and computer accounts in the
Users and Computers snap-in.
When passwords are changed in Windows 2000, they are not replicated urgently.
However, when a password is changed, it is "pushed" to the primary domain
controller (PDC). "Pushed" means that the password is sent over NETLOGON's
secure channel to the PDC. Specifically, the backup domain controller (BDC)
makes a remote procedure call (RPC) to the PDC, which indicates the user and
the user's new password. The PDC then sets this value locally. This push
mechanism is independent of Windows 2000 replication. For more
information about urgent replication, see the following article in the
Microsoft Knowledge Base:
306133 Account unlocks and manual password expirations are not replicated urgently
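The push described above can be modeled together with the retry at the PDC that this article's "Password replication in Windows 2000" section describes for Windows NT 4.0 and calls similar in Windows 2000. The following Python model is an added illustration, not Microsoft code: the DC class, its methods, and the sample account are hypothetical, and SHA-256 stands in for the real stored credential format.

```python
import hashlib

class DC:
    """One writable domain controller with its own copy of password hashes."""

    def __init__(self, name, pdc=None):
        self.name = name
        self.pdc = pdc or self          # the PDC refers to itself
        self.hashes = {}                # user -> stand-in password hash
        self.pending = []               # changes awaiting normal replication

    @staticmethod
    def _h(password):
        # SHA-256 is only a stand-in for the real credential format (assumption).
        return hashlib.sha256(password.encode()).hexdigest()

    def change_password(self, user, new_password, push=True):
        """Originating write at this DC; it is not replicated urgently."""
        self.hashes[user] = self._h(new_password)
        self.pending.append(user)
        if push and self.pdc is not self:
            # The "push": a direct call to the PDC, independent of replication.
            self.pdc.hashes[user] = self.hashes[user]

    def replicate_to(self, partner):
        """Normal (non-urgent) replication of queued changes to one partner."""
        for user in self.pending:
            partner.hashes[user] = self.hashes[user]

    def logon(self, user, password):
        """Return the name of the DC that validated the logon, or None."""
        if self.hashes.get(user) == self._h(password):
            return self.name
        # Local mismatch: retry at the PDC, which may hold a newer password.
        if self.pdc is not self and self.pdc.hashes.get(user) == self._h(password):
            return self.pdc.name
        return None

def scenario(push):
    """Change a password at A, then log on at B before and after replication."""
    pdc = DC("PDC")
    a, b = DC("A", pdc), DC("B", pdc)
    for dc in (pdc, a, b):
        dc.hashes["alice"] = DC._h("old-password")   # constructed sample data
    a.change_password("alice", "new-password", push=push)
    before = b.logon("alice", "new-password")        # B's replica is still stale
    a.replicate_to(b)
    after = b.logon("alice", "new-password")         # B has converged
    return before, after
```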
Windows 2000 domains only
Urgent replication between Windows 2000 domain controllers
consists of the following events:
- Replicating a newly locked-out account
- Changing an LSA secret
- RID Manager state changes
The following events are not urgent replications in Windows
2000 domains:
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a machine account
- Inter-domain trust passwords (trusts between domain A and
B)
Windows 2000 and Windows NT 4.0 mixed-domain environment
Windows NT 4.0 backup domain controllers interoperate with
Windows 2000 domain controllers in mixed mode (more specifically, with the PDC
Flexible Single Master Operation (FSMO) role owner). The following events are
replicated immediately from the Windows 2000 PDC FSMO to the Windows NT 4.0
BDCs:
- Replicating a newly locked-out account
- Changing an LSA secret
- Inter-domain trust passwords (trusts between domain A and
B)
The following events are considered to be urgent replication
changes in Windows NT 4.0 domains only. These events are included for
completeness.
- Replicating a newly locked-out account
- Changing an LSA secret
- Changing the account lockout policy
- Changing the domain password policy
- Changing the password on a machine account
Password replication in Windows 2000
Changes to account passwords can be made at any domain controller
because all full replicas of a given domain are writable. This differs from
Windows NT 4.0 and earlier versions, in which password changes were made at the
PDC for the domain, which holds the only writable replica of the Security
Account Manager (SAM) in Windows NT 4.0. The Windows 2000 behavior can lead to
unexpected results when a user changes a password at domain controller "A" and
then attempts to log on with authentication by domain controller "B." If the
password has not been replicated from "A" to "B," the logon attempt does not
succeed. In Windows NT 4.0, if authentication does not succeed at the BDC, the
authentication is remoted to the PDC. Windows 2000 exhibits similar behavior,
as follows: