AD replication behavior between sites

J Z 21 Reputation points

Hi, I have a question about replication behavior between domain controllers in different sites. There are IP site links between the main head office site and the branches, which are configured for 30-minute replication with a cost of 100. But there are some NTDS connection links between DCs in the sites that are configured to replicate only once per hour. How will an operation such as a password change be handled, and which parameter will be used? 30 minutes, or in this case more than 30 minutes because the DC connection links are only configured for replication once per hour? The environment has 10 AD sites and 14 DCs. The head office has 4 DCs and the branches have 1 DC each.
Now we have a problem with OWA password changes: when a user changes the password, it took almost 2-3 hours for the old password to become inactive.
I also have a Visio diagram of the replication topology if anyone is interested.

Windows Server Infrastructure

2 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor

    The replication for a password change is an immediate replication.
    When you change a password for users or machines, password changes are sent immediately to the PDC FSMO. The PDC operations master then locally stores this value, and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.

    For Active Directory inter-site replication: it depends on the replication schedule you defined. Site links, site costs and replication schedules are what we use to control inter-site replication. It is also affected by the sites' bandwidth, latency, etc.

    For Active Directory intra-site replication: by default (according to Microsoft), any domain controller will be aware of any directory update within 15 seconds. Within a site, regardless of the number of domain controllers, any directory update will be replicated in less than one minute.

    Best Regards,


  2. Thameur-BOURBITA 32,496 Reputation points


    When a user changes his password, the password will be sent immediately by the domain controller to the PDC, then it will be replicated to all domain controllers.
    If the password change takes 2 or 3 hours, you should start by checking whether the client is able to contact the closest domain controller; if it uses OWA, check whether the Exchange server is able to contact the closest domain controller. Then you should check the bandwidth between the R/W domain controllers and the PDC.

    Please don't forget to mark this reply as the answer if it helps you fix your issue.

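To see where a password change is held up in a topology like the one in the question, the following added example (not from either poster) lists the site link settings and the manually created connection objects, then compares the `pwdLastSet` replication metadata for one user on every DC against the PDC emulator. It assumes the ActiveDirectory PowerShell module is installed; `jdoe` is a placeholder account name.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); all queries are read-only.
Import-Module ActiveDirectory

# Assumption: placeholder name; use an account whose password was just changed.
$SamAccountName = 'jdoe'

# 1. Site link interval and cost (the 30 min / cost 100 settings from the question).
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes |
    Format-Table -AutoSize

# 2. Connection objects created by hand rather than generated by the KCC.
#    These are the objects that can carry a separately configured schedule.
Get-ADReplicationConnection -Filter * |
    Where-Object { -not $_.AutoGenerated } |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-List

# 3. Read the pwdLastSet replication metadata for the user from every DC.
$pdc  = (Get-ADDomain).PDCEmulator
$user = Get-ADUser -Identity $SamAccountName -Server $pdc

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC = $dc.HostName; Site = $dc.Site; IsPDC = ($dc.HostName -eq $pdc)
        Version = $null; OriginatingTime = $null; OriginatingDC = $null; Note = ''
    }
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
            -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        $row.Version         = $meta.Version
        $row.OriginatingTime = $meta.LastOriginatingChangeTime
        $row.OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
    } catch {
        # An unreachable DC is reported rather than silently skipped.
        $row.Note = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

# 4. A DC whose attribute version is lower than the PDC emulator's has not yet
#    received the change and will still hold the old password hash.
$current = ($report | Where-Object IsPDC).Version
$report |
    Select-Object *, @{ Name = 'Stale'; Expression = { $_.Version -lt $current } } |
    Sort-Object Site, DC |
    Format-Table -AutoSize
```

Running step 3 and 4 a few times after a test password change shows which sites lag and by how long, which can then be compared with the link interval and connection objects from steps 1 and 2.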