The Microsoft documentation on the following does not make these points clear (especially question 2). Therefore I wanted to ask the question here and hopefully a member of the MS AD team will pick it up to give a concise answer.
Imagine you have an AD forest with one domain and three sites: Site1, Site2 and Site3.
Each site has two DCs and all FSMO roles are held by the DCs in Site1.
Urgent replication versus immediate replication
Let’s start off with Immediate Replication (not Urgent)
I understand certain events need to be replicated ‘immediately’, e.g. account ‘lockout’ events. My understanding of immediately is that a domain controller (DC04 for example) opens a direct RPC/IP connection to the PDC emulator to update the PDC emulator’s replica of the account lockout, thereby overriding any site link schedules.
Question 1:
First question is: does DC04 update the PDC’s replica (as it states on some MS documents), or does DC04 inform the PDC emulator it has some ‘immediate’ attributes to update, after which the PDC ‘requests’ said updates (high water mark) as with a normal replication notification and pulls the changes (but just does not wait for the site link schedule)?
Question 2:
Also, from what I have read, ‘immediate’ replication only appears to happen between a DC and the PDC, in other words when a DC needs to replicate something immediately to the PDC (e.g. DC01), meaning immediate replication never happens between, say, DC04 and DC03 (as neither is the PDC). Is that correct?
Question 3:
Is it correct to say that both ‘account lockout’ and ‘account unlock’ are replicated to the PDC as ‘immediate’ replication?
Now let’s deal with Urgent Replication.
From what I have read, ‘urgent’ replication does not override site link schedules. Therefore urgent replication only has meaning within the site where it is triggered (or if change notification is enabled between sites).
If that last statement is correct, I can see a situation whereby an account is ‘locked out’ in Site 2, which is then immediately replicated to the PDC. The PDC then uses urgent replication (within its site only, e.g. Site 1) to replicate this account lockout. At the same time the DC in Site 2 that dealt with the account lockout also uses urgent replication (again within its site only) to replicate the account lockout. So at this point it is fair to say all DCs in Site 1 and Site 2 know about the account lockout very quickly. However, Site 3 may have a site link schedule of 2 hours for example (non-default), therefore DCs in Site 3 would not know about the account lockout (as it has not been replicated yet), so looking at the MrSmith AD account there it would not show as locked.
Question 4:
Is the above statement about MrSmith and the lockout replication behaviour correct?
Question 5:
Assuming MrSmith’s account in Site 3 is not showing as locked out and MrSmith logs in to a computer in Site 3 (and therefore against a DC in Site 3): if he enters his password correctly (therefore no need to refer back to the PDC), I assume he will be able to log in?
Question 6:
Depending on the answer to question 5 above, every time a user logs on to the domain is the PDC emulator referenced, e.g. just in case the account is locked out (even if the account shows as not locked out and the user enters their password correctly)?
Thanks very much in advance
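The scenario above (a lockout visible on some DCs but not yet on others) can be observed directly rather than reasoned about. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, read access to every DC, and uses the post's MrSmith account name as a placeholder.

```powershell
# Added example: query every DC in the domain for one account's lockout state,
# grouped by site, so replication lag between sites is visible.
# Assumes: RSAT ActiveDirectory module, rights to query each DC over LDAP.
Import-Module ActiveDirectory

function Get-LockoutStateByDC {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $pdc = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object Site, HostName) {
        try {
            # lockoutTime is a replicated attribute; badPwdCount and badPasswordTime
            # are non-replicated, so they always reflect only the DC being asked.
            # LockedOut is computed by the cmdlet from lockoutTime and the domain's
            # lockoutDuration, so an expired lock shows LockedOut=False with a
            # non-zero lockoutTime still present.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties lockoutTime, badPwdCount, badPasswordTime, LockedOut `
                 -ErrorAction Stop

            [pscustomobject]@{
                Site        = $dc.Site
                DC          = $dc.HostName
                IsPDC       = ($dc.HostName -ieq $pdc)
                LockedOut   = $u.LockedOut
                LockoutTime = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            }
        }
        catch {
            # Record unreachable DCs instead of aborting the whole survey.
            [pscustomobject]@{
                Site = $dc.Site; DC = $dc.HostName; IsPDC = ($dc.HostName -ieq $pdc)
                LockedOut = 'unreachable'; LockoutTime = $null; BadPwdCount = $null; LastBadPwd = $null
            }
        }
    }
}

# Usage: the per-DC table, then a one-line summary of how many DCs in each site
# currently report the account as locked. Disagreement between sites is the
# replication-lag window described in the post.
$state = Get-LockoutStateByDC -SamAccountName 'MrSmith'   # placeholder account from the post
$state | Format-Table Site, DC, IsPDC, LockedOut, LockoutTime, BadPwdCount -AutoSize
$state | Group-Object Site | ForEach-Object {
    $locked = @($_.Group | Where-Object { $_.LockedOut -eq $true }).Count
    "{0}: {1}/{2} DCs report locked" -f $_.Name, $locked, $_.Count
}
```

Run it repeatedly after a test lockout in one site; the PDC emulator's row and the rows for the lockout site should flip first, while a site with a long replication interval lags until its schedule opens.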