Users and Group Replication Is Not in Synchronization with LSA Changes (272476)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q272476
SYMPTOMS
When you revise user and group rights, set user rights assignments, and then replicate these changes, a look at a different domain controller shows that the group policy updates are not registered at the target server, even though the user and group rights changes have arrived at the target server.
You can check for this issue by using the Replmon.exe tool in Windows 2000 Support Tools:
- Add the replication target server to the watch list.
- Right-click the server name and click Show Group Policy Object Status.
CAUSE
A program uses Windows NT 4.0 APIs to manipulate user and group accounts and to communicate to the Link State Algorithm (LSA) of a domain to set user rights assignments against the primary domain controller (PDC) emulator in Windows 2000.
Because Windows NT 4.0 replicates both types of changes by using the same replication engine, the changes arrive at backup domain controllers (BDCs) at the same time. In Windows 2000, LSA security changes that are made on the domain controller are stored in the default domain controller group policy object, which uses a separate store and replication engine.
Windows 2000 directory changes are replicated by using remote procedure call (RPC) between domain controllers and following the replication topology and schedule that is stored in the configuration naming context. You can view this context by using the Active Directory Sites and Services snap-in.
File Replication service (FRS) uses the same information to replicate the group policy information. However, differences between Active Directory and FRS replication cause group policy changes to arrive at the target server later.
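One way to spot the lag described above on a given domain controller is to compare the GPO version held in Active Directory (the `versionNumber` attribute of the GPO's directory object) with the `Version` value in that GPO's GPT.INI file under SYSVOL. The following is an added example, not code from the original article; the function names and the per-server sample values are constructed, and it assumes the usual packing of the version number (user revision in the high 16 bits, computer revision in the low 16 bits).

```python
import configparser

def split_version(packed):
    """Split a packed GPO version into (user, computer) revision counters."""
    return (packed >> 16) & 0xFFFF, packed & 0xFFFF

def sysvol_version(gpt_ini_text):
    """Return Version from the [General] section of GPT.INI text, or None."""
    if gpt_ini_text is None:          # file has not replicated yet
        return None
    parser = configparser.ConfigParser()
    try:
        parser.read_string(gpt_ini_text)
    except configparser.Error:        # truncated or half-written file
        return None
    for section in parser.sections():
        if section.lower() == "general" and parser.has_option(section, "version"):
            try:
                return int(parser.get(section, "version"))
            except ValueError:
                return None
    return None

def gpo_status(ad_version, gpt_ini_text):
    """Classify one GPO on one DC: directory copy versus SYSVOL copy."""
    sv = sysvol_version(gpt_ini_text)
    if sv is None:
        return "sysvol-missing"
    if sv == ad_version:
        return "in-sync"
    ad_user, ad_comp = split_version(ad_version)
    sv_user, sv_comp = split_version(sv)
    if sv_user <= ad_user and sv_comp <= ad_comp:
        return "sysvol-behind"        # directory change arrived first
    if sv_user >= ad_user and sv_comp >= ad_comp:
        return "ad-behind"
    return "diverged"

# Constructed sample: (versionNumber read from AD, GPT.INI text read from SYSVOL)
SAMPLES = {
    "DC1": (5, "[General]\r\nVersion=5\r\n"),
    "DC2": (5, "[General]\r\nVersion=4\r\n"),
    "DC3": (5, None),
}

def report(samples):
    return {dc: gpo_status(ad, ini) for dc, (ad, ini) in samples.items()}

if __name__ == "__main__":
    for dc, status in report(SAMPLES).items():
        print(dc, status)
```

A `sysvol-behind` result on the target server matches the symptom in this article: the directory side of the change has replicated, but the policy files have not yet arrived.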
Modification Type: Minor | Last Reviewed: 1/26/2006
Keywords: kbenv kbfix kbprb KB272476