I've got a Windows 2003 Active Directory infrastructure, and there are times (such as when terminating an employee) that I want instantaneous propagation across both of my AD servers. Currently, I make the change in both places, which I suspect is unhealthy, but it's the only way I know to make sure that the account is disabled to every machine.
Is there a better way? Do I have to wait for the normal propagation time for convergence, or is there a way to "force" it?
If you go into Active Directory Sites and Services, you can force replications. Open the Server object and click on the NTDS Settings. This will give you a list of their replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
(source: sysadmin1138.net)
There is an even easier change. Just reset the user's password. That is one of the few instant replications that AD performs. No need to run site replication.
EDIT:
Small edit. It's not completely instant. What it does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles.)
However, it's probably about as close to instant as you can get with AD.
Make the change to one domain controller. Then open up AD Sites and Services. Then drill down to each site, Servers, DC, NTDS Settings, then right-click each connection and choose Replicate Now.
Note: Each connection will tell you the From Server and To Server for the replication.
Note: Obviously, start the first replication From the DC you made the change on.
If you have a small domain, this shouldn't be too taxing a task. If you have a larger domain (more DCs) then you could script this.
To script, you need to use the CMD command called REPADMIN. For a full description of the command type REPADMIN /?. In short, you would use the command in a way similar to this:
To find out the replication partnerships for a specific DC from the command line type the following:
Once you have figured out the right path/order to replicate to all your DCs, you can just dump all the commands into a batch file, and execute it when you need to replicate changes out quickly.
Here's a Technet article that outlines the AD replication model. Look at the Urgent Replication section for a discussion of what gets replicated immediately and doesn't require a forced replication. Mostly it's critical user security events (password changes, account lockouts) that are replicated immediately. There are configuration considerations to be made to make this happen site to site.
Remember when you play with forcing replication, all replication links are one-way, incoming. If you want to push changes outbound from a DC via the Sites & Services console, you have to go to each replica-partner and PULL from the source DC.
There is an easier way to force "outbound-full-replication" using the repadmin.exe tool from the Windows 2003 SP1 Support Tools kit:
This will push the changes via all replication links, outward from your source DC, for the default naming context (which is where your user data is).
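A batch file of the kind the answers above describe (make the change on one DC, then push it outward with repadmin), added here as an illustration and not taken from any of the answers. The DC name, domain DN and user DN are placeholders; the dsmod and repadmin switches are the ones documented for the Windows Server 2003 SP1 tools.

```batch
@echo off
REM push-disable.cmd -- added example, not from the answers above.
REM Placeholders: DC1 is the DC where the change is made,
REM example.local is the domain, the user DN is made up.
setlocal
set SRC_DC=DC1
set NC=DC=example,DC=local
set USER_DN=CN=J Doe,OU=Staff,%NC%

REM 1. Make the change on ONE domain controller only (here: disable the account).
dsmod user "%USER_DN%" -disabled yes -s %SRC_DC%
if errorlevel 1 (
    echo Could not disable %USER_DN% on %SRC_DC%
    exit /b 1
)

REM 2. Push the domain naming context from SRC_DC to every replication
REM    partner: /P = push (outbound, instead of the default pull),
REM    /e = cross site boundaries, /d = report partners by DN, /q = quiet.
repadmin /syncall %SRC_DC% %NC% /P /e /d /q
if errorlevel 1 (
    echo repadmin /syncall reported errors; check the partners listed above
    exit /b 1
)

REM 3. Confirm no partner is still showing a failed or stale inbound sync.
repadmin /replsummary
endlocal
```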
There's also the possibility of doing this using repadmin.exe with the /sync switch, or you can even script it using ReplicaSync, which is included in the IADsTools.
You might see this KB article, which discusses the available options.