Making Active Directory changes atomic

I've got a Windows 2003 Active Directory infrastructure, and there are times (such as when terminating an employee) that I want instantaneous propagation across both of my AD servers. Currently, I make the change in both places, which I suspect is unhealthy, but it's the only way I know to make sure that the account is disabled to every machine.

Is there a better way? Do I have to wait for the normal propagation time for convergence, or is there a way to "force" it?


Solution 1:

If you go into Active Directory Sites and Services, you can force replication. Open the Server object and click on the NTDS Settings. This will give you a list of the server's replication partners for GC data as well as regular DC-DC traffic. As I understand it, you can force replication by going to each of the connections, right-clicking on it, and choosing "Replicate Now".
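As an added example (not part of the original answer), the same forced replication done from the command line with repadmin, which ships with the Windows Support Tools on 2003, followed by a check that the disabled-account change actually converged on every DC. The DC names, domain DN and user DN are placeholders.

```powershell
# Added example, not the original answer's code: push a change from the DC
# where the account was disabled to its partners, then verify it landed.
# Placeholder names: DC01, DC02, the domain DN and the user DN.
$SourceDC = "DC01"                                  # DC where the account was disabled
$Partners = @("DC02")                               # every other DC that must converge
$DomainNC = "DC=corp,DC=example,DC=com"             # domain naming context
$UserDN   = "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com"

# 1. Equivalent of "Replicate Now": pull the domain partition onto each
#    partner from the source DC (destination first, then source).
foreach ($dc in $Partners) {
    Write-Host "Replicating $DomainNC : $SourceDC -> $dc"
    repadmin /replicate $dc $SourceDC $DomainNC
}

# 2. One-shot alternative: sync every partition (/A) with all partners,
#    crossing site links (/e) and pushing outbound changes (/P).
repadmin /syncall $SourceDC /A /e /P

# 3. Verify convergence: the userAccountControl attribute (where the
#    "account disabled" bit lives) should show the same version and
#    originating USN on every DC once the change has replicated.
foreach ($dc in @($SourceDC) + $Partners) {
    $meta = repadmin /showobjmeta $dc $UserDN | Select-String "userAccountControl"
    Write-Host "$dc : $meta"
}

# 4. Surface any partner whose last replication attempt failed.
repadmin /showrepl $SourceDC /errorsonly
```

If step 3 shows a lower version on a partner, that DC has not yet received the change and the account is still usable against it until replication completes.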

Solution 2:

There is an even easier change. Just reset the user's password. That is one of the few instant replications that AD performs. No need to run site replication.

EDIT:

Small edit. It's not completely instant. What it does is forward the change in an out-of-band update. (It doesn't wait for normal replication cycles.)

However, it's probably about as close to instant as you can get with AD.