How do I configure Directory and Resource Administrator to write password changes to all domain controllers instead of one?
Directory and Resource Administrator 6.x
A trigger can be configured in Directory and Resource Administrator (DRA) to update all domain controllers in the domain when a password is reset. A sample post-task trigger is available in the Knowledge Depot, which pushes out password changes made, using DRA, to all domain controllers. The script can be downloaded from the "Policy and Trigger" scripts section in the Knowledge Depot PushUpdatesToDCsPost.vbs (requires username and password).
To configure the trigger, perform the following steps on the Directory and Resource Administrator server:
- Download the PushUpdatesToDCsPost.vbs script to the desired location on the DRA servers. For example, C:\scripts\PushUpdatesToDCsPost.vbs .
- Launch the 'Directory and Resource Administrator' interface.
- Expand 'Policy and Automation Management' node and select Automation triggers.
- Select New.
- Click Browse in the Associate to Operation text box and select UserSetInfo and UserSetPassword operations.
- Select the post-task trigger radio button and click Next.
- Select All ActiveViews under the "Apply to actions on objects included in" section.
- Select All Assistant Admin groups under the "Apply to actions performed by" section and click Next.
- Select Script for the File type and input the pathway to the script in the DO file path (ie. C:\scripts\PushUpdatesToDCsPost.vbs) and click Next.
- Change the error if desired and click Next.
- Specify a name for the trigger and click Next | Finish.
This trigger may cause performance problems ,when resetting passwords using DRA, depending on the number of domain controllers in the domain and if they reside across slow WAN links.
DRA will replicate the trigger setting from the Primary DRA server to the Secondary server, however the actual script file must be manually copied to the same location on all secondary servers.