Replicating Logon Scripts on Domain Controllers

Published: September 1, 1997

Exploring Windows NT - Tips & Techniques for Microsoft Windows NT Professionals
A Publication of the Cobb Group

In the cover article "Using Logon Scripts to Provide Consistent Network Connections," we explained that clients must download logon scripts from the authenticating server that they use to log on to the domain. Although a Primary Domain Controller (PDC) automatically replicates the domain account database on all Backup Domain Controllers (BDCs), it doesn't automatically replicate logon scripts. If the PDC is down, and a BDC authenticates a client, the client's logon script may be unavailable. Fortunately, you can keep a master copy of your logon scripts on a PDC and use NT's Directory Replications service to copy them to other domain controllers. In this article, we'll show you how to use the Directory Replicator service to make sure the client's logon script is always available on an authenticating server.

On This Page

Overview
Replicating within and across domains
Directory structure
Creating the account
Starting the service
Configuring the Export server
Configuring Import servers
Permissions
Conclusion

Overview

Before starting up the Directory Replicator service, you'll need to plan a directory structure for the replication data and decide where you want to replicate data. To use the service, you must first create a domain account for the service's use. Then you must configure the domain controller (usually the PDC) that will house the master copy of your logon scripts as an Export server. Finally, you must configure all other domain controllers targeted for data replication as Import servers.

Replicating within and across domains

You can export and import replicated data between individual computers or entire domains. Exporting data to every import server in an entire domain is often easier than naming specific target computers within the domain. However, if a WAN bridge separates the target domain from the export domain controller, you may have to name specific target computers. Exporting data to an entire domain uses broadcast mechanisms that WAN bridges may block. Naming target computers forgoes the use of broadcast packets.

Directory structure

The Directory Replicator service's default Export folder is %SystemRoot%\System32\ Repl\Export. The default Import folder is %SystemRoot%\System32\Repl\Import. The Directory Replicator service will re-create the Export folder's directory structure in the target Import directory unless you specify that the service omit certain subdirectories or files. You can configure the Directory Replicator service to synchronize file copies immediately after changes occur or wait for two minutes after changes.

Please Note The default login script folder for domain controllers is %SystemRoot%\ System32\ Rep\Import\Scripts. Therefore, you'll want to keep the master copies of your logon scripts in the PDC's Export folder and replicate them in Import directories on the domain's BDCs. Then, you'll need to export the scripts from one of the BDC's Import folders to the PDC's Import folder. Doing so will make the login scripts available to clients authenticating with the PDC.

Creating the account

You must create the Replicator account in the domain where replication will occur. You can name the Replicator service's account anything but Replicator, as this is already the name of one of NT's domain groups. In our example, we named the account Mr Replicator. Make sure that the account never expires and that the service doesn't have to change its account at next logon. Add the account to the Backup Operators, Domain Users, and Replicator domain groups, and make sure that the account is available for logon at all times. When setting the account's password, be sure to follow the guidelines given in the article "Eleven Tips for Protecting Your Passwords" on page 12.

Starting the service

To start the Replicator service, open the Services applet in the PDC's Control Panel. Select the Directory Replicator service in the dialog's list box, and click the Stop button if the service is already running. Then click the Startup button, and the Service dialog box will appear. Select the Automatic option under Startup Type, and select the This Account option under Log On As. Click the browse button next to the This Account field to display the Add User dialog box.

In this dialog box, select the Directory Replicator service's account name, and click Add to return to the Service dialog box. Then, enter the account's Password in the Password and Confirm Password fields. Figure A shows how the Service dialog box should appear after making these changes. Click OK, and you'll see a Server Manager message stating that the Replicator service account has been granted the Log On As Service right. Finally, start the service by restarting the PDC.

Figure A: You must choose the Startup Type Automatic and Log On As This Account options.

Configuring the Export server

After creating the account and starting the service, you can configure your PDC as the Export server. First, open the Server applet in the PDC's Control Panel, and click the Replication button to display the Directory Replication dialog box shown in Figure B. Select both the Export Directories and Import Directories options. The default paths in the From Path and To Path fields correspond to the default Export and Import directories that we described previously. The Export Directories To List will appear blank, indicating that the server will export directories to all Import servers (all of the BDCs) in the local domain.

Figure B: You must configure your PDC as an Export server to replicate your logon scripts.

You can also export to specific Import servers with the local domain only, Import servers in other domains, or entire domains. To do so, click the Export Directories AddÉ button and select the computers or domains you want to add to the Export Directories To List.

Next, you must determine when the Directory Replicator service will replicate your scripts on the Import servers. First, Click the Export Directories ManageÉ button to display the Manage Exported Directories dialog box, shown in Figure C. This dialog box shows that the Directory Replicator service will replicate the Scripts subdirectory in all default Import directories.

Figure C: Leave the Wait Until Stabilized option unselected to replicate files immediately after you change them.

By default, the service will replicate the Scripts directory whenever its contents change and all of its files are closed. If you select the Wait Until Stabilized option, the service will wait at least two minutes after all files are closed before replicating the directory. We recommend leaving this option unselected on your PDC\Export server but enabling it on the BDC\Import server that will export the scripts back to your PDC.

Please Note The Directory Replicator service will overwrite, but will not delete, existing files in Import directories.

You'll notice that while Figure B shows that the Export Directories To List is blank, the Import Directories From List contains the name Roswell, a BDC in the local domain. For our example we've chosen this BDC to export the logon scripts from its default Import folder to the PDC's Import folder. To accomplish this, we clicked the Import Directories AddÉ button to display the Manage Imported Directories dialog box, and chose Roswell from the list of servers in the local domain.

Please Note You can add additional subdirectories to your Export or Import directories by clicking the Add… button in the Manage Exported Directories or Manage Imported Directories dialog boxes. You can also add locks to temporarily block the export or import of directories. The details of these procedures are beyond the scope of this article.

Configuring Import servers

You'll need to make the following configurations to each of your Import servers. First, open the Server applet in the Control Panel, and click the Replication button to display the Directory Replication dialog box. Select the Import Directories option, and click the AddÉ button if you want to import directories from other domains or only certain Export servers.

As we explained above, you must select one BDC/Import server to use to export your logon scripts to the PDC's Import folder. For our example we chose the Import server Roswell. Figure D shows the Directory Replication dialog box for this server. First, we added Area-51, the target PDC, to the Export Directories To List. Then we changed the Export Directories From Path to point to the BDC's default Import folder. We also clicked the Export Directories ManageÉ button and selected the Wait Until Stabilized option.

Figure D: One of your BDC\Import servers must export your logon scripts to the PDC.

Please Note The Import server that exports logon scripts to the PDC's Import directory must have the Wait Until Stabilized option checked. Otherwise, the BDC won't export the files to the PDC's Import directory.

Permissions

If replication doesn't occur properly and you receive access denied errors in the Export or Import server event logs, you should examine the permissions for the default Export and Import folders. The Replicator group must have Change permissions for these directories in order for the Directory Replicator service to function.

Conclusion

If you plan to implement logon scripts for user accounts, you'll need to use NT's Directory Replicator service to copy your scripts to all of your domain controllers.

In this article, we showed how to start the Directory Replicator service and configure Export and Import servers. We also showed you how to replicate logon scripts from a BDC to the PDC's Import directory.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.