After you specify the Active Directory sites in which you want to push changes, you can also select what kind of changes to propagate. The following options are available:
Select this option to propagate information about unlocking and enabling user accounts in Active Directory. It is recommended to use this option when a managed domain has users in multiple Active Directory sites.
Select this option to propagate information about editing, locking and unlocking Q&A profile, and passcodes issued by help desk. It is recommended to use this option when users and Password Manager Service use domain controllers from different sites. In this case, if users update their Q&A profiles using Secure Password Extension (via the domain controller in one site), and then attempt to use the profiles on the Self-Service (via the domain controller in another site), they may encounter the issue when the updated Q&A profile is not yet available because of intersite replication latency.
Select this option to propagate information about changing or resetting user password. It is recommended to use this option in the following environment. You have several Active Directory sites in your environment; a user’s computer and Password Manager Service are located in different sites. User authentication is performed via a read-only domain controller (RODC).
In this environment, users may experience downtime in the following scenario:
To mitigate this issue, after selecting the corresponding Active Directory site (in which the RODC is located) and the writable domain controller from the site, select the Propagate password-related changes check box to immediately propagate password changes to the selected writable domain controller and enable user authentication via the RODC.