Which domain controller(s) should I be using

Need some help from support, and it would be helpful to hear from other folks using the product.
I have set the product to only use the primary domain controller emulator (PDCe). The thought behind this is:
  • When an account is locked out no matter where, the lockout is replicated from the local site DC up to the PDCe right away
    • This makes unlocks against the PDCe always work as the PDCe has seen the lockout right away
  • When an account is unlocked, or password reset, the user then tries to login to Windows. By design, Windows will attempt authentication against the local site DC. The local site DC likely won't have received the unlock notice or new password through regular replication, so therefore Windows then attempts authentication against the PDCe, where the new information is.
With this method, in theory everything should work great. But what if the PDCe goes down for planned or unplanned reasons? By not having a backup DC specified, this product is essentially not usable at that point.
So why not just set another DC to be used? My thought here is that by setting another DC, I could run into these issues:
  • When an account gets locked out, the lockout is sent from the local site DC to the PDCe right away. A backup DC may not have the lockout yet, so I could see the program "failing" to unlock an account if it tried it on another DC that hasn't received the lockout.
  • We are using the workaround in the program so users cannot reuse old passwords (where it will go in and set it to a random password, then do a change password as the user). My understanding is the application would do this action on any of the DCs I have specified.
    • If this is the case, what would happen if the program made the reset to random, then the change to the user's password, right on the cusp of AD replication? If that happened, the PDCe would replicate to the backup DC before the application did a reset. Therefore, it would then reset the PW on the backup DC, but would fail on changing to the user's password.
Any help is greatly appreciated.
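As an added diagnostic example (not the poster's or the product's code), the PowerShell below reads the same account from every domain controller and flags which ones still differ from the PDCe, which is the exact lag the post worries about. It assumes the RSAT ActiveDirectory module and a domain-joined session; the account name is a parameter.

```powershell
# Compare one account's lockout and password state on every DC against the PDCe.
# Assumes: RSAT ActiveDirectory module installed, run from a domain-joined session.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime([Int64]$Value) {
    # lockoutTime / pwdLastSet are stored as Windows FILETIME; 0 means "not set"
    if ($Value -gt 0) { [DateTime]::FromFileTimeUtc($Value) } else { $null }
}

$pdce  = (Get-ADDomain).PDCEmulator
$props = 'lockoutTime', 'badPwdCount', 'pwdLastSet', 'LockedOut'

# Reference view: what the PDCe believes about the account right now
$ref = Get-ADUser -Identity $SamAccountName -Server $pdce -Properties $props

foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props -ErrorAction Stop
        # lockoutTime and pwdLastSet are replicated attributes, so a mismatch with the
        # PDCe means this DC has not yet received the lockout / reset.
        # badPwdCount is NOT replicated; each DC keeps its own count, so it is shown only for context.
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDCe      = ($dc.HostName -eq $pdce)
            LockedOut   = $u.LockedOut
            LockoutTime = ConvertFrom-AdFileTime ([Int64]$u.lockoutTime)
            PwdLastSet  = ConvertFrom-AdFileTime ([Int64]$u.pwdLastSet)
            BadPwdCount = $u.badPwdCount
            MatchesPDCe = ([Int64]$u.lockoutTime -eq [Int64]$ref.lockoutTime -and
                           [Int64]$u.pwdLastSet -eq [Int64]$ref.pwdLastSet)
        }
    } catch {
        # A DC that cannot be reached is exactly the case where a single-DC config breaks
        [pscustomobject]@{
            DC = $dc.HostName; IsPDCe = ($dc.HostName -eq $pdce); LockedOut = $null
            LockoutTime = $null; PwdLastSet = $null; BadPwdCount = $null; MatchesPDCe = 'unreachable'
        }
    }
}
```

Run it right after an unlock or reset to see how long the backup DC you are considering stays behind the PDCe; a row with MatchesPDCe = False on the candidate DC is the window in which the post's failure cases would occur.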
