Replication of lockoutTime attribute is not urgent on AD-LDS

Posted by ixe013 on Server Fault
Published on 2012-11-28T22:05:09Z

I have two LDS servers on the same subnet. They replicate well. If I change an attribute, it gets replicated after 15 seconds.

LDS is configured to honor password policies. When a user makes too many wrong password attempts, his account is locked and that user's lockoutTime attribute is set accordingly.

But lockoutTime is not replicated as urgent. In fact, it is not replicated unless there is another change somewhere in the directory; then the lockoutTime attribute will be replicated.

Here is an (edited) Wireshark trace. It shows normal replication traffic:

No.   Time     Protocol Length Info
  133 16:23:02 DRSUAPI  562    DsGetNCChanges request
  134 16:23:02 DRSUAPI  3042   DsGetNCChanges response
  152 16:23:17 DRSUAPI  562    DsGetNCChanges request
  157 16:23:17 DRSUAPI  242    DsGetNCChanges response
  230 16:24:57 DRSUAPI  562    DsGetNCChanges request
  231 16:24:57 DRSUAPI  2930   DsGetNCChanges response
  246 16:25:12 DRSUAPI  562    DsGetNCChanges request

Right after that, I lock the user (with a FOR loop and ldifde). Nothing happens until I give up and change the description attribute on the user; then, about 15 seconds later, I see the replication go through.

 1984 16:31:05 DRSUAPI  562    DsGetNCChanges request
 1985 16:31:05 DRSUAPI  2930   DsGetNCChanges response

The lockoutTime and description are replicated. As stated here, if I set lockoutTime to 0, replication occurs after 15 seconds!

I have enabled replication diagnostics, but nothing shows up in the instance's logs - strange.

I have enabled change notification between sites, restarted both services, but I did not see any changes.

How can I make the lockoutTime replication urgent?
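The risk behind the question is that a lockout applied on one replica leaves the account usable on the other until some unrelated change triggers replication. The following PowerShell script is an added example, not code from the original post or from ixe013: it reads lockoutTime for one user object directly from both AD LDS instances over LDAP and polls until the replicas agree, so a lockout that has not replicated is detected rather than assumed. The instance addresses, the user DN and the use of Negotiate binding with the current Windows account are assumptions; the 15-second poll interval matches the replication interval observed in the post.

```powershell
# Added example (not from the original post): compare the lockoutTime of one
# user object on two AD LDS replicas and poll until they agree.
# Assumptions: the two instances listen on the host:port values below, the
# calling Windows account can bind with Negotiate, and $UserDn is the DN of
# the account being checked. All values below are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Replicas    = @('lds1.example.local:50000', 'lds2.example.local:50000')  # assumed instance addresses
$UserDn      = 'CN=jdoe,OU=Users,DC=app,DC=example,DC=local'              # assumed user DN
$PollSeconds = 15    # replication interval observed in the post
$MaxPolls    = 8     # give up after two minutes

function Get-LockoutTime {
    param([string]$Server, [string]$Dn)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # Negotiate with the current Windows identity (assumed to be allowed)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        @('lockoutTime'))
    $resp = $conn.SendRequest($req)
    $conn.Dispose()
    if ($resp.Entries.Count -eq 0) { throw "Object not found on ${Server}: $Dn" }
    $attr = $resp.Entries[0].Attributes['lockoutTime']
    # Absent or 0 both mean "not locked"; otherwise the value is a FILETIME (UTC).
    if ($null -eq $attr) { return [int64]0 }
    return [int64]$attr[0]
}

function Format-LockoutTime {
    param([int64]$Value)
    if ($Value -eq 0) { return 'not locked' }
    return [DateTime]::FromFileTimeUtc($Value).ToString('u')
}

for ($i = 1; $i -le $MaxPolls; $i++) {
    $values = @{}
    foreach ($r in $Replicas) { $values[$r] = Get-LockoutTime -Server $r -Dn $UserDn }
    $distinct = @($values.Values | Sort-Object -Unique)
    foreach ($r in $Replicas) {
        '{0,-32} lockoutTime={1,-20} ({2})' -f $r, $values[$r], (Format-LockoutTime $values[$r])
    }
    if ($distinct.Count -eq 1) { 'Replicas agree.'; break }
    if ($i -eq $MaxPolls) {
        Write-Warning "lockoutTime still differs after $($MaxPolls * $PollSeconds)s: the lockout has not replicated."
    } else {
        "Replicas differ, polling again in $PollSeconds s..."
        Start-Sleep -Seconds $PollSeconds
    }
}
```

Run it immediately after locking the account on one instance: if the second replica keeps reporting "not locked" until the script gives up, that reproduces the behaviour in the post and shows how long the account stays usable through the other replica. Querying each instance directly (rather than through a load balancer or a single instance) is what makes the divergence visible.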
