If you still have a Windows 2000 domain controller, you should probably know that a group’s membership attribute is completely replicated between the domain controllers every time a change occurs. For example, even if you add or remove a single user to the group, domain controllers have to replicate the entire group and not only the change that you’ve made.

This creates unnecessary traffic and load on the domain controllers, but fortunately everything changed with Windows Server 2003 and above. The real problem of this behavior is when multiple administrators make changes at the same time to the same group. One administrator’s change will be probably overwritten by the change that other administrators make. The logic here is that the last writer wins.

If you have domain controllers that run Windows Server 2003, there is a new feature called LVR. Practically, individual values of a multi-value attribute of an Active Directory object (in our case, a group) are replicated separately. So multiple administrators can make changes to the membership of a group at the same time, assuming that they do not manipulate the same user. All changes are kept and the replication traffic is minimized, because Active Directory replicates only the changes and not the entire membership of the group.

The LVR feature works only if your forest is in the Server 2003 interim or native functional level. For Windows Server 2008 R2, your forest must be in the Server 2003 or Server 2008 or Server 2008 R2 functional level. Practically, if you have at least one domain controller with Windows 2000, the LVR will not work.