AD intersite replication lag - security problem?

From: Kev (this-doesnt-exist@any-mailserver.com)
Date: 01/10/03

• Next message: Sergio: "Protecting unshared files"
• Previous message: Ray: "EnableICMPRedirect or EnableICMPRedirects"
• Next in thread: Tim Hines, MCSE [MVP]: "Re: AD intersite replication lag - security problem?"
• Reply: Tim Hines, MCSE [MVP]: "Re: AD intersite replication lag - security problem?"
• Reply: Joe Richards [MVP]: "Re: AD intersite replication lag - security problem?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Kev" <this-doesnt-exist@any-mailserver.com>
Date: Fri, 10 Jan 2003 12:23:47 -0500

Yesterday I discovered something that worries me. Here's the scenario:

User JDOE was terminated from my company (let's say) ACME Corp.
This user worked in one of ACME's offices overseas. This office is part of
the Active Directory Site 'B'.
JDOE's account was disabled on a domain controller that also resides in Site
'B'.
Site 'A' has a VPN Server, and a domain controller. Site 'A' and Site 'B'
use the DEFAULTIPSITELINK for replication.
Now here's the kicker. The disabled user was still able to log onto the
network at Site 'A' using VPN and had normal access to everything for a
period of 3 hours!
I realize that the replication interval for DEFAULTIPSITELINK is 180
minutes, but I assumed (wrongly)that an event such as disabling a user would
trigger a replication.

Am I overlooking something? I don't think that I should have to force
replication between all of my sites after an employee is terminated. I also
don't think that I should have to set the replication interval to such a
small amount that it will possibly clog up the link. Any insights on this
will be appreciated.

Thanks,
Kev

• Next message: Sergio: "Protecting unshared files"
• Previous message: Ray: "EnableICMPRedirect or EnableICMPRedirects"
• Next in thread: Tim Hines, MCSE [MVP]: "Re: AD intersite replication lag - security problem?"
• Reply: Tim Hines, MCSE [MVP]: "Re: AD intersite replication lag - security problem?"
• Reply: Joe Richards [MVP]: "Re: AD intersite replication lag - security problem?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Site Links ... > You are correct in that replication will be every 30 min. ... > password changes and account disabling are immediate though. ... > immediate replication, you can put them into the same site and encaps ... (microsoft.public.win2000.active_directory) Re: AD Replication Questions ... If you fire someone and you have multiple Sites then disabling the user ... account object will be subject to the Intrasite as well as Intersite ... Glad that you added a second DC in Dallas. ... > events would cause replication immediatly. ... (microsoft.public.windows.server.active_directory) Re: Denay replication in AD ... disabling replication from those DCs to that particular DC is NOT the ... If replication does not occur within the tombstone lifetime you ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... (microsoft.public.win2000.active_directory) Re: AD intersite replication lag - security problem? ... Kev, I hate this answer as much as anyone but the answer is "This is by ... Nothing will force an immediate replication across sites to normal DC's. ... > I realize that the replication interval for DEFAULTIPSITELINK is 180 ... but I assumed that an event such as disabling a user ... (microsoft.public.win2000.security) Re: Moving ADAM instances between sites ... site from the defaultipsitelink? ... To then limit replication you would need to create a siteLink ... the ADAM instance event logs on those servers). ... (microsoft.public.windows.server.active_directory)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint