Forcing authentication with a specific DC
From: Sharyn (sschmidt_at_todhunter.com)
Date: 07/01/03
- Next message: Les: "RE: changing permissions on Downloaded Program Files directory"
- Previous message: zmlm: "What do I need to config to allow only one domain user to log on one computer?"
- In reply to: Hindy: "Forcing authentication with a specific DC"
- Next in thread: Hindy: "Forcing authentication with a specific DC"
- Reply: Hindy: "Forcing authentication with a specific DC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Jul 2003 07:49:43 -0700
Hi Hindy,
Thanks for your reply.
The problem is not them logging onto the domain after
changing passwords, the problem is I have other
applications and appliances that rely on the domain
credentials.
Typical example here:
User at site B changes their password on the site B domain
controller. User then wants to log onto the internet.
Firewall authentication at site A is required for internet
access. Firewall uses domain credentials for
authentication, as in, enter your network user name and
password for internet access. Firewall looks to the DC at
site A for the proper credentials. Until replication
between site A and site B occurs, user is unable to log
onto the internet.
We have been working around this by manually entering the
user's password onto the site A DC. This is not an option
that is available to use anymore.
So, I need the user to be able to change their
password/auth on the Site A DC.
Make sense?
It's not just the firewall, the Citrix servers take their
logon credentials from the site A server too.
Most of the time, this isn't a real issue as not everyone
changes their password at the same time, and not everyone
tries to launch something that relies on network
credentials right after changing their password.
Now, however, that I need my users to change their
passwords en masse, I know this is going to be a problem
that I want to try to avoid.
>-----Original Message-----
>I don't think you need to worry about the DCs at site
>not having an up to date password. I take it your PDC
>emulator DC is at the main site?
>
>Read this, and see if it resolves your problem:
>
>"In Windows 2000, when a user password is changed at a
>specific domain controller, that domain controller
>attempts to update the respective replica at the domain
>controller that holds the PDC emulator role. Update of
>the PDC emulator occurs immediately, without respect to
>schedules between sites on site links. The updated
>password is propagated to other domain controllers by
>normal replication within a site. When the user logs on
>to a domain and is authenticated by a domain controller
>that does not have the updated password, the domain
>controller refers to the PDC emulator to check the
>credentials of the user name and password rather than
>denying authentication based on a nonvalid password.
>Therefore, the user can log on successfully even when the
>authenticating domain controller has not yet received the
>updated password."
>
>
>from:
>ms-help://MS.TechNet.2003JUN.1033/win2ksrv/tnoffline/prodtechnol/win2ksrv/reskit/distsys/part1/dsgch06.htm
>
>
>>-----Original Message-----
>>Hi,
>>
>>I have 5 remote sites, and my main site here. Each remote
>>site has a DC that users at that site authenticate to when
>>they log onto the domain.
>>
>>Due to a password policy change, I need to force all my
>>users to change their password, a site at a time, at the
>>next logon. However, I don't want them authenticating with
>>their local DC, I want them to authenticate at the main
>>site, due to replication latency, citrix servers and a
>>firewall that uses account credentials from the main site
>>here.
>>
>>If I disable the netlogon service, on their local DCs, I
>>am assuming their authentication request will go
>>elsewhere. In the past, I have noticed that when a certain
>>site's server is down, users authenticate with whichever
>>DC nabs their request first.
>>
>>I don't want this happening. I want to ensure that they do
>>not authenticate with their local DC AND they *do* auth
>>with my DC here.
>>
>>Is this possible?
>>
>>If it is, how do I accomplish this?
>>
>>Thanks,
>>Sharyn
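The password-chaining behaviour quoted in the reply above, as an added illustration that is not part of the original thread and is not Windows code: a constructed Python model of a domain with a PDC emulator and stale replicas. It shows why the answer hinges on which DC the firewall and Citrix servers actually check. A password changed at the site B DC reaches the PDC emulator at once; a domain logon at any stale DC succeeds because that DC chains to the PDC emulator before denying; but an application that validates only against the replica on some other DC (modelled here as `app_bind`, an assumption about how such an appliance behaves) keeps failing until scheduled replication runs, and in the same window the old password is still accepted there. DC names, user name and passwords are made up.

```python
"""Constructed model of Windows 2000 password chaining to the PDC emulator.

Not Windows code. A domain holds several DCs, each with a replica of
user credentials. Changing a password at one DC is pushed immediately to
the PDC emulator (urgent replication); other DCs receive it only when the
scheduled replication runs. A DC that rejects a password locally asks the
PDC emulator before denying the logon.
"""
import hashlib
from dataclasses import dataclass, field


def _hash(password: str) -> str:
    # Stand-in for the stored credential; real DCs keep NT hashes, not SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class DomainController:
    name: str
    site: str
    replica: dict = field(default_factory=dict)  # user -> (version, hash)

    def local_check(self, user: str, password: str) -> bool:
        entry = self.replica.get(user)
        return entry is not None and entry[1] == _hash(password)


class Domain:
    def __init__(self, pdc_emulator: DomainController, *others: DomainController):
        self.pdce = pdc_emulator
        self.dcs = [pdc_emulator, *others]

    def create_user(self, user: str, password: str) -> None:
        # Provision at the PDC emulator, then let a full replication cycle run.
        self.pdce.replica[user] = (1, _hash(password))
        self.replicate_all()

    def change_password(self, dc: DomainController, user: str, password: str) -> None:
        version, _ = dc.replica[user]
        dc.replica[user] = (version + 1, _hash(password))
        # Urgent replication: the change goes to the PDC emulator immediately,
        # regardless of site-link schedules. Nothing else is updated yet.
        if dc is not self.pdce:
            self.pdce.replica[user] = dc.replica[user]

    def replicate_all(self) -> None:
        # Scheduled replication: every DC converges on the newest version.
        users = set().union(*(dc.replica.keys() for dc in self.dcs))
        for user in users:
            newest = max((dc.replica[user] for dc in self.dcs if user in dc.replica),
                         key=lambda e: e[0])
            for dc in self.dcs:
                dc.replica[user] = newest

    def logon(self, dc: DomainController, user: str, password: str) -> bool:
        """Domain logon: local replica first, then chain to the PDC emulator."""
        if dc.local_check(user, password):
            return True
        if dc is not self.pdce and self.pdce.local_check(user, password):
            return True  # the PDC emulator vouched for the new password
        return False

    def app_bind(self, dc: DomainController, user: str, password: str) -> bool:
        """Assumed appliance behaviour: validate against one DC's replica, no chaining."""
        return dc.local_check(user, password)


def scenario() -> dict:
    """Replay the thread's situation and return what each check observes."""
    pdce = DomainController("DC-A1", "SiteA")   # main site, holds PDC emulator role
    dc_a2 = DomainController("DC-A2", "SiteA")  # second main-site DC, not the PDCE
    dc_b = DomainController("DC-B", "SiteB")
    dom = Domain(pdce, dc_a2, dc_b)
    dom.create_user("sharyn", "OldPassw0rd")
    dom.change_password(dc_b, "sharyn", "NewPassw0rd!")  # user changes it at site B

    r = {
        "logon_at_stale_dc": dom.logon(dc_a2, "sharyn", "NewPassw0rd!"),
        "app_at_pdce": dom.app_bind(pdce, "sharyn", "NewPassw0rd!"),
        "app_at_stale_dc": dom.app_bind(dc_a2, "sharyn", "NewPassw0rd!"),
        "old_password_at_stale_dc": dom.logon(dc_a2, "sharyn", "OldPassw0rd"),
    }
    dom.replicate_all()  # the scheduled site-link replication finally runs
    r["app_at_stale_dc_after_replication"] = dom.app_bind(dc_a2, "sharyn", "NewPassw0rd!")
    r["old_password_after_replication"] = dom.logon(dc_a2, "sharyn", "OldPassw0rd")
    return r


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check}: {outcome}")
```

The model makes the practical check explicit: if the firewall and Citrix servers bind to the DC that holds the PDC emulator role, the mass password change causes no outage; if they bind to any other DC, the user is locked out of those services until replication, while a stale DC still honours the old password for the same window.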