Forcing authentication with a specific DC
From: Sharyn (sschmidt_at_todhunter.com)
Date: 07/01/03
- Next message: John: "Default logon Win2000 Pro"
- Previous message: Jason Garms [MSFT]: "Event Viewer/ Success Audit"
- In reply to: Hindy: "Forcing authentication with a specific DC"
- Next in thread: Hindy: "Forcing authentication with a specific DC"
- Reply: Hindy: "Forcing authentication with a specific DC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Jul 2003 12:45:55 -0700
Hi Hindy,
Thanks again for your response.
To answer your questions, yes, just one DC at site A, and
yes it holds all the FSMO roles, including the PDC
emulator.
Yes again, site A is the site that all remotes connect
back through to get to the internet; everyone
authenticates with the firewall through this site. There
is no direct internet access anywhere but in Site A.
Although in theory it *should* receive the passwords
quickly, sometimes this is not the case. I have done some
testing with this. It can take anywhere between 5 and 10
minutes for the password changes to actually replicate
over to site A from site B.
In the meantime, user changes their password, then tries
to log onto the Citrix server which tells them their
credentials are wrong and to enter new ones. They then
enter the new password, but the Citrix server is still
looking at the site A DC, and is looking for the old
password. User is confused, doesn't know which password to
use and locks out their account. THIS gets replicated
almost instantaneously back to site B and they no longer
have access to any network resources.
Like I said before, when this is staggered, it wasn't that
big a deal to just reset passwords. However, we have
implemented a new security policy and we, the IT dept, are
not supposed to know what the user's password is. So, if
we reset it for them, then we have to force them to change
it again, and the whole scenario starts over.
We are going to a complex password scheme with less
frequent changes required. I don't want to stagger the
password changes as those users that *just* changed their
password won't be required to do it again for another 30
days. As I'm sure you know, password policy is domain
wide, so we all have to do this together for it to work.
The post below yours, about disabling the netlogon service
on all DCs but Site A's, will work in theory but will be a
nightmare as far as bandwidth and log on speed.
There has to be a way to do this... at least, one would
think.
I'll check back tomorrow too, to see what you think.
Sharyn
>-----Original Message-----
>I see your problem now.
>
>Have you just one DC at Site A, and does this hold all
>the FSMO roles for the domain? (I take it this is the
>site that all remote sites connect back thru for Internet
>access).
>
>What I'm getting at is if this Site A DC is the PDC
>emulator for the domain, then surely it should receive
>the replicated passwords pretty quickly, going off the
>quote in my previous post at least? Or are you finding
>it's not the way it works in the real world?
>
>Out of interest, how long are you finding it roughly
>takes from the user changing their password on a remote
>site, to Site A receiving the change?
>
>I'll try and check back tomorrow.
>
>>-----Original Message-----
>>Hi Hindy,
>>
>>Thanks for your reply.
>>
>>The problem is not them logging onto the domain after
>>changing passwords, the problem is I have other
>>applications and appliances that rely on the domain
>>credentials.
>>
>>Typical example here:
>>
>>User at site B changes their password on the site B domain
>>controller. User then wants to log onto the internet.
>>
>>Firewall authentication at site A is required for internet
>>access. Firewall uses domain credentials for
>>authentication, as in, enter your network user name and
>>password for internet access. Firewall looks to the DC at
>>site A for the proper credentials. Until replication
>>between site A and site B occurs, user is unable to log
>>onto the internet.
>>
>>We have been working around this by manually entering the
>>user's password onto the site A DC. This is not an option
>>that is available to us anymore.
>>
>>So, I need the user to be able to change their
>>password/auth on the Site A DC.
>>
>>Make sense?
>>
>>It's not just the firewall; the Citrix servers take their
>>logon credentials from the site A server too.
>>
>>Most of the time, this isn't a real issue as not everyone
>>changes their password at the same time, and not everyone
>>tries to launch something that relies on network
>>credentials right after changing their password.
>>
>>Now, however, that I need my users to change their
>>password en masse, I know this is going to be a problem
>>that I want to try to avoid.
>>>-----Original Message-----
>>>I don't think you need to worry about the DC's at site
>>>not having an up to date password. I take it your PDC
>>>emulator DC is at the main site?
>>>
>>>Read this, and see if it resolves your problem:
>>>
>>>"In Windows 2000, when a user password is changed at a
>>>specific domain controller, that domain controller
>>>attempts to update the respective replica at the domain
>>>controller that holds the PDC emulator role. Update of
>>>the PDC emulator occurs immediately, without respect to
>>>schedules between sites on site links. The updated
>>>password is propagated to other domain controllers by
>>>normal replication within a site. When the user logs on
>>>to a domain and is authenticated by a domain controller
>>>that does not have the updated password, the domain
>>>controller refers to the PDC emulator to check the
>>>credentials of the user name and password rather than
>>>denying authentication based on a nonvalid password.
>>>Therefore, the user can log on successfully even when the
>>>authenticating domain controller has not yet received the
>>>updated password."
>>>
>>>
>>>from:
>>>ms-help://MS.TechNet.2003JUN.1033/win2ksrv/tnoffline/prodtechnol/win2ksrv/reskit/distsys/part1/dsgch06.htm
>>>
>>>
>>>>-----Original Message-----
>>>>Hi,
>>>>
>>>>I have 5 remote sites, and my main site here. Each remote
>>>>site has a DC that users at that site authenticate to when
>>>>they log onto the domain.
>>>>
>>>>Due to a password policy change, I need to force all my
>>>>users to change their password, a site at a time, at the
>>>>next logon. However, I don't want them authenticating with
>>>>their local DC, I want them to authenticate at the main
>>>>site, due to replication latency, Citrix servers and a
>>>>firewall that uses account credentials from the main site
>>>>here.
>>>>
>>>>If I disable the netlogon service on their local DCs, I
>>>>am assuming their authentication request will go
>>>>elsewhere. In the past, I have noticed that when a certain
>>>>site's server is down, users authenticate with whichever
>>>>DC nabs their request first.
>>>>
>>>>I don't want this happening. I want to ensure that they do
>>>>not authenticate with their local DC AND they *do* auth
>>>>with my DC here.
>>>>
>>>>Is this possible?
>>>>
>>>>If it is, how do I accomplish this?
>>>>
>>>>Thanks,
>>>>Sharyn
>>>>
>>>>.
>>>>
>>>.
>>>
>>.
>>
>.
>
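A check a practitioner would want before a mass password change like the one discussed above, added here as an example that is not part of the thread: a PowerShell script that reads pwdLastSet and lockoutTime for one user directly from every DC in the domain, flags the PDC emulator, reports which replicas have not yet received the latest change, and prints which DC the current session logged on against. It assumes the ActiveDirectory module from RSAT on a domain-joined Windows host (cmdlets that postdate the Windows 2000 environment in the thread); the account name passed in is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# on a domain-joined host; $SamAccountName is a placeholder for the user to check.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# Netlogon records the DC that authenticated this session in LOGONSERVER;
# compare it with the PDC emulator to see whether this workstation is using
# the "main site" DC or a local one.
Write-Host "Logon server for this session : $env:LOGONSERVER"
Write-Host "PDC emulator                  : $pdc"

# Query each DC by name (-Server) rather than through the default DC so that
# every replica's own view of the account is visible.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        IsPDC      = ($dc.HostName -eq $pdc)
        PwdLastSet = $null
        LockedOut  = $null
        Error      = $null
    }
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet, lockoutTime
        # Both attributes are FILETIME integers (100-ns ticks since 1601 UTC).
        $row.PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        $row.LockedOut  = ($u.lockoutTime -gt 0)
    } catch {
        # Unreachable DC or query failure: keep the row so the gap is visible.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Sort-Object PwdLastSet -Descending | Format-Table -AutoSize

# Any DC whose pwdLastSet is older than the newest one seen still holds the
# old password. A firewall or Citrix server that binds to that DC will reject
# the new password until replication catches up; interactive domain logon is
# covered by the DC chaining to the PDC emulator, as quoted in the thread.
$newest = ($results | Where-Object { $_.PwdLastSet } |
           Sort-Object PwdLastSet -Descending |
           Select-Object -First 1).PwdLastSet
$stale  = $results | Where-Object { $_.PwdLastSet -and $_.PwdLastSet -lt $newest }
if ($stale) {
    Write-Warning ("Password change not yet replicated to: " + ($stale.DC -join ', '))
}
if ($results | Where-Object { $_.LockedOut }) {
    Write-Warning "Account is locked out on at least one DC; clear that before asking the user to retry."
}
```

Save it under any name (for instance Check-PwdReplication.ps1, a hypothetical filename) and run it as `.\Check-PwdReplication.ps1 -SamAccountName jdoe` right after a test user changes their password at a remote site; a row whose IsPDC is True but whose PwdLastSet lags the remote DC's shows the immediate-update-to-PDC behaviour the quoted Resource Kit text describes is not happening in practice. If a single DC is lagging, `repadmin /replsingleobj` can pull that one object across without waiting for the site-link schedule.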