Re: PDC EMU ?
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Sat, 5 Aug 2006 23:15:51 +0100
Hi
Inline
1. With the avoidpdc set if user changes password in site 2, no message is
sent to pdc emu in site 1 so the dc in site 3 isn't "immediately" told, but
will site 3 be told next time replication happens? When would the second
DC in site 2 be told of the change immediately, next replication or never.
*Yes, by default, when someone changes a password, the change occurs on the
local domain controller (DC), but Windows also pushes the change to the PDCe
role holder because changes can take time to replicate around the domain. If
these changes weren't pushed to the PDCe role holder and someone tried to
log on with the new password that wasn't replicated, the logon would fail
(because, as already said, by default if the user fails to authenticate the
DC will try to contact the PDCe and check if there's any change). Be aware
that the AvoidPDCOnWan setting change only affects the DC where you're
performing this change. Be aware that the DC in site 2 only tries to contact
the PDCe if the user fails authentication; otherwise it doesn't try to
verify the PW with the PDCe.
a. Timing for sites would have to point to a local time source not pdc emu
Not that I'm aware of. Time will be processed as normal (with the PDCe).
b. GPO changes would not be immediately sent down but would they pass
around all sites when replication happened.
Active Directory service data-replication between domain controllers in
different sites occurs less frequently than replication between domain
controllers in the same site, and occurs during scheduled periods only.
Between sites, FRS replication occurs spontaneously, and is not determined
by the site link replication schedule; this is not an issue within sites.
The directory service replication schedule and frequency are properties of
the site links that connect sites.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"skhips" <skhips@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:48B10832-B159-45A5-9131-4AA4B06937C6@xxxxxxxxxxxxxxxx
Cheers for both of your time, just to clarify two points,
1. With the avoidpdc set if user changes password in site 2, no message is
sent to pdc emu in site 1 so the dc in site 3 isn't "immediately" told, but
will site 3 be told next time replication happens? When would the second
DC in site 2 be told of the change immediately, next replication or never.
2. If this setting is applied are there any negatives apart from the above
and would the below be correct.
a. Timing for sites would have to point to a local time source not pdc emu
b. GPO changes would not be immediately sent down but would they pass
around all sites when replication happened.
c. If I decided not to have it always set is it something you could just
apply if a link to the pdc emu was going to be down for a long time.
Cheers, and my first reply from an MVP, like speaking to royalty.
"Joe Richards [MVP]" wrote:
1. The bad attempt counts are maintained separately for all DCs whether
they are able to talk to the PDC or not. So if the user is hitting the
same DC over and over again, no, they will not get extra attempts.
2. All AvoidPDCOnWan does is tell the local DC not to contact the PDC in
the event of password changes or authentication failures.
Normally if you change a password in Site2, the Site2 DC calls out to the
PDC in Site1 and lets it know there was a password change, then if you
try to log on to a Site3 DC and specify the new password, the Site3 DC
will see the password is wrong but will double-check with the PDC.
Enabling AvoidPDCOnWan shuts all of that off.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
skhips wrote:
1. If the wan link is down to the PDC Emulator does that mean as it records
bad password attempts a user would be able to have more password attempts
than configured in the domain GPO.
2. If I use the AvoidPdcOnWan setting on W2K3 in W2K mode in a remote site
will all of the tasks that the PDC Emulator is responsible for still
function at the remote site or will it cause issues.
TIA