Re: Configuring ADAM replication resets passwords




On Aug 3, 8:52 pm, "Dmitri Gavrilov [MSFT]"
<dmit...@xxxxxxxxxxxxxxxxxxxx> wrote:
> Are you sure the passwords were lost? How did you check?
> Note that passwords cannot be read back from the directory; this is a
> security feature. If you attempt to read one, you'll always get a NULL (no
> value) back.
> The only way to check if the password is there is to bind as this user with
> the password.
>
> --
> Dmitri Gavrilov
> SDE, Active Directory team

Well, I'm as sure as I can be without being able to export the
passwords. We have written an application that uses ADAM as a user
store for authentication. Prior to configuring replication, users
could log in to the app. Configure replication, users get an
authentication error. Reset the users' passwords and they can log in
again. As I say, this is repeatable.

Judging by your reply, it doesn't sound as though configuring
replication should be doing this. Any ideas on how we go about
troubleshooting this, or is there any other information that would be
useful?

Also, this may be a red herring, but what is meant to happen when you
restore an ADAM instance? We seem to get the same behaviour (lost
passwords) when we do a restore from MS Backup.

Thanks,

Ewan
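
The bind check described in the quoted reply, as an added example that is not part of the original posts: it performs an LDAP simple bind as one test user against each instance in turn and separates "invalid credentials" (LDAP result 49) from connection or other errors. The host names, the user DN, and the assumption that both instances accept LDAPS on port 636 are placeholders for illustration.

```powershell
# Added example. Server names, port and user DN are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamBind {
    param(
        [string]$Server,
        [int]$Port,
        [string]$UserDn,
        [securestring]$Password,
        [switch]$UseSsl
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object -TypeName "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $Port
    $cred = New-Object -TypeName System.Net.NetworkCredential -ArgumentList $UserDn, $Password
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind
    $conn = New-Object -TypeName "$ns.LdapConnection" -ArgumentList $id, $cred, $auth
    $conn.SessionOptions.ProtocolVersion = 3
    # A simple bind sends the password as-is, so protect the channel with SSL.
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }
    try {
        $conn.Bind()
        $result = 'BindOK'
    }
    catch {
        # The exception may arrive wrapped; walk down to the LdapException.
        $e = $_.Exception
        while ($e -and $e -isnot [System.DirectoryServices.Protocols.LdapException]) {
            $e = $e.InnerException
        }
        if ($e -and $e.ErrorCode -eq 49) { $result = 'InvalidCredentials (LDAP 49)' }
        elseif ($e)                      { $result = "LdapError $($e.ErrorCode): $($e.Message)" }
        else                             { $result = "Error: $($_.Exception.Message)" }
    }
    finally { $conn.Dispose() }
    [pscustomobject]@{ Instance = "${Server}:$Port"; User = $UserDn; Result = $result }
}

# Prompt once, then try the same credential on every instance.
$pw = Read-Host -AsSecureString 'Password for the test user'
$instances = @(
    @{ Server = 'adam1.example.test'; Port = 636 },   # placeholder: original instance
    @{ Server = 'adam2.example.test'; Port = 636 }    # placeholder: new replica
)
foreach ($i in $instances) {
    Test-AdamBind -Server $i.Server -Port $i.Port -UseSsl `
        -UserDn 'CN=testuser,OU=Users,O=Example' -Password $pw
}
```

Running it before and after replication is configured records, per instance, whether the credential itself is rejected or the bind fails for another reason.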
