Re: Configuring ADAM replication resets passwords
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Aug 2007 10:31:40 -0500
Do you think it is possible that a different password policy is being
applied on the other systems which causes the passwords to be effectively
expired?
That might explain why the bind fails but then starts working again after a
password reset. Since pwd policy is based on the machine effective policy,
it is totally possible to have different behaviors on different machines,
even though the actual ADAM data is replicated.
This is one reason why I think it is important to have the ADAM machines in
a configuration set all have the same password GPO applied to them.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:u6iiwrZ2HHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
Hi
resetting of user passwords is not expected behavior on configuring
a replica or restoring from backup. We need some more info
to help debug this:
[1] how did you check that replication had completed? An instance
that has not fully replicated may issue referrals back to the
original instance so pointing a tool that follows referrals, e.g.
ADSIEdit can lead to a misleading picture.
[2] after you configure replication which ADAM instance is your
application attempting to bind to? Is the application aware of
the second ADAM instance?
[3] after you configure replication have you tried binding as the ADAM
user using ldp.exe to connect to the *original* ADAM instance?
[4] for an authentication that is failing using ldp.exe can we see an ldf dump
of the ADAM user *after* the failed bind attempt on the original instance?
You can dump the user using ldifde from the ADAM Tools Command
Prompt on the original ADAM instance:
ldifde -f con -d "cn=myuser1,ou=myusers,o=myorg" -s localhost:adamport
where following -d is the distinguishedName of the ADAM user, adamport
is the port number ADAM is listening on.
[5] when you restored the backup that resulted in accounts no longer
being valid did you restore the ADAM instance to the same server?
Again did you try binding using ldp.exe? Can we see a dump of the
restored user after a failed bind using ldp.exe?
Thanks
Lee Flight
<ewan_mcteagle@xxxxxxxxxxx> wrote in message
news:1186548747.229448.31510@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 3, 8:52 pm, "Dmitri Gavrilov [MSFT]"
<dmit...@xxxxxxxxxxxxxxxxxxxx> wrote:
Are you sure the passwords were lost? How did you check?
Note that passwords cannot be read back from the directory, this is a
security feature. If you attempt to read one, you'll always get a NULL
(no value) back.
The only way to check if the password is there is to bind as this user
with the password.
--
Dmitri Gavrilov
SDE, Active Directory team
Well, I'm as sure as I can be without being able to export the
passwords. We have written an application that uses ADAM as a user
store for authentication. Prior to configuring replication, users
could log in to the app. Configure replication, users get an
authentication error. Reset the users' passwords and they can log in
again. As I say, this is repeatable.
Judging by your reply, it doesn't sound as though configuring
replication should be doing this. Any ideas on how we go about
troubleshooting this, or is there any other information that would be
useful?
Also, this may be a red-herring, but what is meant to happen when you
restore an ADAM instance? We seem to get the same behaviour (lost
passwords) when we do a restore from MS Backup.
Thanks,
Ewan
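
The policy-mismatch hypothesis in the reply at the top of this message can be checked offline. The following is an added example, not code from any poster in the thread: it takes the `pwdLastSet` value from an `ldifde` dump of the user and the "Maximum password age" line from `net accounts` output captured on each ADAM host, and reports on which hosts the same replicated password would count as expired. The host names `adam-a` and `adam-b`, the sample dump and the sample policy text are constructed, and the check assumes expiry depends only on maximum password age (it ignores any per-user "password never expires" setting).

```python
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def pwd_last_set(ldif_text):
    """Extract pwdLastSet (FILETIME integer) from an ldifde dump of the user."""
    m = re.search(r"^pwdLastSet:\s*(\d+)\s*$", ldif_text, re.M | re.I)
    if not m:
        raise ValueError("pwdLastSet not present in dump")
    return int(m.group(1))

def max_age_days(net_accounts_text):
    """Maximum password age from `net accounts` output; None means Unlimited."""
    m = re.search(r"^Maximum password age \(days\):\s*(\S+)", net_accounts_text, re.M)
    if not m:
        raise ValueError("no 'Maximum password age' line")
    return None if m.group(1).lower() == "unlimited" else int(m.group(1))

def expired_on(ldif_text, net_accounts_text, now):
    """True if the replicated password is expired under this host's local policy."""
    ticks = pwd_last_set(ldif_text)
    if ticks == 0:  # 0 means the password must be changed before the next bind
        return True
    limit = max_age_days(net_accounts_text)
    if limit is None:
        return False
    set_at = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return now - set_at > timedelta(days=limit)

def compare_replicas(ldif_text, policies, now):
    return {host: expired_on(ldif_text, text, now) for host, text in policies.items()}

# Constructed sample data: password set 2007-06-01, checked on 2007-08-08 (68 days old)
NOW = datetime(2007, 8, 8, tzinfo=timezone.utc)
SAMPLE_LDIF = ("dn: cn=myuser1,ou=myusers,o=myorg\nchangetype: add\n"
               f"pwdLastSet: {to_filetime(datetime(2007, 6, 1, tzinfo=timezone.utc))}\n")
SAMPLE_POLICIES = {
    "adam-a": "Minimum password age (days):    0\nMaximum password age (days):    90\n",
    "adam-b": "Minimum password age (days):    0\nMaximum password age (days):    42\n",
}

if __name__ == "__main__":
    for host, expired in compare_replicas(SAMPLE_LDIF, SAMPLE_POLICIES, NOW).items():
        print(f"{host}: password {'EXPIRED' if expired else 'valid'} under local policy")
```

A host that reports the password as expired while its replication partner does not points to a policy mismatch between the machines rather than to lost password data.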