Re: RODC ...


Each site should have its own group if you have uniqueness you need to keep in order.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

"southpaw" <southpaw@xxxxxxxxxx> wrote in message
news:ujQ11ToRKHA.508@xxxxxxxxxxxxxxxxxxxxxxx
Meinolf,

My concern is we have a high user turnaround in our remote offices. Can I simply create a PRP global group for each remote site and instruct my helpdesk to add the new users to this group when creating new user accounts?
Thanks

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d70778cc14abc5213476@xxxxxxxxxxxxxxxxxxxxxxx
Hello southpaw,

Without PRP, logons are not possible, correct, but this is a one-time configuration, so not an administrative overhead.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Sorry, one question..
Just to be clear, it seems as though there would be more administrative overhead if we were to use RODCs in our remote sites. The reason being, for example, we have local Win2003 DCs currently in our small remote offices, and if the WAN link goes down I believe the users are still able to authenticate and log on to the local DC and access local resources (file servers, shares, printers etc.) in that site.
My dilemma... We currently have in place a central helpdesk staff in corp headquarters that creates all user accounts etc.
From what I have gathered, it seems that if we were to replace our remote Win2003 DCs with RODCs and the WAN link between the RODC and RWDC goes down, users in the remote office will not be able to log on, or access local resources, if PRP allow is not enabled for the remote user. Is this correct?
If so, this may be an administrative nightmare to manage for remote offices.
"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d706a8cc14a51e11585b@xxxxxxxxxxxxxxxxxxxxxxx

Hello southpaw,

Only if the PRP is configured for that account will it be cached, and only then are the users able to log on if the WAN link is down.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

See also:
http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx
You should consider using a newsreader like Outlook Express or other ones like Omea Reader, for example. That way you have a good overview and do not rely on the web-based version.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
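The per-site allow group that southpaw asks about and the allow/deny ACL that Meinolf describes, as an added PowerShell example (not from the thread or from Microsoft's documentation). It assumes the RSAT ActiveDirectory module; the RODC, site, group and user names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT);
# the RODC, site, group and user names are placeholders.
Import-Module ActiveDirectory

$Rodc      = 'RODC-BRANCH01'          # placeholder RODC computer name
$SiteName  = 'Branch01'               # placeholder site name
$GroupName = "PRP-Allow-$SiteName"    # one allow group per site, as Paul suggests

# 1. Create the per-site global group the helpdesk will populate.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description "Accounts whose secrets $Rodc may cache"
}

# 2. Put the group on the RODC's Allowed list (one-time configuration).
#    Membership only decides whether a secret MAY be cached; nothing is
#    cached until the account actually logs on through this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $GroupName

# 3. Helpdesk step when creating a new branch user: add them to the site group.
Add-ADGroupMember -Identity $GroupName -Members 'jdoe'   # placeholder user

# 4a. Review the ACL as configured: Allowed and Denied entries.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 4b. Accounts whose secrets are really stored on the RODC ("revealed").
#     This is the set that can still log on during a WAN outage, and also
#     the set exposed if the branch box itself is lost or compromised.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealedDNs = @($revealed | ForEach-Object DistinguishedName)
$revealed | Select-Object Name, ObjectClass

# 4c. Accounts that authenticated via this RODC but were NOT cached: these are
#     the users who will fail to log on when the link to the RWDC is down.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Where-Object { $revealedDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass

# 4d. Sanity check: no privileged account should be revealed. A Deny entry
#     always wins over Allow, and Domain Admins are denied by default through
#     the built-in "Denied RODC Password Replication Group".
$revealed | Where-Object {
    (Get-ADPrincipalGroupMembership -Identity $_).Name -contains 'Domain Admins'
} | Select-Object Name
```

Step 4c is the list to hand to the helpdesk: anyone on it is a branch user who was never added to the site group, and 4d should come back empty on a healthy RODC.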
Hi Meinolf,

Sorry for the dupe post, but interestingly I can't find my post from yesterday. Not sure why I can't see it. :-)

"Meinolf Weber [MVP-DS]" <meiweb@(nospam)gmx.de> wrote in message
news:6cb2911d70638cc14a2a64abf42@xxxxxxxxxxxxxxxxxxxxxxx

Hello southpaw,

Please see the answer to your posting from yesterday.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi,

By default, I believe I read somewhere that users' and computers' passwords are cached on an RODC after first logon. I assume "yes", correct? If so, when would I use PRP? Can you give an example?

What happens if the WAN link between my RODC and RWDC is down? Will users still be able to log on and access local shared resources and file shares in the local RODC site?
