We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good.

Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify in the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate. Net result is that the same password change is applied directly at multiple DCs in different sites at the same time.

My question is, what is the impact on the DCs and replication traffic? What are the caveats of such a scenario?

One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service. In that case, the helpdesk can see a list of all DCs and select the one(s) they wish to send the change to. This can be disabled, but is the default if you enable 'site-awareness'. This bothers me a bit, since there's nothing to prevent a helpdesk person from selecting 'em all.

Your thoughts?

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
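One way to see what the multi-DC write actually does to replication is to read the replication metadata for the user's password attributes from every DC right after a change and again after the replication interval. The script below is an added example, not part of the original post and not code from the product being discussed; it assumes the ActiveDirectory PowerShell module, a Windows Server 2012 or later DC set that supports Get-ADReplicationAttributeMetadata, and an account with rights to read metadata on all DCs. The parameter name $SamAccountName is chosen here for illustration.

```powershell
# Added example (not from the original post or the product under discussion).
# Assumes the ActiveDirectory module and rights to read replication metadata on every DC.
# For one user, queries each DC for the metadata of unicodePwd and pwdLastSet and reports
# whether all DCs hold the same change and from which DC(s) that change originated.
param(
    [Parameter(Mandatory)] [string] $SamAccountName   # user whose password was just changed
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName
$dcs  = Get-ADDomainController -Filter * | Sort-Object Site, HostName

# Collect per-DC metadata; a DC that cannot be reached is recorded rather than skipped,
# because a silent gap would hide a DC that still has the old password.
$rows = foreach ($dc in $dcs) {
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $dc.HostName -Properties unicodePwd, pwdLastSet -ErrorAction Stop
        foreach ($m in $meta) {
            [pscustomobject]@{
                DC         = $dc.HostName
                Site       = $dc.Site
                Attribute  = $m.AttributeName
                Version    = $m.Version
                OriginDC   = $m.LastOriginatingChangeDirectoryServerIdentity
                OriginTime = $m.LastOriginatingChangeTime
                OriginUsn  = $m.LastOriginatingChangeUsn
            }
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; Attribute = '(unreachable)'
            Version = $null; OriginDC = $null; OriginTime = $null; OriginUsn = $null
        }
    }
}

$rows | Format-Table DC, Site, Attribute, Version, OriginDC, OriginTime, OriginUsn -AutoSize

# Convergence check: after replication has finished, every DC should report the same
# (Version, OriginDC, OriginUsn) triple for an attribute. More than one distinct triple
# means DCs still disagree, either because replication is pending or because several DCs
# each accepted their own originating write and conflict resolution has not yet settled it.
foreach ($attr in 'unicodePwd', 'pwdLastSet') {
    $set    = $rows | Where-Object { $_.Attribute -eq $attr }
    $groups = $set | Group-Object Version, OriginDC, OriginUsn
    if ($groups.Count -le 1) {
        "{0}: converged, {1} DC(s) agree (origin {2})" -f $attr, $set.Count, ($set | Select-Object -First 1).OriginDC
    } else {
        "{0}: NOT converged, {1} distinct originating writes seen:" -f $attr, $groups.Count
        $groups | ForEach-Object {
            "   version {0} from {1} on: {2}" -f $_.Group[0].Version, $_.Group[0].OriginDC, ($_.Group.DC -join ', ')
        }
    }
}
$unreachable = $rows | Where-Object { $_.Attribute -eq '(unreachable)' }
if ($unreachable) { "Unreachable DCs: " + ($unreachable.DC -join ', ') }
```

Run it immediately after a change made through the product and note how many distinct originating DCs appear for unicodePwd: one means the product wrote to a single DC and the rest received the change by replication, several means the parallel writes the post describes each became an originating write that every other DC must pull and reconcile. Run it again after the intra- and inter-site replication intervals; the set should collapse to a single origin. Any helpdesk-initiated change that shows many originating writes for one reset is the "select 'em all" case and can be spotted this way without access to the product's own logs.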