That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DCs, and this app changes the password on all 10 DCs. That's at least 81 different replication messages, since each DC will recognize that as a different change.
Seems to me to be both overkill and unnecessary.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 3:23 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Simultaneous password change on multiple DCs
>
>
> We're looking at a product to manage passwords - it enforces
> common password policy and keeps passwords in sync across
> multiple platforms (mainframe, AD, NDS, Unix, etc.), as well
> as provides self-service password change/reset via a browser
> interface.
>
> One of its features on AD is that it's nominally site-aware -
> it can determine a browser's location based on IP address and
> change the AD password on a DC in that site. So far, so
> good. Now the tricky part - it can also be configured to
> ALWAYS change the password on one or more DCs that you
> specify on the config, in addition to the one it selects.
> The idea is to specify DCs near resources at headquarters
> that people access from branch offices. This is supposed to
> ensure that people can access the resources immediately
> rather than waiting for the new password to replicate.
>
> Net result is that the same password change is applied
> directly at multiple DCs in different sites at the same time.
> My question is, what is the impact on the DCs and
> replication traffic? What are the caveats of such a scenario?
>
> One other thing - the helpdesk can use the web interface to
> assist callers who choose not to use self-service. In that
> case, the helpdesk can see a list of all DCs and select the
> one(s) they wish to send the change to. This can be
> disabled, but is the default if you enable 'site-awareness'.
> This bothers me a bit, since there's nothing to prevent a
> helpdesk person from selecting 'em all. Your thoughts?
>
> Dave
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
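The replication cost Roger describes above comes from each DC treating the same password value as its own originating write, each with its own attribute stamp. The following simulation is an added example written for this thread; it is not code from either poster or from the password-management product under discussion. It models the AD-style attribute stamp (version, originating timestamp, originating DSA) and AD's attribute conflict resolution (higher version wins, then later timestamp, then DSA identifier), and counts how many replicated updates the other DCs must apply when the same change is written at one DC versus at all of them. The DC names, clock ticks and the full-mesh "push to every partner" topology are constructed simplifications; a real forest forwards changes through replication partners, but the number of originating writes each DC must apply is the same.

```python
"""Constructed simulation of multi-master attribute replication.

Not Active Directory code. Each replica holds one attribute (the
password) plus an AD-style stamp. A write made directly at a DC is an
"originating write": the DC bumps its local version without asking
other DCs first, so k simultaneous writes of the same value produce k
distinct stamps that all have to replicate and be reconciled.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Ordering matches AD conflict resolution: version, then originating
    time, then originating DSA (DC name stands in for the invocation ID)."""
    version: int
    originating_time: int   # constructed clock ticks, not real timestamps
    originating_dsa: str


@dataclass
class Replica:
    name: str
    value: str = "old-password"
    stamp: Stamp = Stamp(0, 0, "")
    applied_changes: int = 0   # inbound replicated updates this DC processed


def originating_write(dc: Replica, value: str, clock: int) -> Stamp:
    """A client writes the attribute directly at this DC."""
    dc.value = value
    dc.stamp = Stamp(dc.stamp.version + 1, clock, dc.name)
    return dc.stamp


def replicate(origin: Replica, stamp: Stamp, value: str,
              dcs: list[Replica]) -> int:
    """Push one originating change to every other DC (full-mesh
    simplification). Returns how many replicated updates were applied.
    A receiving DC always has to process the update; it only keeps the
    value if the inbound stamp beats the one it already holds."""
    applied = 0
    for dc in dcs:
        if dc is origin:
            continue
        dc.applied_changes += 1
        applied += 1
        if stamp > dc.stamp:
            dc.stamp = stamp
            dc.value = value
    return applied


def change_password(dcs: list[Replica], targets: list[Replica],
                    new_value: str, t0: int = 100) -> int:
    """Write the same new value directly at each DC in `targets` (one clock
    tick apart), then let every originating write replicate out. Returns
    the total number of replicated updates the DCs had to apply."""
    originating = [
        (dc, originating_write(dc, new_value, t0 + i), new_value)
        for i, dc in enumerate(targets)
    ]
    return sum(replicate(dc, stamp, value, dcs)
               for dc, stamp, value in originating)


def simulate(n_dcs: int, n_targets: int) -> dict:
    """Build n_dcs replicas, change the password at the first n_targets of
    them, and report the replication cost and the converged state."""
    dcs = [Replica(f"DC{i:02d}") for i in range(1, n_dcs + 1)]
    total = change_password(dcs, dcs[:n_targets], "new-password")
    return {
        "originating_writes": n_targets,
        "replicated_updates": total,
        "converged": len({dc.value for dc in dcs}) == 1
                     and len({dc.stamp for dc in dcs}) == 1,
        "winning_dsa": dcs[0].stamp.originating_dsa,
    }


if __name__ == "__main__":
    # Constructed runs: 10 DCs, change written at one DC vs. at all ten.
    for k in (1, 10):
        print(simulate(10, k))
```

With ten DCs, one originating write costs nine replicated updates; writing the same value at all ten costs ninety, because every DC must evaluate nine foreign stamps for the attribute it just changed locally. All replicas still converge on one value, but note which stamp wins: every write carried the same version number, so the tiebreak is the originating timestamp, and the "winner" is simply whichever DC's clock was latest. On the helpdesk point Dave raises, each originating write is also a separate password-change event in that DC's security log, so a "select all DCs" change from the web interface shows up as k independent changes rather than one, which is worth knowing when reviewing audit data.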