Yep, don't let them change in multiple places. We make them hunt out the PDC and make the change there. If they can't get to the PDC they just grab the default DC for the domain.
That product has gone through quite a bit of change in the last year or two, we beat them up pretty bad as they initially had some interesting ideas. I actually wrote my unlock tool initially because of my dealings with them to prove a point about delegation in AD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, July 31, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

Yep, that's the one. My main concern was additional load on the PDCE, as Gil and Roger mentioned. I wondered if their workaround wouldn't be made unnecessary by the SP4 enhancements, specifically the one where the PDCE replicates the user object to the remote DC that has chained an authentication request to it. Our DCs are being updated with SP4 right now anyhow, so maybe this will all be a non-issue soon. I'm just not comfortable with changing the same value on multiple DCs simultaneously (on purpose!), so I'm hoping not to implement that feature.

Dave

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

By any chance is this product called PSYNC from MTEC? I have worked with them for a couple of years on various things, if so you can email me separately and we can chat... [EMAIL PROTECTED] If it isn't, consider it as they are doing a decent job now and I am sure there are some people who watch this listserv that may be shocked to see I wrote that....

I absolutely wouldn't recommend changing passwords in multiple sites at once, the previously valid reason for it is no longer valid UNLESS for some reason the remote site can't get to the PDC to do PDC Chaining (and the accompanying special replication that will take place in SP4 and Q812499) which would then make me ask, how would you get to the site to change the password in the first place with a centralized system. So anyway, make sure your DCs have SP4 or at least Q812499 and then change the passwords all centrally on whatever DC gets selected and you should be fine.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, July 30, 2003 3:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Simultaneous password change on multiple DCs

We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface. One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good.

Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate. Net result is that the same password change is applied directly at multiple DCs in different sites at the same time. My question is, what is the impact on the DCs and replication traffic? What are the caveats of such a scenario?

One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service.
In that case, the helpdesk can see a list of all DCs and select the one(s) they wish to send the change to. This can be disabled, but is the default if you enable 'site-awareness'. This bothers me a bit, since there's nothing to prevent a helpdesk person from selecting 'em all. Your thoughts?

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
