Forcing authentication with a specific DC

Hindy

I don't think you need to worry about the DCs at site
not having an up-to-date password. I take it your PDC
emulator DC is at the main site?

Read this, and see if it resolves your problem:

"In Windows 2000, when a user password is changed at a
specific domain controller, that domain controller
attempts to update the respective replica at the domain
controller that holds the PDC emulator role. Update of
the PDC emulator occurs immediately, without respect to
schedules between sites on site links. The updated
password is propagated to other domain controllers by
normal replication within a site. When the user logs on
to a domain and is authenticated by a domain controller
that does not have the updated password, the domain
controller refers to the PDC emulator to check the
credentials of the user name and password rather than
denying authentication based on a nonvalid password.
Therefore, the user can log on successfully even when the
authenticating domain controller has not yet received the
updated password."


from: ms-help://MS.TechNet.2003JUN.1033/win2ksrv/tnoffline/prodtechnol/win2ksrv/reskit/distsys/part1/dsgch06.htm

Sharyn

Hi Hindy,

Thanks for your reply.

The problem is not them logging onto the domain after
changing passwords, the problem is I have other
applications and appliances that rely on the domain
credentials.

Typical example here:

User at site b changes their password on the site b domain
controller. User then wants to log onto the internet.

Firewall authentication at site A is required for internet
access. Firewall uses domain credentials for
authentication, as in, enter your network user name and
password for internet access. Firewall looks to the DC at
site A for the proper credentials. Until replication
between site a and site b occurs, user is unable to log
onto the internet.

We have been working around this by manually entering the
user's password onto the site A DC. This is not an option
that is available to use anymore.

So, I need the user to be able to change their
password/auth on the Site A DC.

Make sense?

It's not just the firewall, the Citrix servers take their
logon credentials from the site A server too.

Most of the time, this isn't a real issue as not everyone
changes their password at the same time, and not everyone
tries to launch something that relies on network
credentials right after changing their password.

Now, however, that I need my users to change their
password en masse, I know this is going to be a problem
that I want to try to avoid.

Hindy

I see your problem now.

Have you just one DC at Site A, and does this hold all
the FSMO roles for the domain? (I take it this is the
site that all remote sites connect back thru for Internet
access).

What I'm getting at is if this Site A DC is the PDC
emulator for the domain, then surely it should receive
the replicated passwords pretty quickly, going off the
quote in my previous post at least? Or are you finding
it's not the way it works in the real world?

Out of interest, how long are you finding it roughly
takes from the user changing their password on a remote
site, to Site A receiving the change?

I'll try and check back tomorrow.

Sharyn

Hi Hindy,

Thanks again for your response.

To answer your questions, yes, just one DC at site A, and
yes it holds all the FSMO roles, including the PDC
emulator.

Yes again, site A is the site that all remotes connect
back through to get to the internet, everyone
authenticates with the firewall through this site. There
is no direct internet access anywhere but in Site A.

Although, in theory, it *should* receive the passwords
quickly, sometimes, this is not the case. I have done some
testing with this. It can take anywhere between 5 and 10
minutes for the password changes to actually replicate
over to site A, from site b.

In the meantime, user changes their password, then tries
to log onto the Citrix server which tells them their
credentials are wrong and to enter new ones. They then
enter the new password, but the Citrix server is still
looking at the site A DC, and is looking for the old
password. User is confused, doesn't know which password to
use and locks out their account. THIS gets replicated
almost instantaneously back to site B and they no longer
have access to any network resources.

Like I said before, when this is staggered, it wasn't that
big a deal to just reset passwords. However, we have
implemented a new security policy and we, the IT dept, are
not supposed to know what the user's password is. So, if
we reset it for them, then we have to force them to change
it again, and the whole scenario starts over.

We are going to a complex password scheme with less
frequent changes required. I don't want to stagger the
password changes as those users that *just* changed their
password won't be required to do it again for another 30
days. As I'm sure you know, password policy is domain
wide, so we all have to do this together for it to work.

The post below yours, about disabling the netlogon service
in all DCs but Site A's, will work in theory but will be a
nightmare as far as bandwidth and logon speed.

There has to be a way to do this... at least, one would
think.

I'll check back tomorrow too, to see what you think.

Sharyn
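Hindy's question about how long a change takes to reach Site A, and Sharyn's description of the lockout that follows, are both easier to diagnose with a per-DC view of the account. The script below is an added example, not code from the thread; it assumes a modern domain with RSAT's ActiveDirectory module, and the user name is a constructed placeholder.

```powershell
# Added example (not from the thread): compare a user's pwdLastSet as seen by
# every domain controller against the PDC emulator's copy, to measure how far
# a password change has converged and whether a lockout has already replicated.
# Requires the RSAT ActiveDirectory module; $SamAccountName is a placeholder.
param(
    [string]$SamAccountName = 'jdoe'   # constructed placeholder user
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = (Get-ADDomainController -Filter *).HostName

# Reference copy: password changes are pushed to the PDC emulator immediately,
# so its pwdLastSet is the value every other DC should eventually converge to.
$refUser = Get-ADUser -Identity $SamAccountName -Server $pdc `
                      -Properties pwdLastSet, badPwdCount, lockoutTime
$ref = [DateTime]::FromFileTimeUtc($refUser.pwdLastSet)

foreach ($dc in $dcs) {
    try {
        $u    = Get-ADUser -Identity $SamAccountName -Server $dc `
                           -Properties pwdLastSet, badPwdCount, lockoutTime
        $seen = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        $state = if ($seen -eq $ref) { 'in sync' }
                 else { 'stale (lag {0:N0} s)' -f ($ref - $seen).TotalSeconds }
        [pscustomobject]@{
            DC          = $dc
            PDCEmulator = ($dc -eq $pdc)
            PwdLastSet  = $seen
            State       = $state
            BadPwdCount = $u.badPwdCount        # not replicated: per-DC counter
            LockedOut   = ($u.lockoutTime -gt 0) # replicated urgently, as Sharyn saw
        }
    } catch {
        [pscustomobject]@{
            DC = $dc; PDCEmulator = ($dc -eq $pdc); PwdLastSet = $null
            State = "unreachable: $($_.Exception.Message)"
            BadPwdCount = $null; LockedOut = $null
        }
    }
}
```

Run it right after a test user changes their password at the remote site and repeat it every minute; the "stale" rows give the actual replication lag to Site A, and a rising BadPwdCount on the Site A DC is the early warning of the lockout described above.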