Authentication and Cached Credentials Problem

sabnetadmin

We have several WAN locations and a corporate HQ location
connected via VPN. Three of these locations have DCs on
their local subnet (one being corporate HQ). The other
locations have NAS devices for file storage on their
local subnet. The three with DCs are in separate sites.
The others are in the corporate HQ site.

I know that you're supposed to have a DC on every subnet
if you want to authenticate. However, I know it's
possible to have those subnets without DCs authenticate
to the corporate HQ DC because I have tried it. However,
I have a problem when a link between the corporate HQ
subnet and the other subnets goes down. They can't seem
to access files on the NAS device because their
permissions are not being recognized. Is there a way to
combat this? I thought cached credentials were supposed
to alleviate problems like this?! If you have any
information or experience with this, that would be great.
Thanks.
 
Lanwench [MVP - Exchange]

Cached credentials will let them log into their computers, but won't give
them access to any network resources.
 
Antonio Lam

It is true that you don't need a DC on every subnet; however, it is a
good idea to put a DC in every remote site. While the Cached
Credentials surely will solve your problem when the WAN link is not
available, there is a catch. When you log in using the cached
credentials, the system is giving you the benefit of the doubt today.
But you, as a network administrator, would be unhappy to find out that
the bad guy can still log in to the workstation on Thursday when you
have deleted his account on Wednesday.

Antonio
 
