Windows 2000 authentication

Graham Turner

I was wondering if anyone could give us a "heads up" on how we prevent a
Windows 2000 domain controller from authenticating a user logon request.

By comparison, on an NT4 domain controller, the configuration of "pausing"
the Netlogon service would prevent the DC from authenticating a user logon
request.

I would guess that the same "fix" may apply to a Win2k DC for an NTLM logon
request, say from a downlevel (non-Kerberos-aware) client, but am not sure
whether this would apply to a Kerberos logon request.

TIA

GT
 
Graham

Yes, it's true that pausing the Netlogon service will stop that DC from
authenticating users. However, if you are trying to stop all users in a
location from logging on to a DC full stop, remember the client contacts DNS
for a list of DCs to log on to. If you have paused one particular DC this
could force all the users to log on to another DC, maybe at the other end of
the WAN.

Also, if you have Exchange 2000 in place and the DC on which you are stopping
the Netlogon service is a GC, this could cause lots more issues such as clients
unable to use Outlook, log on to the AD, etc.

hope this helps

Paul
 
Your request needs a little clarification in order to provide some
possible solutions: for what reason do you wish to stop the DC
authenticating users?

Dean
 
Dear all, thanks for your replies and apologies for not giving more
information.

I am looking at the concept of a DC with a lazy replication schedule as the
point of recovery from an AD "disaster".

As such, given that its directory may be some way out of date, I do not want
users / computers using it for authentication while retaining its capability
in terms of replication et al.

As such I am needing to consider the implications of pausing the Netlogon
service in respect of the above.

The issue of impact w.r.t. Kerberos comes from not fully understanding
the role of Netlogon in Kerberos authentication and whether I need to go
further by disabling, say, the KDC - but then how does that impact, say,
replication.

Thanks

GT

 
Since you're implementing a lazy replication schedule, I'm assuming
you're going to place the DC in question in a site configured to impose
that desired latency. If this is the case, the DC will not be used by
clients for authentication (this assumes the site, site link and subnet
objects are correctly configured in order to make the DC appear on a
subnet of its own). Two possible exceptions exist: the very first time
a client attempts to authenticate it will possess no site knowledge and
will use any DC returned by DNS (local subnet priority will assist but
is dependent upon your IP configuration), and downlevel clients without
the AD extensions do not support site affinity, period.

I would not recommend stopping the NETLOGON service since it contributes
more than merely playing a role in authentication; the registration of
its _critical_ DNS records is a significant example.

It is also worth mentioning that (assuming defaults are in place), if a
new, apparently bad password is submitted against the latent DC, it
will proxy the authentication attempt against the domain's PDC FSMO
which (again assuming defaults are in place) will be up to date, thereby
authenticating the client.

In short, it really comes down to the motivating factors for doing this.
If it is solely due to your desire for extreme replication latency I
would suggest that you rely upon the features I described above, if not,
please provide further information.

HTH

Dean
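As an added worked example of the site-based approach Dean describes (this is my own illustration, not code from any poster above), the following PowerShell builds an isolated site, subnet and slow site link for the latent DC, moves the DC into it, and then checks what the DC locator and DNS actually hand out. It also reads the Netlogon value that governs the bad-password forwarding to the PDC emulator Dean mentions. It assumes the ActiveDirectory module (RSAT) on a current Windows host, a domain corp.example, a latent DC named DC-LAZY, an existing site named HQ and a spare subnet 10.99.99.0/24; all of those are placeholders. Windows 2000 itself would create the same objects in the Sites and Services snap-in.

```powershell
# Added example, not from the thread. Placeholders: corp.example, DC-LAZY,
# HQ, 10.99.99.0/24. Requires the ActiveDirectory module and Domain Admin
# rights; the nltest and Resolve-DnsName checks need a domain-joined host.
Import-Module ActiveDirectory

$domain   = 'corp.example'
$lazyDc   = 'DC-LAZY'
$lazySite = 'Lazy-Recovery'
$lazyNet  = '10.99.99.0/24'    # subnet on which only the latent DC lives
$hqSite   = 'HQ'

# 1. A site of its own, with a subnet that contains only the latent DC, so
#    the DC locator never prefers this DC for clients on ordinary subnets.
New-ADReplicationSite   -Name $lazySite
New-ADReplicationSubnet -Name $lazyNet -Site $lazySite

# 2. A site link to HQ with the "lazy" interval (720 minutes = 12 hours;
#    the schedule can be stretched up to 10080 minutes, i.e. one week).
New-ADReplicationSiteLink -Name "$hqSite-$lazySite" `
    -SitesIncluded $hqSite, $lazySite `
    -ReplicationFrequencyInMinutes 720 `
    -InterSiteTransportProtocol IP

# 3. Move the DC's server object into the isolated site.
Move-ADDirectoryServer -Identity $lazyDc -Site $lazySite

# 4. Checks. A client in HQ should locate an HQ DC, never DC-LAZY:
nltest "/dsgetdc:$domain" "/site:$hqSite"

#    The generic SRV record (what a client uses on its very first logon,
#    before it has any site knowledge, and what downlevel clients always
#    use) still lists every DC including DC-LAZY ...
Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$domain" |
    Select-Object NameTarget, Priority, Weight

#    ... whereas the site-specific record for HQ must not contain it.
Resolve-DnsName -Type SRV "_ldap._tcp.$hqSite._sites.dc._msdcs.$domain" |
    Select-Object NameTarget, Priority, Weight

# 5. Bad-password forwarding to the PDC emulator is controlled on the DC
#    that receives the logon by Netlogon's AvoidPdcOnWan value. Absent or 0
#    (the default) means the latent DC will chain a failed password check to
#    the PDC emulator, which is the behaviour Dean relies on above.
Invoke-Command -ComputerName $lazyDc -ScriptBlock {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    (Get-ItemProperty -Path $p).AvoidPdcOnWan   # $null or 0 = forwarding on
}
```

The two DNS queries are the useful check: if DC-LAZY turns up in the site-specific record for HQ, the subnet or site-link objects are wrong and clients will still pick it up; if it turns up only in the generic record, you are left with exactly the two exceptions Dean lists.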
 
Dean, thanks for the reply.

The motivation is merely the lazy replication schedule.

I was aware that appropriately configured site configurations would enable
us to "load" the server discovery process against this DC, but was looking
for a "belts and braces" solution that does not allow the server to process
a logon request, along the lines of pausing the Netlogon service on an NT4
domain controller.

It would seem that there is none, given the additional required
functionality of Netlogon in a Windows 2000 domain environment?

Thanks for your help

GT

 
Sadly, I fear I didn't provide you with much of a solution. That said, I
feel it's worth mentioning that you do have the ability to alter the way
a DC is ordered in a DNS server's round-robined response, i.e. pushed
to the bottom of an ordered list. The registry settings that impose
these rules worked in the RTM of 2000 and appeared broken in both SP1
and SP2; I haven't tried them again in later SPs but they work as
expected in Server 2003.

Other pieces to this puzzle-board of a solution remain but, having not
tested them in production, I am hesitant to recommend them.

Dean
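Dean does not name the registry settings. The ones I know of that let a DC demote its own SRV records are Netlogon's LdapSrvPriority and LdapSrvWeight values, which Netlogon writes into every SRV record it registers; I am assuming those are the settings he means. The following added PowerShell (my own example, not from the thread) sets them on the latent DC, forces re-registration and then verifies the resulting order in DNS. The domain corp.example is a placeholder; run it on the latent DC itself as an administrator. The caveat Graham was after still applies: this only pushes the DC to the bottom of the discovery list, and a client that is handed its name directly will still be authenticated by it.

```powershell
# Added example, not from the thread. Assumes the values Dean alludes to are
# LdapSrvPriority / LdapSrvWeight under Netlogon\Parameters. corp.example is
# a placeholder. Run on the latent DC as an administrator.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = 'corp.example'

# SRV semantics: clients try the lowest Priority number first and only fall
# through to a higher number when every lower-priority target is unreachable.
# Weight only breaks ties among records of equal priority. Defaults are
# Priority 0 and Weight 100, so 200 / 1 ranks this DC last on both counts.
Set-ItemProperty -Path $params -Name LdapSrvPriority -Type DWord -Value 200
Set-ItemProperty -Path $params -Name LdapSrvWeight   -Type DWord -Value 1

# Netlogon would pick the change up on its next registration cycle or on a
# service restart; force re-registration now instead of pausing anything.
nltest /dsregdns

# Verify from DNS: after re-registration this DC's records should sort last.
# Every record the DC registered (site-specific ones included) carries the
# same priority/weight, which is why the generic record is enough to check.
Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$domain" |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table NameTarget, Priority, Weight -AutoSize

# The values are per-DC, so confirm nothing else on the domain was touched:
Get-ItemProperty -Path $params |
    Select-Object LdapSrvPriority, LdapSrvWeight
```

If the records do not change after nltest /dsregdns, check that dynamic updates are allowed on the _msdcs zone and that no stale static copies of the SRV records exist; a statically created record will keep its old priority regardless of what Netlogon registers.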