[389-users] Password sync

jean-Noël Chardron Jean-Noel.Chardron at dr15.cnrs.fr
Tue Jul 7 10:54:31 UTC 2009


Hugo Etievant wrote:
> hello,
>
> jean-Noël Chardron wrote:
>> Hello,
>>
>> I have a network with two Windows 2000 servers; I suppose one is 
>> master (or primary) and one is secondary - I don't know exactly the 
>> vocabulary of Windows. The AD is "replicated" over the two Windows 
>> servers.
>>
>> I installed synchronization between the FDS server and the AD on a 
>> host (say the Windows-1 server), with a replication agreement;
>> then I installed the password sync on the Windows-1 host.
>> All is OK when the password is changed on the Windows-1 server: the 
>> password is synchronized to the FDS.
>>
>> Now when a user changes his password on a Windows XP station in the AD 
>> (the operation is CTRL+ALT+DEL then change password), the password is 
>> not necessarily synced to the FDS.
>> My hypothesis: it seems it depends on which Windows server the 
>> password has been changed. Sometimes the password is synced when, I 
>> suppose, the Windows1 server answers the request to change the 
>> password, but when the Windows2 server answers, the password is 
>> not synced.
>>
>> Is my hypothesis correct?
> Yes, it is correct.
> The password is captured in clear by the passsync service on the AD server 
> which is used by the workstation for the change-password operation.
> The master AD server gives the password to the slave servers in non-clear mode, and 
> the encrypted password cannot be captured by the passsync service.
>
>
>> Can I install the password sync program on the other Windows2 server 
>> even if the replication agreement is between the FDS and the Windows1 server? 
>> What will the behaviour be?
> No, you can't.
>
> In the AD-FDS synchronization architecture, only one synchronization 
> is allowed.
> If you install two passsync services on two AD servers you risk 
> creating problems in replication.
>
> cf. http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
> "WARNING : There can only be a single sync agreement between the 
> Directory Server environment and the Active Directory environment. 
> Multiple sync agreements to the same Active Directory domain can 
> create entry conflicts."
>
> This is the point of failure of the FDS/windows sync architecture.
>
>
Thank you for your reply.
However, by looking in the documentation PDF I found this:
9.2.4. Step 4: Install the Password Sync Service
Password Sync can be installed on every domain controller in the Active 
Directory domain in order to
synchronize Windows passwords.
I do not know how to interpret the above.
So I installed a second passSync.msi on the slave windows2 server.

> regards
>


-- 
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tel: (33) 5.57.35.58.41
fax: (33) 5.57.35.58.01
MSN : jnc at dr15.cnrs.fr