[389-users] Password sync
jean-Noël Chardron
Jean-Noel.Chardron at dr15.cnrs.fr
Tue Jul 7 10:54:31 UTC 2009
Hugo Etievant wrote:
> hello,
>
> jean-Noël Chardron wrote:
>> Hello,
>>
>> I have a network with two Windows 2000 servers; I suppose one is
>> master (or primary) and one is secondary - I don't know exactly the
>> vocabulary of Windows. The AD is "replicated" over the two Windows
>> servers.
>>
>> I installed synchronization between the FDS server and the AD on a
>> host (say Windows-1 server), with Agreement replication
>> then I installed the password sync on the Windows-1 host.
>> All is ok when the password is changed on the Windows-1 server, the
>> password is synchronized to the FDS.
>>
>> Now when a user changes his password on a Windows XP station in the AD
>> (the operation is CTRL+ALT+DEL then change password) the password is
>> not necessarily synced to the FDS.
>> My hypothesis: it seems it depends on which Windows server the
>> password has been changed. Sometimes the password is synced when, I
>> suppose, the Windows1 server answers the request to change the
>> password, but when the Windows2 server answers, then the password is
>> not synced.
>>
>> is my hypothesis correct ?
> Yes, it is correct.
> Password is captured in clear by passsync service into the AD server
> which is used by workstation for changing password operation.
> Master AD server gives password to slave servers in no-clear mode and
> crypted password cannot be captured by passsync service.
>
>
>> Can I install the password sync program on the other Windows2 server
>> even if the replicated agreement is between FDS and Windows1 server?
>> What will the behavior be?
> No, you can't.
>
> In the AD-FDS synchronization architecture, only one synchronization
> is allowed.
> If you install two passsync services into two AD servers you risk
> creating problems in replication.
>
> cf :
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
> "WARNING : There can only be a single sync agreement between the
> Directory Server environment and the Active Directory environment.
> Multiple sync agreements to the same Active Directory domain can
> create entry conflicts."
>
> This is the point of failure of the FDS/windows sync architecture.
>
>
Thank you for your reply.
However, by looking in the documentation PDF I found this:

9.2.4. Step 4: Install the Password Sync Service
Password Sync can be installed on every domain controller in the Active
Directory domain in order to synchronize Windows passwords.

I do not know how to interpret the above.
So I installed a second passSync.msi on the slave windows2 server.
> regards
>
--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tél : (33) 5.57.35.58.41
fax : (33) 5.57.35.58.01
MSN : jnc at dr15.cnrs.fr