[389-users] Password sync

jean-Noël Chardron Jean-Noel.Chardron at dr15.cnrs.fr
Tue Jul 7 15:58:09 UTC 2009


Rich Megginson wrote:
> jean-Noël Chardron wrote:
>> Hugo Etievant wrote:
>>> hello,
>>>
>>> jean-Noël Chardron wrote:
>>>> Hello,
>>>>
>>>> I have a network with two Windows 2000 servers; I suppose one is the 
>>>> master (or primary) and one is the secondary - I don't know exactly 
>>>> the Windows vocabulary. The AD is "replicated" over the two 
>>>> Windows servers.
>>>>
>>>> I installed synchronization between the FDS server and the AD on one 
>>>> host (say the Windows-1 server), with a replication agreement; 
>>>> then I installed the password sync on the Windows-1 host.
>>>> All is OK when the password is changed on the Windows-1 server: the 
>>>> password is synchronized to the FDS.
>>>>
>>>> Now, when a user changes his password on a Windows XP station in the 
>>>> AD (the operation is CTRL+ALT+DEL, then change password), the 
>>>> password is not necessarily synced to the FDS.
>>>> My hypothesis: it seems to depend on which Windows server the 
>>>> password has been changed on. Sometimes the password is synced when, I 
>>>> suppose, the Windows-1 server answers the request to change the 
>>>> password, but when the Windows-2 server answers, the password 
>>>> is not synced.
>>>>
>>>> Is my hypothesis correct?
>>> Yes, it is correct.
>>> The password is captured in clear by the passsync service on the AD server 
>>> which is used by the workstation for the change-password operation.
>>> The master AD server gives the password to the slave servers in non-clear form, and 
>>> the encrypted password cannot be captured by the passsync service.
>>>
>>>
>>>> Can I install the password sync program on the other Windows-2 
>>>> server even if the replication agreement is between the FDS and the 
>>>> Windows-1 server? What will the behaviour be?
>>> No, you can't.
>>>
>>> In the AD-FDS synchronization architecture, only one synchronization 
>>> is allowed.
>>> If you install two passsync services on two AD servers you take the 
>>> risk of creating problems in replication.
>>>
>>> cf: 
>>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>>> "WARNING: There can only be a single sync agreement between the 
>>> Directory Server environment and the Active Directory environment. 
>>> Multiple sync agreements to the same Active Directory domain can 
>>> create entry conflicts."
>>>
>>> This is the point of failure of the FDS/Windows sync architecture.
>>>
>>>
>> Thank you for your reply.
>> However, by looking in the PDF documentation I found this:
>> 9.2.4. Step 4: Install the Password Sync Service
>> Password Sync can be installed on every domain controller in the 
>> Active Directory domain in order to 
>> synchronize Windows passwords.
>> I do not know how to interpret the above,
>> so I installed a second PassSync.msi on the slave Windows-2 server.
> Windows sync (the part that goes from DS to AD) is single master - but 
> password changes are the exception to this - in fact you must install 
> PassSync.msi on every AD domain controller to get all of the password 
> changes.
OK, thanks.
Perhaps an update of the documentation would be welcome, because for me 
it was not obvious that it has to be installed on all the Windows domain servers. 
I installed the PassSync.msi just on the master Windows server, so the 
FDS has missed many password updates.


-- 
Jean-Noel Chardron
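The practical consequence of Rich's answer is that any writable domain controller without a running PassSync service silently drops the password changes it services. The following PowerShell inventory is an added example (not from this thread, and not part of 389/FDS or PassSync); it assumes the ActiveDirectory module is available, that the account running it may query services on each DC remotely, and that the Windows service registered by PassSync.msi is named "PassSync" (a hypothetical default; pass -ServiceName if yours differs).

```powershell
# Added example, not from the mailing-list thread: report which domain
# controllers are missing the PassSync service (ASSUMED service name
# 'PassSync'; override with -ServiceName if your install differs).
param(
    [string]$ServiceName = 'PassSync'
)

Import-Module ActiveDirectory

# Any writable DC can service a user's CTRL+ALT+DEL password change and
# is the only place the clear-text password is visible; DCs that receive
# the change via AD replication only ever see it in hashed form.
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

$report = foreach ($dc in $dcs) {
    $status = 'missing or unreachable'
    try {
        $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction Stop
        $status = [string]$svc.Status   # 'Running' or 'Stopped'
    } catch {
        # Either the service is not installed on this DC or the DC could
        # not be queried; both are gaps that need a human look.
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        IsReadOnly       = $dc.IsReadOnly
        PassSync         = $status
    }
}

$report | Format-Table -AutoSize

# Read-only DCs forward password changes to a writable DC, so only
# writable DCs without a running PassSync service lose changes.
$gaps = @($report | Where-Object { -not $_.IsReadOnly -and $_.PassSync -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning ("PassSync is not running on {0} writable DC(s): {1}" -f `
        $gaps.Count, ($gaps.DomainController -join ', '))
} else {
    Write-Host "PassSync is running on every writable domain controller."
}
```

Run it from a management host after each DC promotion as well, since a newly added DC starts out in the gap list.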