Solved

Query on password changes in an AD environment

Posted on 2010-01-05
Last Modified: 2012-05-08
Hi

I had some queries on password changes in an AD environment I was hoping someone could help me with.

We are running AD 2003 in our domain. Let's say we have three AD sites; London, Paris, Munich.

Each AD site has two DC's, apart from London which has three. LON-DC3 is the PDC Emulator.

The replication interval between London and Munich is set to 180 minutes.

QUESTION 1: Let's say that someone makes a password change on MUNICH-DC1. Is this change replicated to the PDC Emulator immediately? Or will it be replicated at the next replication cycle (so up to 180 minutes)?

QUESTION 2: Let's say that User1's account is locked out, and has been for about 5 days. On MUNICH-DC1, the account is unlocked. The user then tries to log onto a client machine in Munich. Assuming AD Sites and Services is set correctly with all Munich IP addresses pointing to the Munich site, would he be able to log on, or would he need to change for the password change to be replicated to the PDC Emulator?
Question by:kam_uk
14 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1000 total points
ID: 26180141
In both cases the change is regarded as URGENT and immediately replicated to all DCs in the same site, however the information will only be replicated to other sites at the specified replication intervals and there will be some latency involved - see http://www.informit.com/articles/article.aspx?p=21472
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 1000 total points
ID: 26180168

1. Best described here:

http://technet.microsoft.com/en-us/library/cc772726%28WS.10%29.aspx

See "Replication of Password Changes".

So in your scenario, the PDC Emulator is notified immediately, for everything else your normal replication process applies.

If the user logs on using a DC that does not have the changed password, the DC will not deny authorisation until after it has checked with the PDC Emulator (which, in turn, will be aware of the password change).

2. Same article, this time see the section titled "Urgent Replication of Account Lockout Changes".

HTH

Chris
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26180180

> In both cases the change is regarded as URGENT

Password changes are *not* regarded as Urgent. It has a slightly different approach to replication than the lockout (which is regarded as urgent).

Chris
 
LVL 70

Expert Comment

by:KCTS
ID: 26180237
From MS http://technet.microsoft.com/en-us/library/cc772726(WS.10).aspx#w2k3tr_repup_how_huzs

Password changes are replicated differently than both normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user's password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the domain, the PDC emulator.

In Active Directory, when a user password is changed at a domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules on site links. The updated password is propagated to other domain controllers by normal replication within a site.

When the user logs on to a domain and is authenticated by a domain controller that does not have the updated password, the domain controller refers to the PDC emulator to check the credentials of the user name and password rather than denying authentication based on an invalid password. Therefore, the user can log on successfully even when the authenticating domain controller has not yet received the updated password. On domain controllers that are running Windows Server 2003 or Windows 2000 Server with SP4, if the authentication is successful at the PDC emulator, the PDC emulator replicates the password immediately to the requesting domain controller to prevent that domain controller from having to check the PDC emulator again.

If the update at the PDC emulator fails for any reason, the password change is replicated non-urgently by normal replication.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26180249

Which is the section I advised reading above :)

Chris
 
LVL 70

Expert Comment

by:KCTS
ID: 26180276
So it is - my humble apologies.
 
LVL 3

Author Comment

by:kam_uk
ID: 26180333
Thanks guys - appreciate the help!

Ok - so let's say we change user A's password on MUNICH-DC1, and also unlock his account which was previously locked.

He then tries to log onto a client machine in London (LONDON-CLIENT1).

From what I understand, the replication of the unlocking and password change should have been replicated immediately from MUNICH-DC1 to LONDON-DC3 (the PDC Emulator). Even if the DC that LON-CLIENT1 was connecting to when User1 tries to logon (e.g. LONDON-DC1) hadn't replicated with LONDON-DC3 yet, it would still check with LONDON-DC3 before denying the logon?

But when you say immediately, there has to be time for the change to travel across the WAN and also for the change to take effect in the NTDS database, so it wouldn't be immediate? Perhaps a few minutes or longer?

Secondly, is there any reason why LONDON-CLIENT1 would not allow User1 to logon after the password was changed on MUNICH-DC1?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26180458

> before denying the logon?

Correct.

> But when you say immediately, there has to be time for the change to travel across the WAN and also
> for the change to take effect in the NTDS database, so it wouldn't be immediate? Perhaps a few
> minutes or longer?

The database will be memory resident at this point, so the time to commit the change should be negligible.

You're right that network conditions will affect how quickly a change can be replicated. But there we're only likely to care about latency; the size of the notification will also be negligible (rendering bandwidth fairly irrelevant).

Of course, if the DC the password is changed on is completely unable to communicate with others then neither the notification nor the change will go anywhere.

> Secondly, is there any reason why LONDON-CLIENT1 would not allow User1 to logon after the
> password was changed on MUNICH-DC1?

With the client authenticating against LONDON-DC1? Only if the PDC is not aware that the password has been changed. That's covered by this statement from the article above:

  "If the update at the PDC emulator fails for any reason, the password change is
  replicated non-urgently by normal replication."

At that point the 180 minute replication interval will come back into play.

Chris
 
LVL 3

Author Comment

by:kam_uk
ID: 26180477
Thanks again...

"If the update at the PDC emulator fails for any reason, the password change is
  replicated non-urgently by normal replication."

Under what circumstance would the update fail? Are we talking if the PDC was actually down - or could the update fail for minor reasons and be quite likely?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26180525

When the PDC is down, or unreachable over the network. The remote DC will need to connect directly to the PDC (using RPC), if it cannot, normal replication will be used.

Chris
 
LVL 70

Expert Comment

by:KCTS
ID: 26180536
Unlocking is NOT urgent - see the above article.
PDC down is the most likely scenario for it failing to update.
 
LVL 3

Author Comment

by:kam_uk
ID: 26180553
Ah, so even though account LOCKING *is* urgent, account UNLOCKING is *not* urgent?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26180579

Correct, an unlock event will be subject to the replication schedule. And the PDC will have no early notification that the account is unlocked.

Chris
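To check both behaviours discussed in this thread (password changes forwarded to the PDC emulator immediately, unlocks waiting for the normal replication schedule) rather than reasoning about them, an administrator can read the same attributes from every DC and compare them against the PDC emulator. The script below is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read pwdLastSet and lockoutTime on each DC. Get-ReplicationState is a name chosen for this example.

```powershell
# Added example (not part of the original thread): report, per DC, whether a
# user's pwdLastSet and lockoutTime match the values held by the PDC emulator.
# After a password change, the PDC should converge first (it is notified
# directly); other DCs follow on the normal schedule. After an unlock, no DC
# gets early notification, so every DC converges on the schedule.
# Assumes the RSAT ActiveDirectory module and read rights on the attributes.
Import-Module ActiveDirectory

function Get-ReplicationState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $pdc = (Get-ADDomain).PDCEmulator

    # Reference values: what the PDC emulator currently holds.
    $ref = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties pwdLastSet, lockoutTime
    $refPwd  = [int64]$ref.pwdLastSet
    $refLock = [int64]$ref.lockoutTime   # $null (never locked) becomes 0

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet, lockoutTime
            $pwd  = [int64]$u.pwdLastSet
            $lock = [int64]$u.lockoutTime

            [pscustomobject]@{
                DC            = $dc.HostName
                Site          = $dc.Site
                IsPDC         = ($dc.HostName -eq $pdc)
                # pwdLastSet is a FILETIME; 0 means "must change at next logon".
                PwdLastSetUtc = if ($pwd -ne 0) { [DateTime]::FromFileTimeUtc($pwd) } else { $null }
                PwdConverged  = ($pwd -eq $refPwd)
                # lockoutTime 0 = not locked. A non-zero value only means locked
                # while it is still within the domain's lockout duration.
                LockoutSet    = ($lock -ne 0)
                LockConverged = ($lock -eq $refLock)
            }
        }
        catch {
            # An unreachable DC cannot have received the change either way.
            [pscustomobject]@{
                DC            = $dc.HostName
                Site          = $dc.Site
                IsPDC         = ($dc.HostName -eq $pdc)
                PwdLastSetUtc = $null
                PwdConverged  = $false
                LockoutSet    = $null
                LockConverged = $false
                Error         = $_.Exception.Message
            }
        }
    }
}

# Usage: run once right after the change on MUNICH-DC1, then again later.
Get-ReplicationState -SamAccountName 'user1' | Format-Table -AutoSize
```

Run it immediately after changing a password on a DC in one site: the originating DC and the PDC emulator should show PwdConverged as True while DCs in other sites show False until the site link schedule fires. Run it after an unlock and every DC except the originating one will show LockConverged as False until normal replication runs, which is the difference Chris Dent describes above. If a row shows an Error, that DC was unreachable, which is also the condition under which the PDC forwarding falls back to normal replication. The originating DC and version number for either attribute can be confirmed with `repadmin /showobjmeta <DC> <user DN>`.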
 
LVL 3

Author Comment

by:kam_uk
ID: 26180669
Thanks both!