Solved

Fallback to NTLM in case of domain controller disconnection

Posted on 2011-03-01
Last Modified: 2012-05-11
Hi experts,
1. Is it correct that the entire file share mechanism in a Windows Server 2003 environment works with NTLM, meaning that if the domain controller is dropped, I will still have share capabilities?

2. Regardless of that, is it correct that if I lose connection to the domain controller (in a Server 2003 environment), all the components will fall back to the NTLM mechanism and potentially all the basic services should work (printing, IIS, sharing...)?
Thanks in advance,
Question by:WAS_Infra
1 Comment
 

Accepted Solution

by:
rscottvan earned 2000 total points
ID: 35008449
NTLM is an authentication type, but has no bearing on your question.  NTLM or Kerberos can be used to authenticate with a Domain Controller, or a Member Server, or a Standalone Server, or a workstation.  Kerberos is a more secure mechanism.

If a system cannot connect to a Domain Controller to authenticate users, it will still authenticate them if they have previously logged on to that system.  This is because the local Security Account Management database will cache the credentials of anyone who has previously logged on, and will authenticate the user against those cached credentials if a DC cannot be reached.  (This is default behavior; it can be disabled if desired.)

So, if a user has never accessed a server resource (like a share) and tries to access it for the first time when a DC is not available, they will not be able to authenticate to use the resource.  However, if they have previously accessed any resource on that server, the server will grant access so long as the user is using the same credentials as the last time they accessed the resource.

Read more about it here:
http://support.microsoft.com/kb/913485
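
The answer above says that caching logons for use when no DC is reachable is the default and can be disabled. As an added example (not part of the original answer), this PowerShell function audits the `CachedLogonsCount` value under the Winlogon key, which controls that behavior, and reports whether caching is enabled on a server. The function name and the sample values are constructed for illustration; the default of 10 when the value is absent and the cap of 50 are assumptions taken from Microsoft's documentation of this setting for Windows Server 2003.

```powershell
# Added example: interpret and audit the cached-logon setting.
# ConvertTo-CachedLogonStatus is a hypothetical helper name, not a built-in cmdlet.
function ConvertTo-CachedLogonStatus {
    param([string]$RawValue)   # registry data as stored (REG_SZ); empty if the value is absent

    $default = 10              # assumption: documented default when the value is not set
    if ([string]::IsNullOrEmpty($RawValue)) {
        $count  = $default
        $source = 'default (value not set)'
    } else {
        $parsed = 0
        $ok = [int]::TryParse($RawValue, [ref]$parsed)
        if ((-not $ok) -or ($parsed -lt 0)) {
            throw "CachedLogonsCount is not a non-negative integer: '$RawValue'"
        }
        $count  = [Math]::Min($parsed, 50)   # assumption: values above 50 are treated as 50
        $source = 'registry'
    }

    New-Object PSObject -Property @{
        CachedLogonsCount = $count
        Source            = $source
        CachingEnabled    = ($count -gt 0)   # 0 disables logon caching entirely
    }
}

# Constructed sample values, so the interpretation can be checked on any machine.
foreach ($sample in '10', '0', '75', '') {
    $status = ConvertTo-CachedLogonStatus -RawValue $sample
    '{0,-4} -> count={1}, enabled={2}, source={3}' -f "'$sample'",
        $status.CachedLogonsCount, $status.CachingEnabled, $status.Source
}

# Live check against the local machine (Windows only; skipped elsewhere).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $key) {
    $raw = (Get-ItemProperty -Path $key).CachedLogonsCount
    ConvertTo-CachedLogonStatus -RawValue $raw | Format-List
}
```

The same value is managed through the security policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", so a domain GPO may override what is set locally.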