AD Password Sync Question

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Friday, December 12, 2008 1:11 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: AD Password Sync Question
> 
> Christopher Barry wrote:
> > Greetings,
> >
> > After reading chapter 19 of the RH docs about AD integration, I have a question regarding the 'lifetime' and locality of the plaintext password, and how this actually gets captured and sync'd.
> >
> > In a multi-site AD Enterprise, with a lot of DCs, would the password sync service need to run on every DC,
> Yes.
> > with a partnership to the one master master Directory Server?
> Yes, that's the best way.  You can point passsync at any master anywhere, as long as you are prepared to deal with latency issues (e.g. if you add a user then immediately change the password, you may have to wait for that new user to show up on your local replica first).
> > I'm wondering how if a user in Texas changes their password, it gets placed into the Directory Server Master in Pennsylvania.
> >
> The DS MMR protocol will update the password on all other DS servers.
> >
> > Thanks,
> > -C
> >

Thanks Rich for your quick response. 
I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS. 
Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?

Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?

Thanks a lot,
-C



