jean-Noël Chardron wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> jean-Noël Chardron wrote:
>>> Hello,
>>>
>>> I have a network with two Windows 2000 servers. I suppose one is
>>> master (or primary) and one is secondary - I don't know exactly the
>>> vocabulary of Windows. The AD is "replicated" over the two Windows
>>> servers.
>>>
>>> I installed synchronization between the FDS server and the AD on a
>>> host (say Windows-1 server), with Agreement replication,
>>> then I installed the password sync on the Windows-1 host.
>>> All is OK when the password is changed on the Windows-1 server: the
>>> password is synchronized to the FDS.
>>>
>>> Now when a user changes his password on a Windows XP station in the
>>> AD (the operation is CTRL+ALT+DEL then change password) the
>>> password is not necessarily synced to the FDS.
>>> My hypothesis: it seems it depends on which Windows server the
>>> password has been changed on. Sometimes the password is synced when, I
>>> suppose, the Windows1 server answers the request to change the
>>> password, but when the Windows2 server answers, then the password is
>>> not synced.
>>>
>>> Is my hypothesis correct?
>> Yes, it is correct.
>> Password is captured in clear by passsync service into the AD server
>> which is used by workstation for changing password operation.
>> Master AD server gives password to slave servers in no-clear mode and
>> crypted password cannot be captured by passsync service.
>>
>>
>>> Can I install the password sync program on the other Windows2
>>> server even if the replication agreement is between FDS and Windows1
>>> server? What will the behavior be?
>> No, you can't.
>>
>> In the AD-FDS synchronization architecture, only one synchronization
>> is allowed.
>> If you install two passsync services into two AD servers you risk
>> creating problems in replication.
>>
>> cf:
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>> "WARNING : There can only be a single sync agreement between the
>> Directory Server environment and the Active Directory environment.
>> Multiple sync agreements to the same Active Directory domain can
>> create entry conflicts."
>>
>> This is the point of failure of the FDS/Windows sync architecture.
>>
>>
> Thank you for your reply.
> However, by looking in the documentation PDF I found this:
> 9.2.4. Step 4: Install the Password Sync Service
> Password Sync can be installed on every domain controller in the
> Active Directory domain in order to
> synchronize Windows passwords.
> I do not know how to interpret the above.
> So I installed a second passSync.msi on the slave Windows2 server.

Windows sync (the part that goes from DS to AD) is single master - but
password changes are the exception to this - in fact you must install
PassSync.msi on every AD domain controller to get all of the password
changes.

>
>> regards
>>
>