Rich Megginson wrote:
> Jean-Noël Chardron wrote:
>> Hugo Etievant wrote:
>>> hello,
>>>
>>> Jean-Noël Chardron wrote:
>>>> Hello,
>>>>
>>>> I have a network with two Windows 2000 servers. I suppose one is
>>>> master (or primary) and one is secondary - I don't know exactly
>>>> the vocabulary of Windows. The AD is "replicated" over the two
>>>> Windows servers.
>>>>
>>>> I installed synchronization between the FDS server and the AD on a
>>>> host (say Windows-1 server), with a replication agreement,
>>>> then I installed the password sync on the Windows-1 host.
>>>> All is OK when the password is changed on the Windows-1 server: the
>>>> password is synchronized to the FDS.
>>>>
>>>> Now when a user changes his password on a Windows XP station in the
>>>> AD (the operation is CTRL+ALT+DEL then change password) the
>>>> password is not necessarily synced to the FDS.
>>>> My hypothesis: it seems it depends on which Windows server the
>>>> password has been changed on. Sometimes the password is synced when, I
>>>> suppose, the Windows1 server answers the request to change the
>>>> password, but when the Windows2 server answers, then the password
>>>> is not synced.
>>>>
>>>> Is my hypothesis correct?
>>> Yes, it is correct.
>>> The password is captured in clear by the passsync service on the AD server
>>> which is used by the workstation for the password change operation.
>>> The master AD server gives the password to slave servers in non-clear mode, and
>>> the encrypted password cannot be captured by the passsync service.
>>>
>>>
>>>> Can I install the password sync program on the other Windows2
>>>> server even if the replication agreement is between FDS and
>>>> the Windows1 server? What will the behavior be?
>>> No, you can't.
>>>
>>> In the AD-FDS synchronization architecture, only one synchronization
>>> is allowed.
>>> If you install two passsync services on two AD servers you risk
>>> creating problems in replication.
>>>
>>> cf:
>>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>>> "WARNING : There can only be a single sync agreement between the
>>> Directory Server environment and the Active Directory environment.
>>> Multiple sync agreements to the same Active Directory domain can
>>> create entry conflicts."
>>>
>>> This is the point of failure of the FDS/Windows sync architecture.
>>>
>>>
>> Thank you for your reply.
>> However, by looking in the documentation PDF I found this:
>> 9.2.4. Step 4: Install the Password Sync Service
>> Password Sync can be installed on every domain controller in the
>> Active Directory domain in order to
>> synchronize Windows passwords.
>> I do not know how to interpret the above.
>> So I installed a second PassSync.msi on the slave Windows2 server.
> Windows sync (the part that goes from DS to AD) is single master - but
> password changes are the exception to this - in fact you must install
> PassSync.msi on every AD domain controller to get all of the password
> changes.

OK thanks, perhaps an update of the documentation would be welcome,
because for me it was not obvious that I had to install it on all the Windows domain
servers. I installed PassSync.msi just on the master Windows server,
so the FDS has missed many password updates.

>>
>>> regards
>>>
>>
>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Jean-Noel Chardron