Rich Megginson wrote:
jean-Noël Chardron wrote:
Hugo Etievant wrote:
hello,
jean-Noël Chardron wrote:
Hello,
I have a network with two Windows 2000 servers. I suppose one is
master (or primary) and one is secondary - I don't know exactly
the vocabulary of Windows. The AD is "replicated" over the two
Windows servers.
I installed synchronization between the FDS server and the AD on a
host (say Windows-1 server), with Agreement replication,
then I installed the password sync on the Windows-1 host.
All is ok when the password is changed on the Windows-1 server: the
password is synchronized to the FDS.
Now when a user changes his password on a Windows XP station in the
AD (the operation is CTRL+ALT+DEL then change password) the
password is not necessarily synced to the FDS.
My hypothesis: it seems it depends on which Windows server the
password has been changed. Sometimes the password is synced when, I
suppose, the Windows1 server answers the request to change the
password, but when the Windows2 server answers, then the password
is not synced.
Is my hypothesis correct?
Yes, it is correct.
The password is captured in clear by the passsync service on the AD server
which is used by the workstation for the password change operation.
The master AD server gives the password to slave servers in non-clear mode, and
the encrypted password cannot be captured by the passsync service.
Can I install the password sync program on the other Windows2
server even if the replication agreement is between FDS and the
Windows1 server? What will the behavior be?
No, you can't.
In the AD-FDS synchronization architecture, only one synchronization
is allowed.
If you install two passsync services on two AD servers, you
risk creating problems in replication.
cf :
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
"WARNING : There can only be a single sync agreement between the
Directory Server environment and the Active Directory environment.
Multiple sync agreements to the same Active Directory domain can
create entry conflicts."
This is the point of failure of the FDS/windows sync architecture.
Thank you for your reply.
However, by looking in the documentation PDF I found this:
9.2.4. Step 4: Install the Password Sync Service
Password Sync can be installed on every domain controller in the
Active Directory domain in order to synchronize Windows passwords.
I do not know how to interpret the above.
So I installed a second PassSync.msi on the slave Windows2 server.
Windows sync (the part that goes from DS to AD) is single master - but
password changes are the exception to this - in fact you must install
PassSync.msi on every AD domain controller to get all of the password
changes.
Ok, thanks.
Perhaps an update of the documentation would be welcome, because for me
it was not obvious that I had to install on all the Windows domain servers.
I installed PassSync.msi just on the master Windows server, so the
FDS has missed many password updates.
Regards
------------------------------------------------------------------------
--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Jean-Noel Chardron