ADAM UserProxy Authentication (Which Domain Controller?)

Hello all,

I'm using an ADAM LDAP server populated with userProxyFull objects for a number of web applications and I wanted to know how to know which of the many DCs in my company's system the ADAM server is using for authentication. Is there a way to specify this so that it always uses one in close proximity?

Thanks,

Marc

Hi,

for bindProxy authentication ADAM uses LogonUser [1]. I have never tested how LogonUser [2] interacts with the AD sites model (if it does)...are your ADAM instances in subnets assigned to AD sites?

Lee Flight

[1] e.g. http://support.microsoft.com/kb/940448
[2] http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx

"Marc" <elliottm***@gmail.com> wrote in message news:b5fe08a2-28f2-46d4-ac97-183983c08b6c@37g2000yqp.googlegroups.com...
> Hello all,
>
> I'm using an ADAM LDAP server populated with userProxyFull objects for
> a number of web applications and I wanted to know how to know which of
> the many DCs in my company's system the ADAM server is using for
> authentication. Is there a way to specify this so that it always uses
> one in close proximity?
>
> Thanks,
>
> Marc

Yes, it uses the site model so it is probably connecting to a DC at the same site. The use case I get is like this:

* user changes password at site Y
* attempt to logon to ADAM application at site X
* because replication hasn't yet happened between the DC at Y and X, the logon fails

On Mar 24, 6:36 am, "Lee Flight" <l***@le.ac.uk-nospam> wrote:
> Hi,
> for bindProxy authentication ADAM uses LogonUser [1].
> I have never tested how LogonUser [2] interacts with the AD
> sites model (if it does)...are your ADAM instances in subnets
> assigned to AD sites?
>
> Lee Flight
>
> [1] e.g. http://support.microsoft.com/kb/940448
> [2] http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx
>
> "Marc" <elliottm***@gmail.com> wrote in message
>
> news:b5fe08a2-28f2-46d4-ac97-183983c08b6c@37g2000yqp.googlegroups.com...
>
> > Hello all,
>
> > I'm using an ADAM LDAP server populated with userProxyFull objects for
> > a number of web applications and I wanted to know how to know which of
> > the many DCs in my company's system the ADAM server is using for
> > authentication. Is there a way to specify this so that it always uses
> > one in close proximity?
>
> > Thanks,
>
> > Marc

Hi,

I think AD should handle that case as the password change in site Y should be notified to the DC that has the PDC emulator (FSMO) role in (whatever) site, the failed authentication in site X should be checked against the PDC. I think that all still applies in latest AD DS, however that behavior is configurable (AvoidPDCOnWan) so what you describe may occur.

Lee Flight

"Marc" <elliottm***@gmail.com> wrote in message news:dded203f-6967-43f0-9af8-a6b37993714d@w35g2000yqm.googlegroups.com...
> Yes, it uses the site model so it is probably connecting to a DC at
> the same site. The use case I get is like this:
>
> * user changes password at site Y
> * attempt to logon to ADAM application at site X
> * because replication hasn't yet happened between the DC at Y and X,
> the logon fails
>
>
> On Mar 24, 6:36 am, "Lee Flight" <l***@le.ac.uk-nospam> wrote:
>> Hi,
>> for bindProxy authentication ADAM uses LogonUser [1].
>> I have never tested how LogonUser [2] interacts with the AD
>> sites model (if it does)...are your ADAM instances in subnets
>> assigned to AD sites?
>>
>> Lee Flight
>>
>> [1] e.g. http://support.microsoft.com/kb/940448
>> [2] http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx
>>
>> "Marc" <elliottm***@gmail.com> wrote in message
>>
>> news:b5fe08a2-28f2-46d4-ac97-183983c08b6c@37g2000yqp.googlegroups.com...
>>
>> > Hello all,
>>
>> > I'm using an ADAM LDAP server populated with userProxyFull objects for
>> > a number of web applications and I wanted to know how to know which of
>> > the many DCs in my company's system the ADAM server is using for
>> > authentication. Is there a way to specify this so that it always uses
>> > one in close proximity?
>>
>> > Thanks,
>>
>> > Marc
>

This is the way it is supposed to work for sure. I don't have a good idea where to go looking to try to find out what the problem is. It would be interesting if another network login originating from the same server that ADAM is on would produce the same failure. If AvoidPDCOnWan is enabled, then I think this is the expected behavior and you just have to wait for replication. If AvoidPDCOnWan is disabled, then it would seem like the problem might be related to the PDCe itself.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"Lee Flight" <l**@le.ac.uk-nospam> wrote in message news:%23Zi23OMrJHA.1300@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> I think AD should handle that case as the password change in site Y should
> be notified
> to the DC that has the PDC emulator (FSMO) role in (whatever) site, the
> failed authentication in site X should be checked against the PDC. I think
> that all still applies in latest AD DS, however that behavior is
> configurable (AvoidPDCOnWan) so what you describe may occur.
>
> Lee Flight
>
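
Added example, not part of the original thread or written by any of its posters: a PowerShell diagnostic for the scenario discussed above, reporting the site and DC the locator returns for the ADAM host, the PDC emulator, the AvoidPdcOnWan setting on the located DC, and whether a user's pwdLastSet has converged between that DC and the PDCe. It assumes the ADAM host is domain-joined, the caller can read the DC's registry remotely (Remote Registry service running, admin rights), and that AvoidPdcOnWan is at its usual Netlogon\Parameters location with an absent value meaning 0; the function names and the `$SamAccountName` parameter are hypothetical.

```powershell
# Added diagnostic sketch; run on the ADAM host under a domain account.
# $SamAccountName: the AD account that the userProxy object points at.
param([Parameter(Mandatory)][string]$SamAccountName)

# Refuse characters that would alter the LDAP filter below.
if ($SamAccountName -notmatch '^[\w.\-$]+$') { throw 'Unexpected characters in account name' }

Add-Type -AssemblyName System.DirectoryServices

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$site    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$pdc     = $domain.PdcRoleOwner.Name
# DC the site-aware locator returns for this host (may differ from the
# Netlogon secure-channel DC; compare with: nltest /sc_query:<domain>).
$located = $domain.FindDomainController($site.Name).Name

function Get-PwdLastSet([string]$Dc, [string]$Sam) {
    # Read pwdLastSet from one specific DC so per-DC replication state is visible.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter = "(&(objectCategory=person)(sAMAccountName=$Sam))"
    [void]$ds.PropertiesToLoad.Add('pwdLastSet')
    $hit = $ds.FindOne()
    if (-not $hit) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$hit.Properties['pwdlastset'][0])
}

function Get-AvoidPdcOnWan([string]$Dc) {
    # The value lives on the DC, not on the ADAM host; absent is treated as 0.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
    if ($key) { [int]$key.GetValue('AvoidPdcOnWan', 0) } else { 0 }
}

$local = Get-PwdLastSet $located $SamAccountName
$atPdc = Get-PwdLastSet $pdc     $SamAccountName

[pscustomobject]@{
    Site              = $site.Name
    LocatedDC         = $located
    PdcEmulator       = $pdc
    AvoidPdcOnWan     = Get-AvoidPdcOnWan $located
    PwdLastSetLocal   = $local
    PwdLastSetPdc     = $atPdc
    PasswordConverged = ($local -eq $atPdc)
}
```

If PasswordConverged is False while AvoidPdcOnWan is 1, the failure Marc describes matches the "wait for replication" case; if AvoidPdcOnWan is 0 and logons still fail, the PDCe path Joe mentions is the next thing to examine.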