Which server process the password change?
hi there,
as far know when user's password gets reset on dc (domain controller), dc replicate changes dc holds pdc emulator role right away.
my questions are:
1. when user changes own password (using ctrl+alt+del -> change password...), machine talk directly pdc emulator?
2. if so, happens if pdc emulator unavailable , role haven't been seized (manually) dc, password changes processed temporary active dc?
thanks!
the dc connected changes password in copy of ad database, forwards change dc pdc emulator role. if dc not available, password change still propogate normal replication.
however, if user attempts use new password, , dc user connected believes password wrong, dc forward authentication request pdc emulator verification. if normal replication has not yet passed new password dc's, , pdc emulator still not available, user may not able authenticate new password. if user makes enough attempts, locked out.
edit: in past i tested in lab setup pdc emulator unavailable. found when user attempts logon bad password bad password count can incremented more 1 each bad password attempt when pdc emulator down. user can locked out sooner expected. however, tested bad password, 1 did not match either correct password, or 1 in password history. if user attempts logon previous password, authentication attempt still forwarded pdc emulator, bad password count not incremented, long bad password among 2 recent passwords in history.
richard mueller - mvp enterprise mobility (directory services)
Windows Server > Directory Services
Comments
Post a Comment