AD password syncing, replication, & Exchange

Chad Bailey
Here's the problem....

We have one 2003 domain spread over multiple physical sites. Each site
is connected to the main site by WAN links and has a local domain
controller. The main office site has an Exchange server which hosts all
client mailboxes, including the ones for the remote site users.

The problem we have is with password synchronization timing. For
example, if a user's password expires and they have to change it on
their client, and they are in the home site where the Exchange server is
located, there are no issues.

BUT!... if a user at one of the remote sites changes their password, the
synchronization is such in AD across the remote links that Exchange does
not get the updated information until the next replication time, which at
the shortest is 15 minutes. So this person is locked out of Exchange
until the AD replication is sent to the home site.

In AD, I have defined individual subnets and sites for these remote
locations. As best I can tell, when you define different sites, it is
impossible to reduce the replication time under 15 minutes. And that is
what presents the password syncing issues for us.

Is there any way around this problem?

Thanks for any advice.

Chad
 
Re: AD password syncing, replication, & Exchange

Hello Chad,

If a DC other than the PDC emulator receives an authentication request with
a bad password, before it rejects the authentication request outright it
will refer the authentication request to the PDC emulator.

So make sure Exchange has the PDC emulator configured under the ESM "Recipient
Update Service".

See here about the password replication; scroll down to "Replication of
Password Changes":
http://technet2.microsoft.com/windo...b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true

http://www.microsoft.com/technet/abouttn/flash/tips/tips_060805.mspx

Do you use OWA from Exchange?

Also check this document, searching it for Exchange:
http://www.microsoft.com/downloads/...90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Here's the problem....
>
> We have one 2003 domain spread over multiple physical sites. Each site
> is connected to the main site by WAN links and has a local domain
> controller. The main office site has an Exchange server which hosts
> all client mailboxes, including the ones for the remote site users.
>
> The problem we have is with password synchronization timing. For
> example, if a user's password expires and they have to change it on
> their client, and they are in the home site where the Exchange server
> is located, there are no issues.
>
> BUT!... if a user at one of the remote sites changes their password,
> the synchronization is such in AD across the remote links that
> Exchange does not get the updated information until the next
> replication time which at the shortest is 15 minutes. So this person
> is locked out of Exchange until the AD replication is sent to the home
> site.
>
> In AD, I have defined individual subnets and sites for these remote
> locations. As best I can tell, when you define different sites, it is
> impossible to reduce the replication time under 15 minutes. And that
> is what presents the password syncing issues for us.
>
> Is there any way around this problem?
>
> Thanks for any advice.
>
> Chad
>
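The checks behind the reply above, as an added example that is not part of the original thread: find the PDC emulator (password changes are pushed to it immediately, and other DCs retry a failed logon against it), find which DC the Exchange host is authenticating against, compare the replication metadata of the user's pwdLastSet attribute on every DC to see which ones already hold the new password, and force a pull from the PDC emulator if the Exchange-facing DC is behind. It assumes the ActiveDirectory PowerShell module (RSAT) and repadmin.exe are installed on the machine it runs from, that the caller has replication rights, and that nltest can be pointed at the remote Exchange host; the names contoso.com, jsmith and EXCH01 are placeholders.

```powershell
# Added example, not code from the original thread.
# Assumes: ActiveDirectory module, repadmin.exe, rights to query replication
# metadata and to trigger replication. Domain, user and Exchange host names
# below are placeholders.
param(
    [string]$Domain   = 'contoso.com',   # assumed domain DNS name
    [string]$User     = 'jsmith',        # assumed sAMAccountName of the affected user
    [string]$ExchHost = 'EXCH01'         # assumed Exchange server host name
)

Import-Module ActiveDirectory

# 1. Which DC holds the PDC emulator role? A password change is replicated to
#    it urgently, and any other DC forwards a bad-password logon to it before
#    rejecting the request.
$domainObj = Get-ADDomain -Identity $Domain
$pdc       = $domainObj.PDCEmulator
Write-Host "PDC emulator: $pdc"

# 2. Which DC is the Exchange host using? nltest asks the locator on that
#    machine, so the answer reflects its site and subnet mapping.
$dcLine = (nltest /server:$ExchHost /dsgetdc:$Domain | Select-String '^\s*DC:').Line
if (-not $dcLine) { throw "nltest could not locate a DC for $ExchHost" }
$exchDc = ($dcLine -replace '^\s*DC:\s*\\\\', '').Trim()
Write-Host "DC used by ${ExchHost}: $exchDc"

# 3. Read the pwdLastSet replication metadata from every DC. The DC(s) with the
#    highest Version hold the newest password; a DC with a lower Version has
#    not yet received the change.
$dn   = (Get-ADUser -Identity $User -Server $pdc).DistinguishedName
$meta = foreach ($dc in (Get-ADDomainController -Filter * -Server $pdc)) {
    try {
        Get-ADReplicationAttributeMetadata -Object $dn -Server $dc.HostName -Properties pwdLastSet |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } },
                          Version,
                          LastOriginatingChangeTime,
                          LastOriginatingChangeDirectoryServerIdentity
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DC                                           = $dc.HostName
            Version                                      = $null
            LastOriginatingChangeTime                    = $null
            LastOriginatingChangeDirectoryServerIdentity = "unreachable: $_"
        }
    }
}
$meta | Format-Table -AutoSize

# 4. If the DC Exchange talks to is behind, pull the domain partition from the
#    PDC emulator now instead of waiting for the site link schedule.
$newest = ($meta | Where-Object Version | Measure-Object -Property Version -Maximum).Maximum
$behind = $meta | Where-Object { $_.DC -eq $exchDc -and $_.Version -lt $newest }
if ($behind) {
    Write-Host "$exchDc is behind (version $($behind.Version) < $newest); replicating from $pdc"
    repadmin /replicate $exchDc $pdc $domainObj.DistinguishedName
} else {
    Write-Host "$exchDc already has the newest pwdLastSet (version $newest)"
}
```

Run it right after the remote user changes the password. If the Exchange-facing DC already shows the newest version and the logon still fails, the problem is not replication latency; check instead that this DC can reach the PDC emulator over RPC, since the bad-password referral described in the reply depends on that connectivity across the WAN. Step 4 is a one-off fix; for a standing change, intersite change notification on the site link (bit 0x1, USE_NOTIFY, in the siteLink object's options attribute) makes replication over that link notification-driven instead of schedule-driven.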
 