AD password syncing, replication, & Exchange

[Guest Chad Bailey]

Here's the problem....

 

We have one 2003 domain spread over multiple physical sites. Each site

is connected to the main site by WAN links and has a local domain

controller. The main office site has an Exchange server which hosts all

client mailboxes, including the ones for the remote site users.

 

The problem we have is with password synchronization timing. For

example, if a user's password expires and they have to change it on

their client, and they are in the home site where the Exchange server is

located, there are no issues.

 

BUT!... if a user at one of the remote sites changes their password, the

synchronization is such in AD across the remote links that Exchange does

not get the updated information until the next replication time which at

the shortest is 15 minutes. So this person is locked out of exchange

until the AD replication is sent to the home site.

 

In AD, I have defined individual subnets and sites for these remote

locations. As best I can tell, when you define different sites, it is

impossible to reduce the replication time under 15 minutes. And that is

what presents the password syncing issues for us.

 

Is there anyway around this problem?

 

Thanks for any advice.

 

Chad

[Guest Meinolf Weber]

Re: AD password syncing, replication, & Exchange

 

Hello Chad,

 

If a DC other than the PDCemulator receives an authentication request with

a bad password, before it rejects the authentication request outright it

will refer the authentication request to the PDCemulator.

 

So make sure the Exchange has the PDCEmulator under the ESM "recipient update

service".

 

See here about the passwored replication, scroll down to "Replication of

Password Changes":

http://technet2.microsoft.com/windowsserver/en/library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx?mfr=true

 

http://www.microsoft.com/technet/abouttn/flash/tips/tips_060805.mspx

 

Do you use OWA from Exchange?

 

Also check this document about, search it for Exchange:

http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=en

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Here's the problem....

>

> We have one 2003 domain spread over multiple physical sites. Each site

> is connected to the main site by WAN links and has a local domain

> controller. The main office site has an Exchange server which hosts

> all client mailboxes, including the ones for the remote site users.

>

> The problem we have is with password synchronization timing. For

> example, if a user's password expires and they have to change it on

> their client, and they are in the home site where the Exchange server

> is located, there are no issues.

>

> BUT!... if a user at one of the remote sites changes their password,

> the synchronization is such in AD across the remote links that

> Exchange does not get the updated information until the next

> replication time which at the shortest is 15 minutes. So this person

> is locked out of exchange until the AD replication is sent to the home

> site.

>

> In AD, I have defined individual subnets and sites for these remote

> locations. As best I can tell, when you define different sites, it is

> impossible to reduce the replication time under 15 minutes. And that

> is what presents the password syncing issues for us.

>

> Is there anyway around this problem?

>

> Thanks for any advice.

>

> Chad

>