I set up a Win 2008 ADS domain with 2 DCs/DNS & 2 member machines.

The 1st DC plays all FSMO roles.
Then I disconnected the 1st DC from the network & logged on from my member
machines to the domain as enterprise admin. I was authenticated by the 2nd DC
that was available.
I then attempted a password change of my enterprise admin AC from my member
machine & I was allowed to change the password.
Later I brought the 1st DC back into the network.
Now I could log on as enterprise admin from any of my member machines with the
old enterprise admin pwd as well as the new pwd [Strange]. With the old pwd
the 1st DC authenticates me & with the new pwd the 2nd DC authenticates me.

This shouldn't be the case. Could someone explain the strange behaviour?

Re: win 2003 ADS Password change by S

S
Mon May 05 01:44:44 PDT 2008

New password gets validated by DC2.
Old password gets validated by DC1 that is a PDC emulator.

The real question is - why the password change didn't replicate to DC1?
dcdiag?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *




Re: win 2003 ADS Password change by Meinolf

Meinolf
Mon May 05 07:06:58 PDT 2008

Hello Vicky,

If the DCs did not replicate correctly this can happen, so check replication
in your domain with repadmin /showreps. Also I would run dcdiag on both
DCs to check for errors.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm



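Alongside the repadmin /showreps and dcdiag checks suggested in the replies above, the per-DC password state of the affected account can be compared directly. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine running it, and the account name is a placeholder.

```powershell
# Added example: compare one account's password state on every DC in the domain.
# Assumption: ActiveDirectory module (RSAT) is installed and the caller can read the account.
Import-Module ActiveDirectory

$SamAccountName = 'Administrator'   # placeholder: the account whose password was changed

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC for its own copy of the account.
        $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet
        # Replication metadata shows the attribute version and which DC originated the change.
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{
            DC            = $dc.HostName
            PdcEmulator   = $dc.OperationMasterRoles -contains 'PDCEmulator'
            PwdLastSetUtc = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
            Version       = $meta.Version
            OriginatedOn  = $meta.LastOriginatingChangeDirectoryServerIdentity
            Error         = $null
        }
    } catch {
        # A DC that cannot be queried is itself a finding worth recording.
        [pscustomobject]@{
            DC = $dc.HostName; PdcEmulator = $null; PwdLastSetUtc = $null
            Version = $null; OriginatedOn = $null; Error = $_.Exception.Message
        }
    }
}

$rows | Format-Table -AutoSize

# Every reachable DC should report the same version and timestamp once replication has converged.
$ok     = @($rows | Where-Object { -not $_.Error })
$states = @($ok | Group-Object Version, PwdLastSetUtc)
if ($states.Count -gt 1 -or $ok.Count -lt @($rows).Count) {
    Write-Warning "Password state for '$SamAccountName' differs between DCs or a DC was unreachable; check repadmin /showreps and dcdiag."
} else {
    Write-Output "All DCs agree on pwdLastSet for '$SamAccountName'."
}
```

A DC that still reports the older version and timestamp has not received the change and will keep validating the old password until replication catches up.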

Re: win 2003 ADS Password change by Vicky

Vicky
Mon May 05 10:25:01 PDT 2008

If PDC emulator was off the network, should pwd change happen at all from a
member machine for a domain user or domain/enterprise admin?

"S. Pidgorny <MVP>" wrote:

> New password gets validated by DC2.
> Old password gets validated by DC1 that is a PDC emulator.
>
> The real question is - why the password change didn't replicate to DC1?
> dcdiag?