Yes, the Kerberos settings are what applies here. However, the answer also depends on when the DC goes down:

1. The DC is down when you try to log on
    If you have previously logged on from workstationA, you can use cached credentials to log on
    If you have changed your password from another workstation since you logged on to workstationA, then you will need to use the old password (since that is what is cached)
    While you can log on to the workstation, you will not be able to connect to any network resources until the DC comes back up
    By default, win2kx caches the last 10 successful logons (this can be changed via GPO)

2. You are logged on to the network and connected to network resources when the DC goes down
    You can remain connected to the network resources until Kerberos forces a renewal
    You will not be able to connect to any new network resources

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve
Sent: Tuesday, November 30, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Accessing resources when a domain controller is
unavailable (sightly OT)


Are the Kerberos settings the ones that apply to this?

By default they are: maximum lifetime for a user ticket 10 hours,
maximum lifetime for a service ticket 600 minutes, and maximum
lifetime for a ticket renewal 7 days.

Does this mean that cached credentials will work for 10 hours or 7 days?

Name resolution is not an issue on these smaller sites as each has
only one subnet.

Cheers


On Tue, 30 Nov 2004 12:55:52 -0500, Renouf, Phil
<[EMAIL PROTECTED]> wrote:
> Yes, the client will continue to use Cached Credentials to allow you to
> log onto your workstation. How long you can do that depends on some
> customizable settings that you can control with GPOs. Off the top of my
> head I am not sure what the defaults are, but I am sure someone less
> lazy than me can fill us both in.
> 
> One of the main concerns in that type of centralized DC setup is name
> resolution.  If the DCs are your DNS servers and you don't have any
> local name resolution methods (DNS or perhaps WINS) then you'll have
> issues connecting to the other local servers by name while the DCs are
> unavailable.
> 
> Phil
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve
> Sent: Tuesday, November 30, 2004 11:59 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Accessing resources when a domain controller is
> unavailable (sightly OT)
> 
> A question for planning placement of Domain Controllers.
> 
> Windows 2003 Native mode domain in a mixed level forest
> 
> Let's assume that all DCs are centralized in a central site and that
> there are robust high speed/high capacity lines connecting all sites.
> 
> Let's further assume that each remote site has Windows 2000/XP clients
> and a local file server.
> 
> Normally when a resource has to be contacted locally the workstation
> authenticates with the DC and gets granted access (too simple but for
> this example good enough).
> 
> Now what happens when a DC is not available?  Will the local file server
> accept Cached credentials?  If so for how long?  Will the workstation
> maintain access until the next time their Kerberos ticket needs to be
> renewed?  Is there some magic time period until the DC must be contacted
> again?
> 
> I have tested/seen how this works in practice, what I'm looking for is the
> actual reasons why access is granted/denied in this scenario.
> 
> A link to a reference explaining this would also be great.
> 
> Thanks
> 
> Steve
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
