Thanks everyone for your replies. I especially appreciate the "real world" answers...
This should help put to rest our "discussion".

Mike Baudino


"Patrick R. Sweeney" <[EMAIL PROTECTED]>@mail.activedir.org on 04/02/2003 09:52:17 AM
Please respond to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] downlevel client authentication

The choice is governed by the secure channel. This is established on a first-response basis. Given the absence of the DSClient, the client behavior should still be as described in Q266729. This seems to be borne out by your experiences.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Wednesday, April 02, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication

We have about 20 remote WAN sites, each running an AD domain controller. Almost every site still has a fair number of NT4 and Win98 clients - none with the AD client installed.

I have a KiXtart script that runs on the workstation from the login script and logs (among other things) the authenticating server. What I see is that, overwhelmingly, back-level clients hit their local AD DC for authentication. This leads me to believe that either WINS responses are sorted by IP subnet (so that the local DC is presented first), or that workstations attempt to find a DC by broadcast before using WINS, or, possibly, that a workstation attempts to open a socket to all DCs returned by WINS, and the first to complete is the one that's used. This would normally be the "closest" DC. I'm curious, but not enough so to fire up a sniffer.

The confusion comes from the fact that Microsoft has published conflicting information on how clients authenticate, and how back-level clients authenticate in an AD environment. If memory serves, the Windows 2000 Server help system explicitly states that back-level clients authenticate against the PDC emulator, which is incorrect.

I know this was a big issue for us when we went AD. We were scared to death to turn off our old remote BDCs - even a call to PSS could definitively answer the question. A good clue came from examining the log files that my script created. I saw that even with a local BDC, the local AD DC was authenticating back-level clients. The definitive answer came when we simply shut a BDC down at a small remote site, and noticed that the AD DC picked right up.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 02, 2003 7:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] downlevel client authentication

Well, you're all partially correct.

AD (whether mixed mode or not) appears the same as a "straight" NT4 domain to all downlevel (i.e. non-AD-aware) clients. What that means is that the PDC emulator is the only place passwords can be changed by these clients. It also means that any DC can authenticate users.

The thing to keep in mind is how NT4-style domains actually authenticate. Assuming WINS is available, a client queries WINS for domain controllers that can service the domain to which the client is trying to authenticate (looking for 1Ch records in WINS). WINS returns up to 25 domain controllers - in NO particular order - to the client. There is no guarantee that the DCs returned will be local to the client.

Does that help at all?

--------------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Mike Baudino [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 01, 2003 6:23 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] downlevel client authentication
>
>
> All,
>
> Please help me resolve a "discussion" with some strong opinions on
> both sides of the camp. You see, our reading on the role of the PDC
> Emulator in regard to a mixed-mode domain with downlevel clients
> (we're not upgrading the NT4.0 client software) has left us with
> differing interpretations.
>
> We agree and understand that the PDC Emulator is contacted directly
> by the downlevel clients to change their passwords. We also
> understand and agree that the PDC Emulator is the source of SAM
> replication.
>
> Our disagreement is in authentication. Some folks are reading it as
> all downlevel client activity, including authentication, is done at
> the PDC emulator. Others read this as the downlevel client is
> authenticated by the domain controller that responds first (or the
> last time the client was authenticated [we're also a bit unclear on
> that concept]).
>
> To me, this is very clear (but I could be the cause of the confusion).
> In a branch office environment running mixed mode we would have a
> combination of Win2k and NT4.0 domain controllers in the field
> offices. The NT4.0 BDCs are not aware of the fact that they're
> really part of an AD domain, and nor would the clients be. Thus, if the
> clients don't know about AD, and the BDC doesn't know about AD, how
> would the client know that it had to contact the PDC emulator to be
> authenticated? It wouldn't. Hence, downlevel client
> authentication must occur at any domain controller (again,
> the one that responds first [or the last one]).
>
>
> Please help clear this up and please include a link to
> something that helps clear this up.
>
>
> Thanks,
> Mike Baudino
>
>
>
> ******************* PLEASE NOTE *******************
> This E-Mail/telefax message and any documents accompanying
> this transmission may contain privileged and/or confidential
> information and is intended solely for the addressee(s) named
> above. If you are not the intended addressee/recipient, you
> are hereby notified that any use of, disclosure, copying,
> distribution, or reliance on the contents of this
> E-Mail/telefax information is strictly prohibited and may
> result in legal action against you. Please reply to the
> sender advising of the error in transmission and immediately
> delete/destroy the message and any accompanying documents. Thank you.
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
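The check Ken describes above (a login script records %LOGONSERVER%, and the logs are then read to see whether downlevel clients land on their local DC or on the PDC emulator) can be tallied with a small script. The following is an added example for this page, not code from the thread or from any of its posters. It assumes a log format of one line per logon, "timestamp client-IP \\DCNAME", a hand-maintained map of site subnets to the DCs homed at each site, and a PDC emulator named HQ-DC1; the sample log lines and site map are constructed for illustration, not taken from any real environment.

```python
"""Tally which DC authenticated each downlevel client, per site.

Added example (not from the ActiveDir thread). Assumes a login-script log with
one line per logon:  <timestamp> <client IP> <%LOGONSERVER%>
and a hand-maintained map of site subnets -> DCs located at that site.
"""
import ipaddress
from collections import Counter

# Constructed site map (assumption): subnet -> NetBIOS names of DCs homed there.
SITE_DCS = {
    ipaddress.ip_network("10.1.0.0/24"): {"HQ-DC1", "HQ-DC2"},
    ipaddress.ip_network("10.20.0.0/24"): {"BR20-DC1"},
    ipaddress.ip_network("10.30.0.0/24"): {"BR30-DC1"},
}

# Assumed holder of the PDC emulator role (hypothetical name).
PDC_EMULATOR = "HQ-DC1"

# Constructed sample of what the login-script log might contain.
# %LOGONSERVER% carries a leading "\\"; the last line is deliberately malformed.
SAMPLE_LOG = r"""
2003-04-02T08:01:12 10.20.0.15 \\BR20-DC1
2003-04-02T08:01:40 10.20.0.22 \\BR20-DC1
2003-04-02T08:02:05 10.30.0.9 \\BR30-DC1
2003-04-02T08:02:33 10.30.0.41 \\HQ-DC2
2003-04-02T08:03:10 10.1.0.77 \\HQ-DC1
2003-04-02T08:03:55 10.20.0.31 \\HQ-DC1
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return a list of (client_ip, dc_name) pairs; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        dc = parts[2].lstrip("\\").upper()  # strip the UNC-style prefix
        records.append((ip, dc))
    return records


def site_of(ip):
    """Return the site subnet containing ip, or None if the client is unknown."""
    for net in SITE_DCS:
        if ip in net:
            return net
    return None


def tally(records):
    """Per-site Counter of total / local / remote logons and PDC-emulator hits.

    'local' means the authenticating DC is one homed at the client's own site;
    anything else (including an unknown client subnet) counts as 'remote'.
    """
    result = {}
    for ip, dc in records:
        net = site_of(ip)
        key = str(net) if net is not None else "unknown"
        c = result.setdefault(key, Counter())
        c["total"] += 1
        if net is not None and dc in SITE_DCS[net]:
            c["local"] += 1
        else:
            c["remote"] += 1
        if dc == PDC_EMULATOR:
            c["pdc"] += 1
    return result


def pdc_share(records):
    """Fraction of all logons serviced by the PDC emulator.

    A value near 1.0 would support the 'PDC emulator does all downlevel
    authentication' reading; a low value refutes it.
    """
    if not records:
        return 0.0
    return sum(1 for _, dc in records if dc == PDC_EMULATOR) / len(records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for site, c in sorted(tally(recs).items()):
        print(f"{site:15} total={c['total']} local={c['local']} "
              f"remote={c['remote']} pdc={c['pdc']}")
    print(f"PDC emulator share: {pdc_share(recs):.2f}")
```

With a real log, a high "local" share per site is the result Ken reports, and a PDC-emulator share far below 1.0 is what refutes the help-file claim he mentions; a site whose "remote" count is high is where Roger's point applies, since WINS hands back 1Ch registrations in no guaranteed order.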
