Are the Kerberos settings the ones that apply to this? By default they are Maximum lifetime for a user ticket 10 hours, maximum lifetime for a service ticket 600 minutes, and maximum lifetime for a ticket renewal 7 days.
Does this mean that cached credentials will work for 10 hours or 7 days?

Name resolution is not an issue on these smaller sites as each has only one subnet.

Cheers

On Tue, 30 Nov 2004 12:55:52 -0500, Renouf, Phil <[EMAIL PROTECTED]> wrote:
> Yes, the client will continue to use Cached Credentials to allow you to
> log onto your workstation. How long you can do that depends on some
> customizable settings that you can control with GPOs. Off the top of my
> head I am not sure what the defaults are, but I am sure someone less
> lazy than me can fill us both in.
>
> One of the main concerns in that type of centralized DC setup is name
> resolution. If the DCs are your DNS servers and you don't have any
> local name resolution methods (DNS or perhaps WINS) then you'll have
> issues connecting to the other local servers by name while the DCs are
> unavailable.
>
> Phil
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve
> Sent: Tuesday, November 30, 2004 11:59 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Accessing resources when a domain controller is
> unavailable (slightly OT)
>
> A question for planning placement of Domain Controllers.
>
> Windows 2003 Native mode domain in a mixed level forest
>
> Let's assume that all DCs are centralized in a central site and that
> there are robust high speed/high capacity lines connecting all sites.
>
> Let's further assume that each remote site has Windows 2000/XP clients
> and a local file server.
>
> Normally when a resource has to be contacted locally the workstation
> authenticates with the DC and gets granted access (too simple but for
> this example good enough).
>
> Now what happens when a DC is not available? Will the local file server
> accept Cached credentials? If so for how long? Will the workstation
> maintain access until the next time their Kerberos ticket needs to be
> renewed? Is there some magic time period until the DC must be contacted
> again?
>
> I've tested/seen how this works in practice, what I'm looking for is the
> actual reasons why access is granted/denied in this scenario.
>
> A link to a reference explaining this would also be great.
>
> Thanks
>
> Steve
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
