We have 115 remote locations; each has a NW 5.1 SP8 server. The PCs at
these locations are running XP with the 4.91 SP2 client. We are using IDM for
password sync with the mainframe and AD, so they need Universal Password
and NMAS.

The issue is if the WAN link fails, no users at the remote site can log in
or unlock a locked screen even though their local server holds a replica
of their partition. The remote servers currently do NOT have a replica of
the Security container.

I understand eDir 8.8 caches the security data NMAS is looking for without
needing to replicate the Security container everywhere. This is not an
option because 8.8 does not run on NW 5.1. Upgrade to NW 6.5 (or
OES/Linux) is not going to happen at the remote sites...branch offices are
going all Windoze by the end of 2007.

I confirmed that putting a replica of Security on a remote server appears
to fix the problem. I'm not excited about replicating the Security
container to 115 WAN-connected servers, but the impact should be small
since it is fairly static and should not generate a lot of sync traffic.
Also, I would think this would eliminate a lot of NMAS-related traffic
over the WAN.

BUT, my question is why doesn't the client just fail back to NDS login if
it can't use NMAS? I thought it was supposed to work that way. Is there
some special configuration on the client or local server required to
support this?