Recently we had an issue where we received a lot of "old" passwords from
an AD, which caused a major amount of issues for a significant number of
users. I refer to them as old because the passwords were not recent
password changes. So these were cached passwords, potentially from a
domain controller that could not contact the Remote Loader or some sort
of restore, possibly of the registry? Whatever the case, it has led to
a more in-depth understanding of how passwords are synchronized, which
has of course led to questions/comments.

1- Why are passwords cached on the individual DCs when the engine is
not connected to the Remote Loader? When a password change cannot be
processed due to an unassociated object, the password is cached by the
Remote Loader, and each additional password change overwrites the
previous, so when the password is finally processed only the latest
password is synchronized. If the engine is not connected to the Remote
Loader and a user, who is associated, changes their password multiple
times on multiple DCs, the passwords will be processed in the order the
Remote Loader receives them, meaning the latest password change might
not be the last one synchronized. If the Remote Loader cached the
passwords and successive changes were made, they would be overwritten and
the latest password would be synchronized.

2- As far as I know, the AD driver parameter pub-password-expire-time
specifies the number of minutes a driver will attempt to sync a
password; the time is counted from when the Remote Loader receives the password.
Wouldn't it make more sense for the value to expire a password based on
the time it was set?

Just looking for feedback/thoughts.

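The ordering and expiry questions raised in the post can be made concrete with a small model. The following is an added example written for this page; it is not the AD driver's or Remote Loader's own code, and it does not claim to reproduce their internal behaviour. It models two strategies over a constructed set of password-change events from several DCs: processing events strictly in the order the loader receives them (the behaviour the post describes), versus keeping one cached entry per object and letting the newest change by set time win. It also contrasts expiring an entry from the time it was received with expiring it from the time the password was set. All names, timestamps and passwords are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordEvent:
    """One password change as seen by the Remote Loader (constructed model)."""
    dn: str            # the associated object the change belongs to
    password: str      # the new password value (placeholder strings only)
    set_at: int        # minute the change was made on the DC
    received_at: int   # minute the Remote Loader received the event


# Constructed sample: one user changes the password three times on two DCs.
# Replication and connectivity delays mean the events do NOT arrive in the
# order they were set: the middle change (pw2) arrives last.
EVENTS: List[PasswordEvent] = [
    PasswordEvent("cn=user1,ou=users,dc=example,dc=test", "pw1", set_at=10, received_at=50),
    PasswordEvent("cn=user1,ou=users,dc=example,dc=test", "pw3", set_at=45, received_at=51),
    PasswordEvent("cn=user1,ou=users,dc=example,dc=test", "pw2", set_at=20, received_at=60),
]


def sync_in_arrival_order(events: List[PasswordEvent]) -> Dict[str, str]:
    """Process every event in the order received; the last one processed wins.

    This models the behaviour described in the post: with no per-object
    cache, a stale change that arrives late overwrites a newer one.
    """
    synced: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.received_at):
        synced[ev.dn] = ev.password
    return synced


def sync_with_latest_change_cache(
    events: List[PasswordEvent],
    now: int,
    expire_minutes: int,
    expire_from: str = "received",
) -> Dict[str, str]:
    """Keep one cached entry per object; the newest set_at wins.

    expire_from="received" drops entries older than expire_minutes counted
    from receipt (how the post understands pub-password-expire-time);
    expire_from="set" counts from the time the password was set instead
    (the alternative the post proposes). Both are modelled, not measured.
    """
    if expire_from not in ("received", "set"):
        raise ValueError("expire_from must be 'received' or 'set'")
    cache: Dict[str, PasswordEvent] = {}
    for ev in sorted(events, key=lambda e: e.received_at):
        stamp = ev.received_at if expire_from == "received" else ev.set_at
        if now - stamp > expire_minutes:
            continue  # too old to be worth syncing under this policy
        current = cache.get(ev.dn)
        if current is None or ev.set_at > current.set_at:
            cache[ev.dn] = ev  # a late-arriving older change never overwrites a newer one
    return {dn: ev.password for dn, ev in cache.items()}


if __name__ == "__main__":
    dn = EVENTS[0].dn
    print("arrival order  :", sync_in_arrival_order(EVENTS)[dn])
    print("latest-set wins:", sync_with_latest_change_cache(EVENTS, now=70, expire_minutes=30)[dn])
    print("expire from set, 20 min:", sync_with_latest_change_cache(EVENTS, now=70, expire_minutes=20, expire_from="set"))
```

Run as-is, the arrival-order strategy ends with the stale value pw2, while the per-object cache ends with pw3, the most recent change. With a 20-minute window the two expiry policies diverge: counted from receipt, every event is still fresh and pw3 is synced; counted from the set time, even pw3 (set 25 minutes before "now") is dropped and nothing is pushed, which is the trade-off the second question is really about.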