Subject: [ActiveDir] Exchange and Active Directory authentication confusion
ddriggs (Posts: 9), 07/01/2009 10:52 PM
I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows Server 2003 R2 SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could log in to e-mail remotely via Outlook Web Access. Now, if user accounts are replicated forest-wide, then why could the users at the disconnected remote site not log into OWA via another domain controller (one which authenticates users for the unreachable remote server) that was not disconnected due to an out-of-service T1 WAN link?


Ravi.Sabharanjak@barclaysglobal.com (Posts: 0), 07/01/2009 10:58 PM

The user accounts are not replicated forest wide. Certain information is replicated to the global catalog, but the DCs from a domain are responsible for authenticating users from their domain.

Were any domain controllers from the users' domain accessible to the Exchange servers when the T1 outage happened? If all the DCs are on the downed side of the T1 link, the Exchange server would not be able to authenticate the user logging in to OWA, as it would not be able to contact a DC to verify the user's identity.

-Ravi


ddriggs (Posts: 9), 07/01/2009 11:31 PM
Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down; even though you have 100 DCs for DomainPDQ, not a single DomainXYZ user could log on.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm



listmail (Posts: 763), 07/02/2009 1:27 PM
Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, collapse the six domains down to one; you likely don't really need six domains.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

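Ravi's and joe's replies say the same thing from two sides: only a domain controller of the user's own domain can authenticate that user, so a site whose logons (including OWA logons handled by an Exchange server in that site) must survive a WAN outage needs a local DC for each of those domains. The following PowerShell script is an added example, not code from the thread or from any of the posters. It reads the forest topology through System.DirectoryServices.ActiveDirectory (available on Windows Server 2003-era PowerShell without the ActiveDirectory module) and lists, per domain, how many DCs sit in a given AD site, flagging domains whose authentication at that site depends on the WAN. The $SiteName and $TestReachability parameters and the AuthDependsOnWAN column are names chosen for this example; it assumes it is run as a domain user on a domain-joined machine.

```powershell
# Added example, not from the thread: for one AD site, count the domain controllers
# of every domain in the forest that are located in that site. A domain with no DC
# in the site can only authenticate its users across the WAN, which is the failure
# described in the original post.
# Assumptions: domain-joined machine, domain user, .NET System.DirectoryServices.
param(
    # Defaults to the site the local computer belongs to (assumed parameter name).
    [string]$SiteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name,
    # Optionally ping each DC found (assumed parameter name; ICMP only).
    [switch]$TestReachability
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$site = $forest.Sites | Where-Object { $_.Name -eq $SiteName }
if (-not $site) { throw "Site '$SiteName' not found in forest $($forest.Name)" }

# Map: domain DNS name -> host names of that domain's DCs located in this site.
# Every forest domain gets an entry so domains with zero local DCs still show up.
$dcsByDomain = @{}
foreach ($domain in $forest.Domains) { $dcsByDomain[$domain.Name] = @() }
foreach ($server in $site.Servers) {
    # $site.Servers can also hold AD LDS instances; only DomainController has .Domain
    if ($server -is [System.DirectoryServices.ActiveDirectory.DomainController]) {
        $dcsByDomain[$server.Domain.Name] += $server.Name
    }
}

$report = foreach ($domainName in ($dcsByDomain.Keys | Sort-Object)) {
    $dcs = @($dcsByDomain[$domainName])
    $reachable = $null
    if ($TestReachability -and $dcs.Count -gt 0) {
        $reachable = @($dcs | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet }).Count
    }
    New-Object PSObject -Property @{
        Site             = $SiteName
        Domain           = $domainName
        LocalDCs         = $dcs.Count
        ReachableDCs     = $reachable
        # No local DC: logons for this domain at this site (and OWA logons through an
        # Exchange server here) fail when the WAN drops, even though the global catalog
        # still holds a partial copy of the user objects.
        AuthDependsOnWAN = ($dcs.Count -eq 0)
        DCNames          = ($dcs -join ', ')
    }
}

$report | Format-Table Site, Domain, LocalDCs, ReachableDCs, AuthDependsOnWAN, DCNames -AutoSize
```

Run it on the Exchange server, or on any member of the site that hosts OWA, to see which domains' users that site can still authenticate with the WAN down; a row with LocalDCs = 0 is the situation in the original post. Test-Connection only proves ICMP reachability, so a DC that answers a ping can still be unable to service logons for other reasons (stopped services, replication problems, firewalled LDAP or Kerberos ports).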


ddriggs (Posts: 9), 07/02/2009 9:14 PM
This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent-child hierarchical. The explanation for this was better security: if anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment, so there is the possibility of malicious end users.

In the next iteration, to Server 2008, I hope to migrate to the one-forest, one-domain design that seems to be the consensus for better and easier maintenance?





ddriggs (Posts: 9), 07/02/2009 10:07 PM
So the consultant really needed to create, gulp, six different forests? I would never do that.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Paul Bergson (ALLETE)
Sent: Thursday, July 02, 2009 1:48 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Agree with Brian.

Security boundary is the forest, not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian





gabriel/tfi (Posts: 381), 07/02/2009 10:25 PM
If you're looking for a radical solution, consolidate everything into one single forest/single domain. - Gabriele.



ddriggs (Posts: 9), 07/03/2009 2:58 AM
That confirms my skepticism about the design. This design will go away when we upgrade to Windows Server 2008. Unfortunately, that will be some time due to the economy and resultant budget crunch.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 6:39 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Yeah, that design makes no sense to me given what I imagine your environment looks like (having spent a lot of time in K-12).

Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 7:20 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

I had a hard time describing what the consultant did. The domain design looks like this:

|Administrative Root domain
|High school domain
|Middle school domain
|Elementary school domain

As opposed to a parent Administrative Root domain with the other domains being branches of the root domain in a "tree". By forest domain design I mean just how the domains are arranged visually in the forest. The consultant's design does not have child or branch domains, at least not visually.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Thursday, July 02, 2009 2:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

That was my first thought too, but the fact that he says "forest domain design" seems to imply that he sees a distinction. Of course, we could just wait till the OP replies.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication confusion

Didn't Dave mean separate forests by "All of the domains are flat rather than parent-child hierarchical. The explanation for this was better security."?




