Kerberos


fernando

Hi there,
I'd like to know how to allow users to log in to a file
server if no DC is available.

I.e.:
DC is down and we have 1 file server only where all user
data is.

User comes in and logs into their PC, it tells them to
use the cached account.

Then how can I automatically give them access to the
file server's share without the DC present?

This is a disaster situation I need to cater for.

Does anyone have any helpful tips or hints? Can Kerberos
account policies help with this, or will it only help if
the DC comes back to life?

Cheers,
Fernando
 
Fernando,

If you have only one Active Directory DC, then that DC is
the sole Kerberos KDC. If that DC / Kerberos KDC is down,
then users logging on using cached credentials will not be
able to obtain Service Tickets to permit authentication to
the non-DC file server. This is by design.

Possible solutions include:

1. DCPROMO a second DC onto the File Server computer
2. Add a second DC on another Server computer
3. Add local accounts for the users on the File Server
with the same names and passwords as their AD accounts

I would recommend #2. You really need 2 DCs, everybody
does. In the US Navy Submarine Service we have a
saying: "Two is one, one is none". This means that having
only one of any critical component is just the same as
having none, as when that component fails, there is no
backup.

Second choice is #1. Last choice would be #3.

Hope this helps.

Opti_mystic
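A quick way to check whether a domain is in the "one is none" state Opti_mystic describes, written here as an added example (not code from either poster): it enumerates the domain controllers, warns when there is fewer than two, and probes each one on TCP 88, the port the Kerberos KDC listens on. It assumes the RSAT ActiveDirectory module is installed and the machine running it is domain-joined; the cmdlets used (Get-ADDomain, Get-ADDomainController, Test-NetConnection) are standard.

```powershell
# Added example, not from the original thread.
# Reports how many DCs (and therefore Kerberos KDCs) the domain has and whether
# each one currently answers on TCP 88. A single DC means a single KDC: if it
# is down, cached-credential logons cannot get service tickets for the file server.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter *)   # force an array so .Count is reliable

if ($dcs.Count -lt 2) {
    Write-Warning ("Domain {0} has only {1} DC(s). One KDC is a single point of failure " +
                   "for every Kerberos-authenticated share; add a second DC.") -f $domain, $dcs.Count
}

foreach ($dc in $dcs) {
    # The KDC listens on TCP and UDP 88; Test-NetConnection checks the TCP side.
    $probe = Test-NetConnection -ComputerName $dc.HostName -Port 88 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC        = $dc.HostName
        Site      = $dc.Site
        KdcTcp88  = $probe.TcpTestSucceeded
    }
}
```

Run it from a domain-joined admin workstation; a healthy domain shows at least two rows with KdcTcp88 set to True. On a client that logged on with cached credentials while the only DC was down, `klist` will show no ticket-granting ticket, which is exactly why the file-server share cannot be opened until a KDC is reachable again.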
 