If my W2K server crashes I can still log into my domain workstation? [server crashes] [w2k server]

Q: If my W2K server crashes I can still log into my domain workstation?


Re:hmm, that's a good point you bring up, guy. I'm not sure how the machine is able to handle the local authentication in the event that a DC is unavailable, because that also seems to go against the whole idea/security of Kerberos 5. Perhaps it stores the hash that would get sent to a DC, however that also would seem like a less than ideal way of storing it…

I tried to find information on this and haven't had much luck thus far.

Also, now that I think about it, I seem to remember having an NT 4 workstation laptop that I used with an NT 4 domain, and it had cached logins, as I'm sure I used it while disconnected from the network. At least I'm fairly sure it was with a domain account I logged in and not a local one (I think). So it's possible that NT4 can cache logins (perhaps it just doesn't do it by default). I guess it's been a while now since I've used NT 4 on a laptop :D

-Spy


Re:Spy – could you point me to some references on the logon caching? I'm trying to reconcile the idea with the Kerberos 5 architecture, and now my head is hurting. A big purpose of Kerberos is to prevent passwords from ever travelling across the wire, so I don't understand what information the client is using to authenticate the user.

Re:I wonder if I can tell the workstation to abandon the domain and convert back to a workgroup?
Yes, if you "right-click" on my computer you should be able to join the new domain.

If you had given the domain user account local admin rights on the workstation, wouldn't you still be able to log into the workstation even if the Domain controllers were down, using the domain user/pass? or does that only work on an NT 4 domain?
That has nothing to do with the domain, but rather the client you are using that is a member of the domain. Windows 2K/XP clients cache logins locally so that in the event of the DC being unavailable you can still log in (this of course is very useful on laptops). Windows NT 4 clients do not cache login information, so if it was an NT4 client you could not log in locally with a domain account if it did not have connectivity to your DC.

-Spy


Re:Originally posted by: guy
No, it won't work because the computer account won't be correct (incorrect PW). The only way you would get it back is if you had a backup & restored it.

-Spy

So then… how do I reconstruct? I had this test network of one server and one workstation. I wonder if I can tell the workstation to abandon the domain and convert back to a workgroup? I vaguely recall that it's a one way path and I may need to reinstall XPpro in the workstation. I imagine I could do this if I had approval from the DC which is now dead. I wonder if local authorization is possible. I guess I'll just have to try it and see. :frown:


Re:If you had given the domain user account local admin rights on the workstation, wouldn't you still be able to log into the workstation even if the Domain controllers were down, using the domain user/pass? or does that only work on an NT 4 domain?

Re:No, it won't work because the computer account won't be correct (incorrect PW). The only way you would get it back is if you had a backup & restored it.

-Spy


Re:Originally posted by: guy
If it's a 2K or XP client it will cache the login information, so yes, you would still be able to log in. If it is an NT 4 box then you would not be able to log in.

-Spy

If I rebuild the server (DM) will the client/server authenticate? Although I'll use the same name for the server I'm sure the SID will be different.


Re:If it's a 2K or XP client it will cache the login information, so yes, you would still be able to log in. If it is an NT 4 box then you would not be able to log in.

-Spy

