Cerulean
Old network domain: company.com
Old network subnet scheme: 192.168.1-50.0 (1 = servers, 5 = WAPs, switches, and tech center DHCP, 10+11+12 city division DHCP, 20 = DHCP for division at edge of city lines, 30 = DHCP for division thirty-eight miles away) + a VLAN for each office at each division facility (exaggerated greatly, but no joke)
New network: company.local
New network subnet scheme: class C 172.16.x.x
To support certain legacy applications in our migration process, we had to connect the second NIC of one of the old domain controllers (DNS service disabled of course) to the new network and give it a static IP.
HERE IS THE PROBLEM: in our full VDI environment, we have had some issues where user accounts get locked out. This happens because the domain name (not including the TLD) is the same -- COMPANY -- and the majority of usernames for accounts on the new domain match an account on the old domain. On the new domain, for the time being, everyone (except a select few who have sensitive/critical functions and data) has exactly the same password abc123$ (made it up). On the old domain, everyone has a unique, insanely easy and insecure, and IT documented password.
We have gotten this problem for people using Zero Clients (configured for VMView server on new domain), laptops (still on old domain), desktops (old domain). The solution we have found is to make the user's password on both old and new domains be identical.
However, there is one particular user who stands out (will not name job position, but someone who has a critical role in the company). We've synchronized his password, but his account still gets locked out. He has a laptop (old domain) with VMware View Client.
I do not know what my co-workers have tried, I was just asked to post about this to see if anyone had any ideas. One idea I had which I think my co-worker was trying before I left work was to rename the username of this user on the old domain to something else (such as their full name instead of first initial full last name, or append a number to their username). Neither domain is aware of each other's GUIDs for user objects, so in my mind changing the username on one of the domains should stop conflicts -- will find out tomorrow if this works. My co-worker has sifted through event logs but isn't finding anything useful.
Does anyone know of any good way to troubleshoot or diagnose situations like this?