IIS Windows Integrated Authentication, AD account question

Subject: IIS Windows Integrated Authentication, AD account question
Posted by:  bdog_jdog (bentorr…@gmail.com)
Date: 27 Nov 2006

Difficult question for all. We had a site name (in DNS) running on a
computer with the same AD name, call it Intranet. So machine name
Intranet, IIS site http://intranet, running Windows Integrated

I had been having progressive hardware problems with this box, and I
had a completely synched backup of the site content running on another
box, running with a host header of http://intranettest. I had planned a
Saturday downtime (the next day) to do the cutover.

So, Intranet box dies completely Friday at 8AM. So, I remap DNS records
to http://intranettest box. Change the host header to http://intranet.
I disable the AD object for Intranet box, since it didn't boot and I
didn't have a chance to rename it.

However, about 50% of people in my company can open up the new site.
Not DNS problems though. We monitor with TCP view, and Internet
Explorer doesn't send one packet on computers where it doesn't load
http://intranet. The site works every time with Firefox from everyone's
computer (except that there's no integrated auth).

I troubleshoot for about 3 embarrassing hours (dumping cache, DNS
resolver cache, things like that), then delete the disabled AD object
for Intranet, after which EVERYTHING WORKS FINE!!!!

So, it seems like on about 50% of the computers, part of the Integrated
Authentication process actually checked the AD account of the requested
URL and noticed the account was disabled, so didn't even request the
page of the webserver.

This makes sense, sort of, and normally I would have renamed such a box
if I had the chance, but I just assumed disabling the account would
have the same effect as deleting it. Apparently not.

And then, why did it work fine on 50% of my users' machines? We have
only two DCs and I pushed a replication to the other DC after
disabling the account.

What am I missing here?