Using sub-hosts to replicate password changes

In a global, native-mode Active Directory domain, password resets may take a long time to replicate from the domain controller serving the Bravura Security Fabric server to domain controllers accessed by users.

Bravura Security Fabric can bypass this replication process by directly setting a user’s new password and account status flags (intruder lockout, change password flag and expiry time/date) on each DC that the user might access. This includes DCs in the site from which the user’s web browser connected to Bravura Security Fabric, DCs in the site housing the user’s home directory, and regional DCs accessed by mail, database or other systems that the user might access.

To accelerate password replication in this way, go to the Target system information page for your Active Directory domain and set the Program to generate a list of target systems option to dcselect.exe.

The sub-host plugin adds a list of DCs and sites to the help desk password reset screen, so that a help desk user can reset passwords on specific domain controllers. The plugin also automatically selects domain controllers for all self-service functions, based on the user’s web browser IP address and home directory server IP address.

To specify additional domain controllers for users of certain sites, edit the text file dc.man in the \<instance>\script\ directory. This file has the format:

domain domain-name

site site-name DC1 DC2

Site names may contain the wild cards ? (any single character) and * (any sequence of characters).

An example of dc.man follows:

domain example.com

# Every user should get a password reset on this central DC:

site * centraldc.example.com

# Users in Madrid should get a reset in London too:

site madrid.* londondc1.example.com londondc2.example.com

# Users in Hong Kong should get a reset in Tokyo:

site hk.example.com tokdc1.example.com tokdc1.example.com
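
A small checker for dc.man, added here as an example and not part of Bravura Security Fabric: it parses the format described above, lists the additional domain controllers that would receive a direct password reset for a given site, and flags a DC name repeated on one line. It assumes case-insensitive matching, that every matching site line contributes its DCs, and that lines beginning with # are comments; the function names are hypothetical.

```python
import fnmatch

# Constructed sample in the dc.man format described above.
SAMPLE = """\
domain example.com
# Every user should get a password reset on this central DC:
site * centraldc.example.com
# Users in Madrid should get a reset in London too:
site madrid.* londondc1.example.com londondc2.example.com
site hk.example.com tokdc1.example.com tokdc1.example.com
"""

def parse_dc_man(text):
    """Return (rules, warnings); each rule is (domain, site_pattern, [DCs])."""
    rules, warnings, domain = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        keyword, *args = line.split()
        if keyword.lower() == "domain" and len(args) == 1:
            domain = args[0].lower()
        elif keyword.lower() == "site" and len(args) >= 2 and domain:
            pattern, dcs = args[0].lower(), [a.lower() for a in args[1:]]
            dupes = sorted({d for d in dcs if dcs.count(d) > 1})
            if dupes:
                warnings.append(f"line {lineno}: duplicate DC {', '.join(dupes)}")
            rules.append((domain, pattern, list(dict.fromkeys(dcs))))
        else:
            warnings.append(f"line {lineno}: unrecognized entry: {line!r}")
    return rules, warnings

def extra_dcs(rules, domain, site):
    """DCs from every site rule in `domain` whose pattern matches `site`."""
    found = []
    for rule_domain, pattern, dcs in rules:
        # fnmatchcase also treats [..] as a character class; site names
        # are assumed not to contain brackets.
        if rule_domain == domain.lower() and fnmatch.fnmatchcase(site.lower(), pattern):
            found.extend(d for d in dcs if d not in found)
    return found

if __name__ == "__main__":
    parsed, problems = parse_dc_man(SAMPLE)
    print(extra_dcs(parsed, "example.com", "madrid.example.com"))
    print(problems)
```

Running it against a proposed dc.man before deployment shows exactly which DCs a wildcard site entry pulls in, which matters because every listed DC has the new password set on it directly.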