
IIS Windows Integrated Authentication, AD account question

Status
Not open for further replies.

bdog2020

Instructor
Jun 16, 2003
203
US
Difficult question for all. We had a site name (in DNS) running on a computer with the same AD name, call it Intranet. So machine name Intranet, IIS site running Windows Integrated Authentication.

I had been having progressive hardware problems with this box, and I had a completely synched backup of the site content running on another box, running with a host header of I had planned a Saturday downtime (the next day) to do the cutover.

So, Intranet box dies completely Friday at 8AM. So, I remap DNS records to box. Change the host header to I disable the AD object for Intranet box, since it didn't boot and I didn't have a chance to rename it.

However, only about 50% of people in my company can open up the new site. Not DNS problems though. We monitor with TCPView, and Internet Explorer doesn't send one packet on computers where it doesn't load. The site works every time with Firefox from everyone's computer (except that there's no integrated auth).

I troubleshoot for about 3 embarrassing hours (dumping cache, DNS resolver cache, things like that), then delete the disabled AD object for Intranet, after which EVERYTHING WORKS FINE!!!!

So, it seems like on about 50% of the computers, part of the Integrated Authentication process actually checked the AD account of the requested URL and noticed the account was disabled, so didn't even request the page from the webserver.

This makes sense, I guess, and normally I would have renamed such a box if I had the chance, but I just assumed disabling the account would have the same effect as deleting it. Apparently not.

And then, why did it work fine on 50% of my users' machines? We have only two DCs, and I pushed a replication to the other DC after disabling the account.

What am I missing here?

thanks.
MB
 
Potentially an NTLM vs. Kerberos authentication anomaly you were seeing...

Type in the FQDN and you get Kerberos attempts, which then fall back to NTLM if Kerberos fails. Type in the NetBIOS name and, depending on the config of the system, it may try NTLM first and succeed.

Kerberos will look at the box for delegation rights; NTLM will not.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
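As an added example (not code from either post in this thread), here is the check both posts are circling: which AD account the KDC will hand out a Kerberos service ticket for, given the name users type into the browser, and whether that account is disabled. The point it makes concrete is that a computer account does not have to hold an HTTP SPN explicitly to answer for http://intranet; it answers through its automatic HOST/intranet SPN, because HTTP is an alias of HOST in the forest's default sPNMappings, and a disabled account cannot be issued a service ticket even though the SPN is still registered on it. It assumes the RSAT ActiveDirectory module and a domain-joined session; the names intranet and webserver2 are placeholders.

```powershell
<#
 Added example, not from the thread. Given the hostname users type into the
 browser, list which AD account(s) the KDC would issue a Kerberos service
 ticket for, and whether that account is disabled. Assumes the RSAT
 ActiveDirectory module; 'intranet' and 'webserver2' are placeholder names.
#>
param(
    [string]$HostName = 'intranet',   # host part of the URL (placeholder)
    [string]$NewHost  = 'webserver2'  # box that now serves the site (placeholder)
)
Import-Module ActiveDirectory

$ACCOUNTDISABLE = 0x2                 # userAccountControl bit for a disabled account
$domainFqdn     = (Get-ADDomain).DNSRoot

# IE builds the SPN from the URL host: HTTP/<host>. The KDC first looks for an
# account holding exactly that SPN; if none exists, HTTP is an alias of HOST in
# the default sPNMappings, so it falls back to HOST/<host>, which every computer
# account registers for its own name. That is how a computer account named
# Intranet answers for http://intranet without anyone registering an HTTP SPN.
$candidates = @(
    "HTTP/$HostName", "HTTP/$HostName.$domainFqdn",
    "HOST/$HostName", "HOST/$HostName.$domainFqdn"
)

function Get-SpnHolder {
    param([string]$Spn)
    # Returns nothing (not an error) when no account registers the SPN.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Properties servicePrincipalName, userAccountControl, sAMAccountName
}

foreach ($spn in $candidates) {
    $holders = @(Get-SpnHolder -Spn $spn)
    if ($holders.Count -eq 0) {
        Write-Output ("{0,-40} no account registers this SPN" -f $spn)
        continue
    }
    foreach ($acct in $holders) {
        $disabled = ($acct.userAccountControl -band $ACCOUNTDISABLE) -ne 0
        $state = if ($disabled) { 'DISABLED: no service ticket will be issued for this name' }
                 else           { 'enabled' }
        Write-Output ("{0,-40} {1} ({2})" -f $spn, $acct.sAMAccountName, $state)
    }
    if ($holders.Count -gt 1) {
        Write-Warning "$spn is registered on more than one account (duplicate SPN); ticket requests for it become unreliable."
    }
}

# Client-side check, run on a workstation: drop cached tickets, then request one.
# A client that still held a cached service ticket for the name would not have
# gone to the KDC at all, which is worth comparing between working and
# non-working machines.
Write-Output "`nOn a client, compare:  klist purge ; klist get HTTP/$HostName"

# Cutover options (do not run blindly; pick one):
#   1. Register the HTTP SPN explicitly on the new host's computer account so the
#      exact-match lookup wins over the HOST alias on the dead box:
#        setspn -S HTTP/$HostName "$NewHost`$"
#        setspn -S HTTP/$HostName.$domainFqdn "$NewHost`$"
#   2. Rename or delete the dead computer account, which is what cleared the
#      outage in this thread; disabling it is not enough because the HOST SPN
#      stays registered on the disabled object.
```

Run it from an elevated PowerShell session on a domain member as a user who can read the directory. The output line that matters is the HOST/<shortname> row: when it names a disabled computer account, every client that builds a Kerberos request for that name (typically those that resolved the short name into the Local Intranet zone and tried Kerberos before NTLM) will fail at the KDC before sending anything to the web server, which matches the "not one packet" symptom from the first post; clients that went to NTLM first never ask the KDC about the SPN at all, which is Brandon's point about the NTLM vs. Kerberos split.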
 