Demand-Dial Routing |
When a demand-dial interface is created with the Demand-Dial wizard in the Routing and Remote Access snap-in, the Add a user account so a remote router can dial in option on the Protocols and Security page of the wizard allows you to create a new user account that is used by the calling router. When this option is selected, a user account with the same name as the demand-dial interfaces is created in the security accounts database being used by the router on which the demand-dial interface is being created.
Table 6.2 lists where the user account is created.
Table 6.2 Location of User Accounts Created by the Demand-Dial Wizard
Router | Where the Account Is Created |
---|---|
Stand-alone | A local account as if created through the Local Users and Groups snap-in. |
Domain controller | A domain account as if created through the Active Directory Users and Groups snap-in. |
Member of a domain | A local account as if created through the Local Users and Groups snap-in. |
In all cases, the remote access permission is set to Allow access even though for a new account in a Windows 2000 native mode domain or a stand-alone router, the default remote access permission for newly created accounts is set to Control access through Remote Access Policy. This behavior can cause some confusion if you are using the access by policy administrative model. In the access by policy administrative model, the remote access permission of all user accounts is set to Control access through Remote Access Policy and the remote access permission of individual policies are set to either Grant remote access or Deny remote access.
When the user account is created, it is created with the current default password settings and policies set for your domain. Verify that each user account used by calling routers have the following password settings on the Account tab on the properties sheet of the user account:
If enabled, then you must manually disable this setting for accounts created with the Demand-Dial Wizard. If you do not disable this setting, then a demand-dial router is unable to connect using this account. When the calling router sends its credentials, the calling router is prompted to change the password. Because the initiation of a demand-dial connection is not an interactive process involving a user, the calling router is unable to change the password and aborts the connection attempt.
Because the demand-dial connection process is not interactive, if the password expires, the calling router is prompted to change the expired password and the connection attempt is aborted.