Interoperability with IBM Host Systems
Within the SNA Server network, automated one-way LAN-to-AS/400 password synchronization is supported without any additional tools or products. In this scenario, the Host Account Synchronization Service, the Windows 2000 Account Synchronization Service, and the AS/400's host security system are interoperable and provide password synchronization for SNA Server users.
In other corporate network environments, third-party tools are required when implementing automated, two-way password synchronization or mainframe support. On a network, the Host Account Synchronization Service, the Windows 2000 Account Synchronization Service, and third-party security integration dynamic-link libraries (DLLs) cooperate with each other to support password synchronization. On the host, third-party products are usually required to facilitate password synchronization.
These components collectively allow two-way password synchronization between Windows 2000 and AS/400 or mainframe host computers. Changes made on one host can be replicated to other Windows 2000 or host computers. Similarly, changes to your Windows 2000 security domain can be automatically sent to all host computers.
For host-initiated changes, third-party software must be installed on the host system to trap password changes initiated by users logged on to the host computer, and on the SNA Server–based computer to receive changes from the host.
When a change is made on the host system, the host computer sends notification of changes to a third-party product's security integration DLL, which is installed on the computer running SNA Server. The DLL then forwards the host-initiated changes to the Host Account Synchronization Service. This service then locates the network address of the primary Windows 2000 Account Synchronization Service using the resource location of the master Host Account Cache.
After the Host Account Cache is located, the Host Account Synchronization Service sends the password changes to the Host Account Cache service using encrypted remote procedure call (RPC) messages. Once the service receives the changes, it propagates the appropriate changes to every security domain that is a member of the host security domain.
Windows 2000–initiated password synchronization works in a similar manner to host-initiated changes.
The Windows 2000 Account Synchronization Service is installed on a domain controller in one or more Windows 2000 domains. An associated DLL, installed in the same location, receives notice of any password changes that arise in the Windows 2000 domain, regardless of how the change was initiated. The DLL sends Windows 2000–initiated changes to the Windows 2000 Account Synchronization Service using encrypted RPC messages. Once the change is received, the service propagates the appropriate changes in all affected security domains.
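The propagation flow described above, as an added Python model that is not part of the original documentation or the SNA Server product: a security integration DLL hands a change to a synchronization service, the service looks up the originating system's peers in the Host Account Cache, and fans the change out to every other member of the same host security domain. The system names, account, and "echo suppression" (dropping a notification for a password value already propagated, so a two-way sync cannot loop) are constructed assumptions; the encrypted RPC transport is represented only by a log of what would be sent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordChange:
    """One password-change notification handed to a synchronization service."""
    account: str     # user account whose password changed
    origin: str      # system on which the user made the change
    secret_ref: str  # stand-in for the encrypted password payload (constructed)


class HostAccountCache:
    """Stand-in for the master Host Account Cache: which systems belong to
    which host security domain (the real cache also holds the resource
    location of the primary synchronization service)."""
    def __init__(self, host_security_domains):
        self.domains = host_security_domains  # {host security domain: [members]}

    def peers_of(self, system):
        """Every system sharing a host security domain with `system`, itself excluded."""
        return sorted({m for members in self.domains.values()
                       if system in members for m in members} - {system})


class AccountSyncService:
    """Models the receive-and-propagate role played by both the Host Account
    Synchronization Service and the Windows 2000 Account Synchronization Service."""
    def __init__(self, cache):
        self.cache = cache
        self.rpc_log = []  # (target, account) pairs that would go out as encrypted RPC
        self.seen = set()  # (account, secret_ref) already propagated (assumed echo suppression)

    def receive(self, change):
        """Propagate to all peers of the originating system; return the targets notified.
        A password value already propagated for this account is dropped, so a host
        re-trapping a change that was just pushed to it does not start a loop."""
        key = (change.account, change.secret_ref)
        if key in self.seen:
            return []
        self.seen.add(key)
        targets = self.cache.peers_of(change.origin)
        self.rpc_log.extend((t, change.account) for t in targets)
        return targets


def host_dll_notify(service, host, account, secret_ref):
    """Entry point a third-party security integration DLL would call on the SNA Server."""
    return service.receive(PasswordChange(account, host, secret_ref))


def demo():
    cache = HostAccountCache({"PAYROLL": ["AS400-A", "AS400-B", "WIN2K-CORP"],
                              "LOGISTICS": ["AS400-C", "WIN2K-CORP"]})  # constructed
    svc = AccountSyncService(cache)
    first = host_dll_notify(svc, "AS400-A", "jdoe", "ref-001")  # user changes on AS400-A
    echo = host_dll_notify(svc, "AS400-B", "jdoe", "ref-001")   # AS400-B re-traps the push
    return first, echo, len(svc.rpc_log)
```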