Deploy LAPS for an AD system with multiple sites
Our system consists of numerous sites and DCs. Is there a solution to establish a dedicated DC to synchronize Local Administrator passwords from all sites to one DC for easier management?
2 Comments
- Cliff_Fisher
Microsoft
Status changed: New to Not at this time
- JaySimmons
Microsoft
Hi KIMBOT,
There are no plans for this. In what way would this suggestion make management easier?
Active Directory serves as the database for Windows LAPS, and AD is a multi-master, distributed datastore - I think this is a good thing. If you want though, you can declare by convention for yourself that one particular DC is the one that you will use for all Windows LAPS password queries and password resets. You can manually force replication synchronization as needed to try to keep that one particular DC as up-to-date as possible with all client LAPS passwords. But I don't think this actually gains you anything real in terms of security or robustness?
Jay
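The "one DC by convention" workaround from the reply above, written out as an added PowerShell example (it is not code from the thread or from Microsoft): the DC name and the computer name are assumed placeholders, replication is pulled into that DC with repadmin, and the Windows LAPS cmdlets are pointed at it with -DomainController.

```powershell
# Added example: pin all Windows LAPS reads and resets to one DC by convention.
# $LapsDc and the computer name below are assumed values; replace with your own.
$LapsDc = 'DC01.corp.example.com'   # the DC you choose as your LAPS "console"
$Target = 'WS-FINANCE-01'           # assumed computer name

# Pull the latest changes from every replication partner into $LapsDc
# (/A = all naming contexts, /e = include partners in other sites, /q = quiet).
# This only shortens replication lag; it does not make $LapsDc authoritative,
# every other DC still holds the same LAPS attributes.
& repadmin.exe /syncall $LapsDc /A /e /q
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin exit code $LASTEXITCODE; $LapsDc may still be stale"
}

# Read the managed local admin password from the designated DC only.
# Requires the Windows LAPS PowerShell module (shipped with current Windows builds).
# The password itself is deliberately not echoed to the console here.
$entry = Get-LapsADPassword -Identity $Target -DomainController $LapsDc -AsPlainText
'{0}\{1} last set {2}, expires {3}' -f $entry.ComputerName, $entry.Account,
                                       $entry.PasswordUpdateTime, $entry.ExpirationTimestamp

# Force a rotation through the same DC: expiring the password makes the client
# set a new one on its next LAPS policy run and write it back to AD.
Set-LapsADPasswordExpirationTime -Identity $Target -DomainController $LapsDc
```

Reads still pass through the normal LAPS ACLs on the computer object and are logged on whichever DC you query, so pinning a DC mainly gives you one predictable place to watch; it does not change who can retrieve passwords.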