As part of our NAC implementation we are doing SSO by authenticating against AD. That means that we need to run KTpass.exe on one domain controller in the AD domain.
The expectation that we have based upon documentation is that the userid and associated information will propagate to the other domain controllers and that we will be able to authenticate no matter which server we communicate with.
The MS team has some concerns, and in addition to having them talk to MS, I thought I would pose the questions here.
Can the KTpass command be undone?
Can replication be confirmed without shutting down the original DC?
Are there any known issues that we should know about beforehand?