Question - Can I force a machine to use a specific DC for Authentication

Clubsprint
G'day all
my proxy/internet server (2003 service pack 2) runs a product called
Clearswift Mimesweeper that uses NT authentication to validate user data for
instigation of rulesets and reporting. We seem to have a problem with some
users the proxy server is using a different DC to the user's PC to
authenticate and this is then stopping the users from surfing the web when
authentication fails. The problem appears to be that the proxy server is
using a remote (WAN) DC to authenticate.
Does anyone know how I can force the proxy to authenticate to a particular
or is there some software that will work?
Thanks
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hello Clubsprint,

Normally it doesn't matter which DC is used, when your replication between
the DCs is running correctly. Please describe your network setup, how many
sites, how are they connected, how many DCs per site and how you set up your
DNS.

Did you check replication between the DCs with replmon GUI or repadmin /showrepl
from command line?

Did you configure AD sites and services with the subnets and move the DCs
to the sites they belong to?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Re: Question - Can I force a machine to use a specific DC for Authentication

Can you not deploy another MIMEsweeper for Web in the other location where the users are having issues? It's a bit heavy-handed, but if your replication isn't working properly then it's a solution.

You could log a support call with your Clearswift partner network, who I am sure would be happy to discuss options with you.

Rgds

Alyn Hockey
Director Product Management
Clearswift
 
Re: Question - Can I force a machine to use a specific DC for Authentication

We have a central site with 2 DCs and six regional sites all with a DC.
HODC1 is Schema owner, Domain role owner, PDC role, RID pool manager and GC
server
HODC2 is Infrastructure owner

I've checked the replication and all is OK

AD sites and services setup is fine and all replication is working (our AD
site is about 7 years old)

Links for regional sites are between 20Mb and 2Mb per site.

The problem will generally affect users after they change their passwords
but will sometimes just appear out of the blue.

Clearswift vendor and local office have said it's a problem when the
authentication of the user and the proxy server happens at different boxes,
hence I want to force the proxy to authenticate to HODC1.

Thanks
Mark
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hello Clubsprint,

If they are in one site passwords are updated immediately between the DCs,
if they are in different sites the lowest replication time is 15 minutes, configurable
in ADSS. So depending on which site the password will be changed the new
password needs time for replication. So even to set the proxy to one fixed
DC will not help if the user is in a different site than that DC.

Best regards

Meinolf Weber
 
Re: Question - Can I force a machine to use a specific DC for Authentication


"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6697148caf8c8f7dd5961@msnews.microsoft.com...
> Hello Clubsprint,
>
> If they are in one site passwords are updated immediately between the
> DCs, if they are in different sites the lowest replication time is 15 minutes,
> configurable in ADSS. So depending on which site the password will be
> changed the new password needs time for replication. So even to set the
> proxy to one fixed DC will not help if the user is in a different site
> than that DC.
>


Here's my problem. You check replication and there are no errors, however
we will get a replication problem for a number of days. It's the weirdest
thing.
It's annoying management enough that there are noises about removing the
product altogether.
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hello Clubsprint,

Please post an unedited dcdiag /v, netdiag /v and repadmin /showrepl from
all DCs here. If the output is too big, pipe it to a text file like this:

dcdiag /v >C:\dcdiag.log

Best regards

Meinolf Weber
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hi Meinolf
Don't know as I'm all that comfortable posting all that info to the web.
Can I email it to you? My email is clubsprint at gmail dot com
Thanks
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hello Clubsprint,

I think you will use private IP ranges like 10.x.x.x, 192.x.x.x or 172.x.x.x,
so with these IPs nobody can reach you. Your server/domain name you can replace
with something like server1 or domain.local.

Best regards

Meinolf Weber


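The renaming suggested in the post above (server1, domain.local), as an added example that is not part of the original thread: a small redactor to run over saved dcdiag/repadmin output before posting it. It gives each DC a stable alias so replication partners stay distinguishable, leaves RFC 1918 addresses readable and masks every other IPv4 address. The domain name `corp.example.com`, the function names and the sample lines are constructed assumptions; only HODC1 and HODC2 come from the thread.

```python
import ipaddress
import re

# RFC 1918 ranges: not routable from the internet, so left readable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _mask_ip(match):
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:  # not a valid address, e.g. an octet above 255
        return match.group(0)
    return match.group(0) if any(addr in n for n in PRIVATE_NETS) else "x.x.x.x"


def make_redactor(dns_domain, hosts):
    """Return redact(text) for one domain; matching is case-insensitive."""
    # Stable aliases keep replication partners distinguishable after redaction.
    alias = {h.lower(): f"server{i}" for i, h in enumerate(hosts, 1)}
    longest_first = sorted(hosts, key=len, reverse=True)
    host_re = re.compile(
        r"\b(" + "|".join(re.escape(h) for h in longest_first) + r")\b",
        re.IGNORECASE)
    # Distinguished-name form of the domain, e.g. DC=corp,DC=example,DC=com
    dn = ",".join("DC=" + label for label in dns_domain.split("."))
    dn_re = re.compile(re.escape(dn), re.IGNORECASE)
    dns_re = re.compile(re.escape(dns_domain), re.IGNORECASE)

    def redact(text):
        text = dn_re.sub("DC=domain,DC=local", text)
        text = dns_re.sub("domain.local", text)
        text = host_re.sub(lambda m: alias[m.group(1).lower()], text)
        return IPV4_RE.sub(_mask_ip, text)

    return redact


# Constructed sample in the style of dcdiag/repadmin output, not real data.
SAMPLE = """\
Testing server: Default-First-Site-Name\\HODC1
   hodc1.corp.example.com resolved to 10.1.0.10
   Source: HODC2.corp.example.com via 203.0.113.7
   CN=HODC2,OU=Domain Controllers,DC=corp,DC=example,DC=com
"""

if __name__ == "__main__":
    print(make_redactor("corp.example.com", ["HODC1", "HODC2"])(SAMPLE))
```

Site names, user names and the NetBIOS domain name are not covered by this sketch and would need their own entries before the log is shared.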
 
Re: Question - Can I force a machine to use a specific DC for Authentication

Hello Clubsprint,

I cannot find your postings here with the results.

Best regards

Meinolf Weber