<snip>
> I have users in branches all across the company that log on to other
> BDCs in other cities.  E.g. someone in Vancouver logging into, say,
> Montreal.
> Does anyone know of a port that I can block off of each branch
> router (I'm currently using 3661s) to stop that?  Or a Win2k setting I
> can modify to specify what server to log in to?  I know I can probably
> specify that in the login script; if so, what command do I use?
> Or a registry setting in Win2k/9x?
<snip>

I assume that you are using NT 4 servers in the backend?  If you are using
Win2K servers, you can make the NT/9x clients Active Directory aware by
installing DSClient.exe, which will 'encourage' the clients to authenticate
with their local DC before running over the WAN to a random DC.

There is no real way to control what DC authenticates a client in the NT 4
world, and you can't block a logon script 'port' as the client runs the
logon script using a UNC path (i.e. \\DCNAME\netlogon\yourscript.bat).  The
only way to stop this would be to block all file sharing traffic over the
link (which I assume you don't).

A way around the problem is to use a batch file that allows initial
authentication to occur at any DC, but then forces the logon script to
execute from a local DC.  The basic idea is to run ipconfig on the client,
which will output the IP address, network mask and default router.  These
settings are saved to a text file, which can then be searched; a match on
the default router value determines the LAN that the user is logging in
from.

Sample script:

@echo off

rem The CFG_SVR is your 'default' DC, probably the PDC or at least a DC
rem closest to the 'centre' of your NT network.  This is an initial value to
rem ensure that the script always has a server to contact.

  set CFG_SVR=DEFDC

rem If Windows 95, ipconfig.exe must be copied down in order to
rem complete the following task.  Always do the initial copy
rem from CFG_SVR.  All other OSes have a compatible copy of
rem ipconfig.exe installed with their TCP/IP stack.

  ver | find /I "95"
  if not errorlevel 1 goto 95_98
  goto ALL_SYS

:95_98

rem Copy from the default DC (CFG_SVR) so the script does not depend on
rem one hard-coded server being reachable.
  if not exist %windir%\ipconfig.exe copy \\%CFG_SVR%\netlogon\bin\ipconfig.exe %windir%\ipconfig.exe

:ALL_SYS

  net use /persistent:no  > NUL

rem Find the current subnetwork by checking the output from ipconfig
rem against a list of known default router addresses

  ipconfig > %windir%\ipconfig.logon

  type %windir%\ipconfig.logon | find /I "10.1.1.254" > NUL
  if not errorlevel 1 goto SITE1

rem Each site must test for its own default router address; the second
rem site's address here is a placeholder.
  type %windir%\ipconfig.logon | find /I "10.1.2.254" > NUL
  if not errorlevel 1 goto SITE2

  goto SLOW_NET

:SITE1

rem In this section you set the CFG_SVR variable to a DC at the specific site
rem that you are trying to control the logon script for.  Then once you have
rem set the variable, you can execute a logon script on a specific server that
rem has been created for this site only.  Remember that the CFG_SVR
rem variable will be available to the new batch file (in this case SITE1.bat)
rem so you can use it to launch other processes on a specific server in a
rem controlled fashion.

  set CFG_SVR=SITE1DC
  echo.
  echo     Current LAN:       SITE1
  echo     LAN Logon Server:  %CFG_SVR%

  start /wait \\%CFG_SVR%\netlogon\SITE1.bat

  goto RUN_MAIN

:SITE2

  set CFG_SVR=SITE2DC
  echo.
  echo     Current LAN:       SITE2
  echo     LAN Logon Server:  %CFG_SVR%

rem Run this site's own script, not SITE1's.
  start /wait \\%CFG_SVR%\netlogon\SITE2.bat

  goto RUN_MAIN

:SLOW_NET

rem This part of the script is just a handler for unknown
rem networks or in the event of an error.

  set CFG_SVR=DEFDC
  echo.
  echo     Current LAN:       Remote or Unknown
  echo     LAN Logon Server:  %CFG_SVR%
  echo.
  echo     NOTICE:
  echo.
  echo     You have connected to the network
  echo     from an unknown or undefined location
  echo.
  echo     Please call the Help Desk for Assistance.
  echo.
  pause
  goto RUN_MAIN

:RUN_MAIN

  echo     Script Completed

  set CFG_SVR=

Hope this helps.

Regards

Adam Burgess
Brisbane, Australia
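The gateway-to-site lookup that the script does with find, redone as an added Python example (not part of Adam's post): it matches the Default Gateway field of the ipconfig output exactly instead of searching the whole dump for a substring, and skips adapters that have no gateway. The site table, DC names and ipconfig sample are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed site table: default router -> (site name, DC that hosts the
# site's logon script).  Names and addresses are assumptions, not real hosts.
SITE_BY_GATEWAY = {
    "10.1.1.254": ("SITE1", "SITE1DC"),
    "10.1.2.254": ("SITE2", "SITE2DC"),
}
DEFAULT_DC = "DEFDC"  # fallback, mirroring the script's SLOW_NET handler

# Matches the 'Default Gateway . . . : a.b.c.d' line of ipconfig output.
# Only spaces/tabs are allowed after the colon so an adapter with an empty
# gateway cannot swallow the first word of the next line.
_GW_RE = re.compile(r"^\s*Default Gateway[ .]*:[ \t]*(\S+)[ \t]*$",
                    re.IGNORECASE | re.MULTILINE)

def default_gateways(ipconfig_text: str) -> List[str]:
    """Return every non-empty default gateway, one per adapter, in order."""
    return [m.group(1) for m in _GW_RE.finditer(ipconfig_text)]

def choose_logon_server(ipconfig_text: str) -> Tuple[str, str, Optional[str]]:
    """Return (site, DC, UNC of site script) for the first known gateway.
    Exact lookup replaces the script's substring search (110.1.1.254 no longer
    matches 10.1.1.254); unknown networks fall back to DEFDC, no site script."""
    for gw in default_gateways(ipconfig_text):
        if gw in SITE_BY_GATEWAY:
            site, dc = SITE_BY_GATEWAY[gw]
            return site, dc, rf"\\{dc}\netlogon\{site}.bat"
    return "Remote or Unknown", DEFAULT_DC, None

# Constructed ipconfig output: a LAN adapter at SITE2 plus a dial-up
# adapter with no default gateway (its empty gateway line is skipped).
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.1.2.37
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.2.254

PPP adapter Dial-up:

        IP Address. . . . . . . . . . . . : 192.168.50.9
        Default Gateway . . . . . . . . . :
"""

if __name__ == "__main__":
    print(choose_logon_server(SAMPLE_IPCONFIG))
```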

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]