Can you ping the domain controllers from the web server subnet?


-----Original Message-----
From:   Jason Gauthier [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, August 27, 2001 10:42 AM
To:     NT System Admin Issues
Subject:        Authenticating from a subnet without a BDC.

A recent change in my network has caused some interesting issues, and I
wanted to get some advice.

We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
web servers on it. (We only have one domain, and kept these part of it)

I've allowed traffic from the web servers to the domain controllers for
authentication purposes.  (There is no BDC on the subnet with the web
servers. The other subnets do have BDC's) 

Last week things "appeared" to be working correctly. I could log into the
servers (not using a cached profile) and from my "inside" subnet I could
browse the machines. (The PIX does some funky things with IP address
aliasing on a DMZ like this.)

Now, I come in Monday morning, the machines are no longer getting
authentication information from the domain controllers. (This could have
occurred last week too, I suppose.)  A user changed their password, and now
cannot log onto the web server.  I understand the web server broadcasts for
a domain controller to pick it up, but I also realize that they know the IP
addresses (somewhere) of the other domain controllers. I know this because
of the firewall logging when it was closed off. The machine attempted
connections to every one of my domain controllers.   So, it doesn't seem to
be authenticating to the domain anymore...

I entered an entry in the lmhosts file pointing out the domain and PDC, but
alas, no go.

Anything that can be offered, I'd appreciate. One other small tidbit. The
web servers are 2000 systems, everything else is NT4.

Thanks,

Jason

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
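The "broadcasts for a domain controller" that Jason describes is a NetBIOS name-service (UDP/137) query for the group name DOMAIN<1C>, which every NT4 BDC/PDC registers; a Windows 2000 member of an NT4 domain uses it to find a logon server. The query below is an added example, written for this page and not code from the list post or from Microsoft: it builds and parses that query so you can see why a broadcast never leaves the DMZ subnet (a PIX does not forward it) while a unicast query to a WINS server or a known DC does. The domain name CORP, the transaction ID and the sample response packet are constructed for illustration.

```python
"""NetBIOS name-service (NBNS) lookup of the DOMAIN<1C> group name, which is
how an NT4/Windows 2000 domain member finds its domain controllers.
Added example, not from the list post; the domain name CORP, the transaction
ID and the sample response packet below are constructed for illustration."""
import socket
import struct

NBNS_PORT = 137
SUFFIX_DOMAIN_CONTROLLERS = 0x1C   # DOMAIN<1C>: group name registered by every DC
SUFFIX_DOMAIN_MASTER = 0x1B        # DOMAIN<1B>: unique name registered by the PDC


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-char space-padded name + 1 suffix byte, each
    nibble of each byte written as one letter 'A'..'P' (32 bytes total)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_dc_query(domain: str, txid: int = 0x1234, broadcast: bool = True) -> bytes:
    """NBNS NAME QUERY REQUEST for DOMAIN<1C>. The B flag (0x0010) marks a
    broadcast query; a unicast query to a WINS server or a known DC clears it."""
    flags = 0x0110 if broadcast else 0x0100        # opcode 0 (query), RD, [B]
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(domain, SUFFIX_DOMAIN_CONTROLLERS) + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)   # QTYPE NB, QCLASS IN


def parse_dc_response(data: bytes) -> list:
    """Return the IPv4 addresses carried in a positive NAME QUERY RESPONSE.
    An empty list means no answer, an error RCODE (0x3 = name not found) or
    a malformed packet."""
    if len(data) < 12:
        return []
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not (flags & 0x8000) or (flags & 0x000F) != 0 or an == 0:
        return []
    off = 12 + qd * (34 + 4)      # NBNS responses normally carry no question section
    addrs = []
    for _ in range(an):
        if len(data) < off + 44:
            break
        rr_type, rr_class, _ttl, rdlen = struct.unpack(">HHIH", data[off + 34:off + 44])
        rdata = data[off + 44:off + 44 + rdlen]
        off += 44 + rdlen
        if rr_type != 0x0020 or rr_class != 0x0001:
            continue
        # RDATA: 6-byte entries, NB_FLAGS (bit 15 = group name) followed by an IPv4
        for i in range(0, len(rdata) - 5, 6):
            _nb_flags, ip = struct.unpack(">H4s", rdata[i:i + 6])
            addrs.append(socket.inet_ntoa(ip))
    return addrs


def query_domain_controllers(domain: str, target: str, broadcast: bool,
                             timeout: float = 2.0) -> list:
    """Send the query on the wire (needs network access). With broadcast=True and
    target 255.255.255.255 only DCs on the local subnet can answer, so a DMZ with
    no BDC gets nothing. With broadcast=False and target set to a WINS server or a
    DC address the packet is routable and can cross the firewall."""
    pkt = build_dc_query(domain, broadcast=broadcast)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    if broadcast:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.sendto(pkt, (target, NBNS_PORT))
    found = []
    try:
        while True:                       # several DCs may answer a broadcast
            data, _peer = s.recvfrom(576)
            found.extend(parse_dc_response(data))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


# Constructed positive response: two DCs (10.0.1.5, 10.0.1.6) answering for CORP<1C>.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
    + b"\x20" + encode_netbios_name("CORP", SUFFIX_DOMAIN_CONTROLLERS) + b"\x00"
    + struct.pack(">HHIH", 0x0020, 0x0001, 300000, 12)
    + struct.pack(">H4s", 0xE000, socket.inet_aton("10.0.1.5"))   # group name, H-node
    + struct.pack(">H4s", 0xE000, socket.inet_aton("10.0.1.6"))
)

if __name__ == "__main__":
    print(parse_dc_response(SAMPLE_RESPONSE))
```

Run against the constructed packet it returns the two DC addresses; run live with `query_domain_controllers("CORP", "255.255.255.255", broadcast=True)` from a host on the web-server subnet and you get an empty list whenever no DC shares that subnet, which is the point of the post. The lmhosts route Jason tried works around exactly this: a line of the form `10.0.1.5  PDCNAME  #PRE  #DOM:CORP` (addresses and names here are placeholders) preloads the name cache and marks that host as a domain controller for CORP, after which `nbtstat -R` reloads the cache and `nbtstat -c` shows what was loaded. Whatever resolves the name, the PIX still has to pass at least UDP/137 for the name query and TCP/139 (SMB, which carries the Netlogon named pipe) from the DMZ to every DC that may answer, not only the PDC, since a changed password is validated by whichever DC the member happens to reach.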