>I've allowed traffic from the web servers to the domain controllers for
authentication purposes. 

VERY dangerous. I suggest that you move authentication to a database if 
possible. If you can't, then you may want to add a new domain in the DMZ 
that will not have a trust to the domain in the inside network. 

If you can't get hardware for a new domain, then I suggest that you look at 
your PIX config. Make sure your conduits are set up correctly. Get a copy of 
WS_Ping ProPack from www.ipswitch.com (or a similar tool) to see if your 
webservers can connect to the ports on the DCs. See if you can even ping 
the DCs. 

hth, 

~Seth 

Jason Gauthier writes: 

> A recent change in my network has caused some interesting issues, and I
> wanted to get some advice. 
> 
> We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
> web servers on it. (We only have one domain, and kept these part of it) 
> 
> I've allowed traffic from the web servers to the domain controllers for
> authentication purposes.  (There is no BDC on the subnet with the web
> servers. The other subnets do have BDC's)  
> 
> Last week things "appeared" to be working correctly. I could log into the
> servers (not using a cached profile) and from my "inside" subnet I could
> browse the machines. (The PIX does some funky things with IP address
> aliasing on a DMZ like this.) 
> 
> Now, I come in Monday morning, the machines are no longer getting
> authentication information from the domain controllers. (This could have
> occurred last week too, I suppose).  A user changed their password, and now
> cannot log onto the web server.  I understand the web server broadcasts for
> a domain controller to pick it up, but I also realize that they know the IP
> addresses (somewhere) of the other domain controllers. I know this because
> of the firewalling logging when it was closed off. The machine attempted
> connections to every one of my domain controllers.   So, it doesn't seem to
> be authenticating to the domain anymore... 
> 
> I entered an entry in the lmhosts file pointing out the domain and PDC, but
> alas, no go. 
> 
> Anything that can be offered, I'd appreciate. One other small tidbit. The
> web servers are 2000 systems, everything else is NT4. 
> 
> Thanks, 
> 
> Jason 
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
> 
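A scripted version of the connectivity test Seth recommends, added here as an example (it is not code from the list post or from WS_Ping). It tries a TCP connect from the DMZ web server to the ports that NT4 / Windows 2000 domain logon relies on and reports which ones the PIX conduits actually let through. The DC addresses are constructed placeholders; the port list and timeout are assumptions.

```python
import socket

# TCP ports a domain member needs to reach on a DC for logon and
# password changes. NT4-style logon runs SMB/RPC over NetBIOS session
# (139); Windows 2000 members also try direct-hosted SMB (445) and use
# the RPC endpoint mapper (135) for some domain RPC calls.
# NetBIOS name/datagram services (137/138) are UDP and cannot be
# verified with a TCP connect, so they are not in this list.
DC_TCP_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session (SMB/RPC over NetBIOS)",
    445: "SMB direct host (Windows 2000 members)",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def probe_dc(host, ports=DC_TCP_PORTS, timeout=2.0):
    """Map each port to whether the DC accepted the connection."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def diagnose(results, ports=DC_TCP_PORTS):
    """Describe every blocked port and the service that depends on it."""
    return [
        f"{port}/tcp blocked: {ports.get(port, 'unknown service')}"
        for port, ok in sorted(results.items())
        if not ok
    ]


if __name__ == "__main__":
    # Constructed placeholder DC addresses; replace with your PDC/BDCs.
    for dc in ("192.0.2.10", "192.0.2.11"):
        results = probe_dc(dc)
        problems = diagnose(results)
        print(dc, "OK" if not problems else "")
        for line in problems:
            print("   ", line)
```

Run it from the web server itself so the probes cross the same PIX interface the logon traffic does; a port that shows as blocked here is a conduit to fix, not a DC problem.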