Question - Can I force a machine to use a specific DC for Authentication


Guest Clubsprint
Posted

G'day all

my proxy/internet server (2003 service pack 2) runs a product called

Clearswift Mimesweeper that uses NT authentication to validate user data for

instigation of rulesets and reporting. We seem to have a problem with some

users the proxy server is using a different DC to the user's PC to

authenticate and this is then stopping the users from surfing the web when

authentication fails. The problem appears to be that the proxy server is

using a remote (WAN) DC to Authenticate.

Does anyone know how I can force the proxy to authenticate to a particular

or is there some software that will work?

Thanks

Guest Meinolf Weber
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hello Clubsprint,

 

Normally it doesn't matter which DC is used, when your replication between

the DC's is running correctly. Please describe your network setup, how many

sites, how are they connected, how many DC per site and how you set up your

DNS.

 

Did you check replication between the DC's with replmon GUI or repadmin /showrepl

from command line?

 

Did you configure AD sites and services with the subnets and move the DC

to the belonging sites?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 


Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Can you not deploy another MIMEsweeper for Web in the other location where the users are having issues? It's a bit heavy-handed, but if your replication isn't working properly then it's a solution.

You could log a support call with your Clearswift partner network who I am sure would be happy to discuss options with you.

 

Rgds

 

Alyn Hockey

Director Product Management

Clearswift

Guest Clubsprint
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

We have a central site with 2 DC's and six regional sites all with a DC.

HODC1 is Schema owner, Domain role owner, PDC role, RID pool manager and GC

server

HODC2 is Infrastructure owner

 

I've checked the replication and all is OK

 

AD sites and services setup is fine and all replication is working (our AD

site is about 7 years old)

 

Links for regional sites are between 20Mb and 2Mb per site.

 

The problem will generally affect users after they change their passwords

but will sometimes just appear out of the blue.

 

Clearswift vendor and local office have said it's a problem when the

authentication of the user and the proxy server happens at different boxes,

hence I want to force the proxy to authenticate to HODC1.

 

Thanks

Mark

 

 

 

Guest Meinolf Weber
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hello Clubsprint,

 

If they are in one site passwords are updated immediately between the DC's,

if they are in different sites the lowest replication time is 15 minutes configurable

in ADSS. So depending on which site the password will be changed the new

password needs time for replication. So even to set the proxy to one fixed

DC will not help if the user is in a different site than that DC.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 


Guest Clubsprint
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb6697148caf8c8f7dd5961@msnews.microsoft.com...

> Hello Clubsprint,

>

> If they are in one site passwords are updated immediately between the

> DC's, if they are in different sites the lowest replication time is 15 minutes

> configurable in ADSS. So depending on which site the password will be

> changed the new password needs time for replication. So even to set the

> proxy to one fixed DC will not help if the user is in a different site

> than that DC.

>

 

Here's my problem. You check replication and there are no errors however

we will get a replication problem for a number of days. It's the weirdest

thing.

It's annoying enough management that there are noises about removing the

product altogether.

Guest Meinolf Weber
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hello Clubsprint,

 

Please post an unedited dcdiag /v, netdiag /v and repadmin /showrepl from

all DC's here. If the output is too big, pipe it to a text file like this:

 

dcdiag /v >C:\dcdiag.log

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 


Guest Clubsprint
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hi Meinolf

Don't know as I'm all that comfortable posting all that info to the web.

Can I email it to you? My email is clubsprint at gmail dot com

Thanks

 

Guest Meinolf Weber
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hello Clubsprint,

 

I think you will use private IP ranges like 10.x.x.x, 192.x.x.x or 172.x.x.x

so with these IPs nobody can reach you. Your server/domain name you can replace

with something like server1 or domain.local.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
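
The redaction suggested in the post above, as an added example that is not part of the original thread: a small Python filter that rewrites server and domain names in saved diagnostic output to stable placeholders, leaves RFC 1918 addresses alone, masks any other IPv4 address, and then reports names that survived. HODC1 and HODC2 come from the thread; the domain `corp.example.com`, the NetBIOS name `CORP` and the sample log lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 ranges are left as-is, following the reasoning in the post.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def _mask_ip(m):
    try:
        addr = ip_address(m.group(0))
    except ValueError:                  # not a valid address: leave untouched
        return m.group(0)
    return m.group(0) if any(addr in n for n in RFC1918) else "x.x.x.x"

def sanitize(text, dns_domain, netbios, hosts):
    """Return (sanitized_text, host_mapping); arguments are the real names to hide."""
    # LDAP form first: DC=corp,DC=example,DC=com -> DC=domain,DC=local
    dn = ",".join("DC=" + re.escape(p) for p in dns_domain.split("."))
    out = re.sub(dn, "DC=domain,DC=local", text, flags=re.I)
    out = re.sub(r"\b%s\b" % re.escape(dns_domain), "domain.local", out, flags=re.I)
    out = re.sub(r"\b%s\b" % re.escape(netbios), "DOMAIN", out, flags=re.I)
    # The same host always maps to the same placeholder, so the log stays readable.
    mapping = {h.lower(): "server%d" % i for i, h in enumerate(hosts, 1)}
    names = "|".join(re.escape(h) for h in sorted(hosts, key=len, reverse=True))
    out = re.sub(r"\b(%s)\b" % names, lambda m: mapping[m.group(1).lower()], out, flags=re.I)
    return IPV4.sub(_mask_ip, out), mapping

def leftovers(text, secrets):
    """Names still present anywhere in the text (substring match, case-insensitive)."""
    low = text.lower()
    return [s for s in secrets if s.lower() in low]

# Constructed sample lines in the style of diagnostic output (not real tool output).
SAMPLE = (
    "Testing server: Default-First-Site-Name\\HODC1\n"
    "HODC1.corp.example.com resolved to 10.1.0.10\n"
    "Replication partner: HODC2 via RPC, DC=corp,DC=example,DC=com\n"
    "Machine account CORP\\HODC1$ forwarder 8.8.8.8\n"
)

if __name__ == "__main__":
    clean, mapping = sanitize(SAMPLE, "corp.example.com", "CORP", ["HODC1", "HODC2"])
    print(clean)
    print("still present:", leftovers(clean, ["HODC1", "HODC2", "corp.example.com", "CORP"]))
```

Run `leftovers` on the result before posting: word-boundary matching misses names embedded in longer identifiers, and the substring check catches those.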

 


  • 2 weeks later...
Guest Meinolf Weber
Posted

Re: Question - Can I force a machine to use a specific DC for Authentication

 

Hello Clubsprint,

 

I cannot find your postings here with the results.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 


