Sorry for the OT post here, but I expect if the answer is known, it will be found here.
We have a third party hardware/software solution that runs Windows CE, and has the capability to dial in, authenticate and communicate with a server application via RAS. The security of this CE device is non-existent (it saves authentication params in an .ini file in clear text), so we've locked things down on the server side as follows:

* W2K Server runs a server application and RRAS. RRAS is set up to not route (local access only, not network). We've done some other things with IP addressing to further ensure no access to the network.
* Accounts used by the CE devices are set up on the local (member) server only, not in the domain.
* Accounts are not members of any groups except a single group that allows them RAS access, and denies access to everything else except the server application.

This all works without problems, but our issue is with Disaster Recovery. The plan is to have an identically configured server on the network at another location. In the event of a disaster, the 1-800 numbers used by the CE devices to dial in would be re-pointed to the appropriate local phone number for the DR Server RAS pool, and things could continue uninterrupted. The only problem is that the DR server has a different name, and because we are using local accounts, the server name is part of the credentials used by the CE device.

We of course have the following options:

* Use domain instead of local accounts. For security and dependency reasons, we don't want to do this.
* Run around the country to reconfigure the CE devices. Not at all practical given the time critical nature of the application.
* On the DR server, configure RAS to allow unauthenticated access. Not my favorite idea, and I can't seem to get this to work (allowed this in both the server config and RAS policy, and set the CE device to provide no credentials. It connects but fails authentication - what am I missing?)
* In the event of a disaster, rename the DR server to the name of the current production server. While possible, this opens up another can of worms that I won't trouble you with.

I've tried dropping the domain (server name) portion of the credentials completely in the client configuration, but this won't work. Does anyone know of a way of defining a (local) domain without being specific? In other words, is there any way to specify that the name of the server being dialed into should be used for the domain portion of the credentials without specifying what that domain is?

If it makes any difference, RAS is allowing both MS-CHAP and MS-CHAPv2, and I believe the CE device uses MS-CHAP exclusively.

I expect a resounding NO to this question, but I've been surprised before. Thanks for reading.

Linton

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
