Theoretically.
I only allow echo-replies. But the PDC can ping the web servers.

> -----Original Message-----
> From: Correa, Andre [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 10:51 AM
> To: NT System Admin Issues
> Subject: RE: Authenticating from a subnet without a BDC.
> 
> 
> Can you ping the domain controllers from the web server subnet?
> 
> 
> -----Original Message-----
> From: Jason Gauthier [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 10:42 AM
> To: NT System Admin Issues
> Subject: Authenticating from a subnet without a BDC.
> 
> A recent change in my network has caused some interesting issues, and I
> wanted to get some advice.
> 
> We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
> web servers on it. (We only have one domain, and kept these part of it.)
> 
> I've allowed traffic from the web servers to the domain controllers for
> authentication purposes. (There is no BDC on the subnet with the web
> servers. The other subnets do have BDCs.)
> 
> Last week things "appeared" to be working correctly. I could log into the
> servers (not using a cached profile) and from my "inside" subnet I could
> browse the machines. (The PIX does some funky things with IP address
> aliasing on a DMZ like this.)
> 
> Now, I come in Monday morning, and the machines are no longer getting
> authentication information from the domain controllers. (This could have
> occurred last week too, I suppose.) A user changed their password, and now
> cannot log onto the web server. I understand the web server broadcasts for
> a domain controller to pick it up, but I also realize that they know the IP
> addresses (somewhere) of the other domain controllers. I know this because
> of the firewall logging when it was closed off. The machine attempted
> connections to every one of my domain controllers. So, it doesn't seem to
> be authenticating to the domain anymore...
> 
> I entered an entry in the lmhosts file pointing out the domain and PDC, but
> alas, no go.
> 
> Anything that can be offered, I'd appreciate. One other small tidbit: the
> web servers are 2000 systems, everything else is NT4.
> 
> Thanks,
> 
> Jason
> 
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> 
> 
> 
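As an added example (not from anyone in this thread), this is what the lmhosts entries Jason describes would look like on the Web server, with the two lines NT domain logon actually depends on; PDC01, BDC01, MYDOMAIN and the 192.0.2.x addresses are placeholders:

```text
# lmhosts on the Web server (%SystemRoot%\system32\drivers\etc\lmhosts)
# Constructed example; every name and address below is a placeholder.

# 1) The PDC. #PRE preloads the entry into the NetBIOS name cache;
#    #DOM:MYDOMAIN marks the host as a domain controller for MYDOMAIN, so
#    logon and password-change requests go to it directly rather than
#    relying on a broadcast that never crosses the PIX.
192.0.2.10   PDC01   #PRE   #DOM:MYDOMAIN

# 2) The domain's <1B> name (domain master browser / PDC). The name inside
#    the quotes must be padded with spaces to exactly 15 characters before
#    \0x1B; a shorter or longer name makes the entry silently ignored.
192.0.2.10   "MYDOMAIN       \0x1B"   #PRE

# 3) Optional: a BDC that is reachable through the PIX, in the same form.
192.0.2.11   BDC01   #PRE   #DOM:MYDOMAIN
```

After saving, `nbtstat -R` purges and reloads the cache and `nbtstat -c` should list the names as preloaded entries. Entries alone prove nothing about the firewall: the PIX still has to pass UDP 137, UDP 138 and TCP 139 from the Web servers to each listed DC, and an ICMP-only test (echo-replies) cannot confirm that.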
