I have seen similar problems with Firewall 1; we didn't find the real cause
(not controlling the firewall will do that). Here's what we did.


Create an LMHOSTS file on the WINS server, carefully formatting it to stuff in
the 16th character that indicates who your PDC is, then go into WINSadmin
and import the file; it creates a static WINS entry with the extra bit to
define the service.

This will let your authentication be unicast instead of broadcast; it's a
lot cleaner and is the only way I've found to force WINS to know who has the
function.



Good luck.


+-------------------------------------------------------------------+
Kevin Flanagan
C/S Planning Engineer III
I/T Implementation Department
Branch Banking & Trust Company
3261 Atlantic Avenue, Suite 116
MC: 172-85-01-00
Raleigh, NC  27604
Voice: 919-716-6209
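The LMHOSTS entries that procedure relies on, written out as an added example (this is not text from the message above or from any vendor documentation). The domain name CORPDOM, the host name PDC01 and the address 192.168.10.5 are made up; substitute your own. The detail that matters is the quoting and padding on the second entry: the domain name is padded with spaces to exactly 15 characters inside the quotes so that \0x1B lands in the 16th byte, the NetBIOS suffix that identifies the domain master browser, i.e. the PDC.

```text
# LMHOSTS (added example, constructed for this thread; not from the original message)
# Hypothetical values: replace 192.168.10.5, PDC01 and CORPDOM with your own.

# Plain host entry for the PDC. #PRE preloads it into the NetBIOS name cache;
# #DOM:<domain> marks the host as a domain controller for CORPDOM.
# #PRE must come before #DOM on the line.
192.168.10.5    PDC01           #PRE #DOM:CORPDOM

# Explicit 0x1B (domain master browser / PDC) record. The name inside the
# quotes is CORPDOM padded with spaces to 15 characters, then \0x1B as the
# 16th character. Count the spaces: "CORPDOM" + 8 spaces = 15.
192.168.10.5    "CORPDOM        \0x1B"    #PRE
```

Once the file is in place on the WINS server, import it through the static mappings dialog as described above. On a client you can load the same file into the name cache with `nbtstat -R` and check the result with `nbtstat -c`; the CORPDOM entry with suffix <1B> should be listed against the PDC's address. If the quoted name is not exactly 15 characters before the \0x1B, the entry is silently parsed as an ordinary name and the lookup will still fall back to broadcast.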



-----Original Message-----
From: Jason Gauthier [mailto:[EMAIL PROTECTED]] 
Sent: Monday, August 27, 2001 11:19 AM
To: NT System Admin Issues
Subject: RE: Authenticating from a subnet without a BDC.


I've not changed anything in my PIX configuration. I have been watching the
logs while attempted logins have been made. I've not gotten a single denial
logged yet. (I have fairly verbose logging.)

I downloaded WS_Ping ProPack, and it can gather limited information, but
since it's on a DMZ, most ports are blocked. The methodology involved is
that all can get to the DMZ, and only initiated connections can be used,
unless I've created a conduit through the PIX, which I've done for my PDC:
TCP/UDP on ports 137-139. I *thought* this was all that was needed. Thanks
for the advice; I'll continue plugging away.


> -----Original Message-----
> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 10:52 AM
> To: NT System Admin Issues
> Subject: Re: Authenticating from a subnet without a BDC.
> 
> 
> > I've allowed traffic from the web servers to the domain controllers for
> > authentication purposes.
> 
> VERY dangerous. I suggest that you move authentication to a database if
> possible. If you can't, then you may want to add a new domain in the DMZ
> that will not have a trust to the domain in the inside network.
> 
> If you can't get hardware for a new domain, then I suggest that you look at
> your PIX config. Make sure your conduits are set up correctly. Get a copy of
> WS_Ping ProPack from www.ipswitch.com (or a similar tool) to see if your
> webservers can connect to the ports on the DCs. See if you can even ping
> the DCs.
> 
> hth,
> 
> ~Seth
> 
> Jason Gauthier writes:
> 
> > A recent change in my network has caused some interesting issues, and I
> > wanted to get some advice.
> > 
> > We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
> > web servers on it. (We only have one domain, and kept these part of it.)
> > 
> > I've allowed traffic from the web servers to the domain controllers for
> > authentication purposes. (There is no BDC on the subnet with the web
> > servers. The other subnets do have BDCs.)
> > 
> > Last week things "appeared" to be working correctly. I could log into the
> > servers (not using a cached profile), and from my "inside" subnet I could
> > browse the machines. (The PIX does some funky things with IP address
> > aliasing on a DMZ like this.)
> > 
> > Now, I come in Monday morning, and the machines are no longer getting
> > authentication information from the domain controllers. (This could have
> > occurred last week too, I suppose.) A user changed their password, and now
> > cannot log onto the web server. I understand the web server broadcasts for
> > a domain controller to pick it up, but I also realize that they know the IP
> > addresses (somewhere) of the other domain controllers. I know this because
> > of the firewall logging when it was closed off. The machine attempted
> > connections to every one of my domain controllers. So, it doesn't seem to
> > be authenticating to the domain anymore...
> > 
> > I entered an entry in the lmhosts file pointing out the domain and PDC, but
> > alas, no go.
> > 
> > Anything that can be offered, I'd appreciate. One other small tidbit: the
> > web servers are 2000 systems, everything else is NT4.
> > 
> > Thanks,
> > 
> > Jason
> > 
> > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
> > 