IS Forum
Old 19th February 2021, 12:34 PM   #1
twinstead
Penultimate Amazing
Join Date: Apr 2005
Posts: 12,374
AD Question

Folks, I have a question. I'm having bad luck googling it because of the difficulty in explaining it in just a few words.

We have 2 trusted domains with 2 DCs in each, connected by a point-to-point VPN. We have an Exchange Server in my domain, and have linked mail users who use my Exchange Server but need to authenticate to their local domain.

Sometimes, when the point-to-point VPN is down, they are unable to log into their email because the exchange server in my domain can't authenticate them on their domain--it of course can't find their domain controllers. That includes OWA from their homes, which is a big hassle during longer outages.

One solution I was thinking about was adding a domain controller for their domain in my domain, so that when they have internet access at least but the point-to-point is down, my exchange server can authenticate them from their DC on my domain.

1. Does my situation make any sense?
2. Is it possible? (I know how to add DCs to an existing domain, just never like this)
3. If possible, is it stupid?
__________________
You are not entitled to your opinion. You are entitled to your INFORMED opinion. No one is entitled to be ignorant. -- Harlan Ellison
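One check worth running from the Exchange side before (and after) placing a DC of the other domain in the local site is whether the trusted domain's DCs can be located and reached at all. This is an added example, not from the thread; the domain name is an assumed placeholder and the script relies on the ActiveDirectory module and NetTCPIP cmdlets.

```powershell
# Added example (not part of the original thread). Run on a domain-joined
# machine in the Exchange domain. $TrustedDomain is an assumed placeholder.
param(
    [string]$TrustedDomain = 'remote.example.local'
)
Import-Module ActiveDirectory

# 1. Is there a trust object for the other domain, and in which direction?
$trust = Get-ADTrust -Filter "Target -eq '$TrustedDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object found for $TrustedDomain in this domain"
} else {
    "Trust to $($trust.Target): direction=$($trust.Direction) type=$($trust.TrustType)"
}

# 2. Can the DC locator find a DC for the trusted domain from this site?
#    When the point-to-point VPN is down and no DC of that domain sits in
#    the local site, this step is what fails for the Exchange server.
try {
    $dc = Get-ADDomainController -DomainName $TrustedDomain -Discover -ErrorAction Stop
    $dcHost = [string]$dc.HostName
    "Located DC $dcHost for $TrustedDomain in site $($dc.Site)"
} catch {
    Write-Warning "DC locator could not find a DC for $TrustedDomain : $_"
    return
}

# 3. Are the ports authentication depends on reachable? Kerberos, LDAP,
#    SMB/Netlogon and RPC endpoint mapper must all cross the VPN.
foreach ($port in 88, 389, 445, 135) {
    $r = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
    "{0}:{1} reachable={2}" -f $dcHost, $port, $r.TcpTestSucceeded
}

# 4. Verify the secure channel to the trusted domain (built-in tool).
nltest /sc_verify:$TrustedDomain
```

If step 2 succeeds while the VPN is down, the locally placed DC is being found as intended; if it succeeds but step 3 fails, the site or subnet definitions are still steering clients to the remote DCs.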
Old 19th February 2021, 01:18 PM   #2
theprestige
Penultimate Amazing
Join Date: Aug 2007
Location: Hong Kong
Posts: 50,616
My gut tells me this setup or something like it is probably illustrated somewhere in a Microsoft AD manual. Probably under a heading like "distributed authentication" or "HA domain controllers" or some such. But that's about.
Old 19th February 2021, 03:12 PM   #3
Blue Mountain
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 6,520
Please keep in mind that when it comes to Active Directory, I'm like a Catholic priest giving marriage advice. I'm relying on some 40 years of experience in IT but have no experience with AD.

Having said that, is it possible to configure your DC to delegate some authentication to the other DC, and temporarily cache the result? That is,
  • If user is not on your DC, ask the other DC if it can authenticate the user
  • If the other DC is available, use and cache its result
  • If the other DC is not available, check the cache
  • If user is in the cache, authentication succeeds
  • If user is not in the cache, authentication fails

I'm assuming the cache is not permanent, but expires after a few hours.
__________________
The social illusion reigns to-day upon all the heaped-up ruins of the past, and to it belongs the future. The masses have never thirsted after truth. They turn aside from evidence that is not to their taste, preferring to deify error, if error seduce them. Gustav Le Bon, The Crowd, 1895 (from the French)
Canadian or living in Canada? PM me if you want an entry on the list of Canadians on the forum.
Old 19th February 2021, 07:25 PM   #4
plague311
Great minds think...
Join Date: Dec 2011
Location: North Dakota
Posts: 8,788
Originally Posted by Blue Mountain:
Please keep in mind that when it comes to Active Directory, I'm like a Catholic priest giving marriage advice. I'm relying on some 40 years of experience in IT but have no experience with AD.

Having said that, is it possible to configure your DC to delegate some authentication to the other DC, and temporarily cache the result? That is,
  • If user is not on your DC, ask the other DC if it can authenticate the user
  • If the other DC is available, use and cache its result
  • If the other DC is not available, check the cache
  • If user is in the cache, authentication succeeds
  • If user is not in the cache, authentication fails

I'm assuming the cache is not permanent, but expires after a few hours.
The credentials are only cached for login, and they don't expire. If I log in to my domain at work and take my lappy somewhere else, I can always log in using the last credentials I used to log in with. Even if I change my password on my work domain, the old PW will work until I connect to the network again.

I think the issue here is the email clients aren't able to connect back to the exchange server to update the emails. If OWA isn't working either, does that mean the exchange server isn't syncing with OWA? I'm a little confused on that.

By point-to-point VPN are the routers managing the VPN or is it a client you're using?

ETA: Does each location have its own domain name?
__________________
"Circumcision and death threats go together like milk and cookies." - William Parcher

“There are times when the mind is dealt such a blow it hides itself in insanity. While this may not seem beneficial, it is. There are times when reality is nothing but pain, and to escape that pain the mind must leave reality behind.” - Patrick Rothfuss

Last edited by plague311; 19th February 2021 at 07:26 PM.
Old 21st February 2021, 03:05 PM   #5
twinstead
Penultimate Amazing
Join Date: Apr 2005
Posts: 12,374
Originally Posted by plague311:
The credentials are only cached for login, and they don't expire. If I log in to my domain at work and take my lappy somewhere else, I can always log in using the last credentials I used to log in with. Even if I change my password on my work domain, the old PW will work until I connect to the network again.

I think the issue here is the email clients aren't able to connect back to the exchange server to update the emails. If OWA isn't working either, does that mean the exchange server isn't syncing with OWA? I'm a little confused on that.
That is correct. It doesn't use cached credentials; when the client requests to log in, their login must be authenticated with their own AD. If the point-to-point is down, nobody gets that authentication.

Quote:
By point-to-point VPN are the routers managing the VPN or is it a client you're using?
Yes, it is a permanent VPN with the firewalls managing it.

Quote:
ETA: Does each location have its own domain name?
Yes, each domain is a separate domain with its own name and its own DCs. They are trusted.
Old 22nd February 2021, 01:08 PM   #6
plague311
Great minds think...
Join Date: Dec 2011
Location: North Dakota
Posts: 8,788
Originally Posted by twinstead:
That is correct. It doesn't use cached credentials; when the client requests to log in, their login must be authenticated with their own AD. If the point-to-point is down, nobody gets that authentication.

Yes, it is a permanent VPN with the firewalls managing it.

Yes, each domain is a separate domain with its own name and its own DCs. They are trusted.
Man, I got nothing. It seems pretty intricate, and I mostly work on simple networks: a few DCs, maybe an app server, and a router-on-a-stick type of configuration.

Have you tried a place like Spiceworks? They get really granular with where you post your questions, and some of those people are just insane with their knowledge. They've helped me out of a few database jams because I suck with SQL.
Old 22nd February 2021, 01:29 PM   #7
theprestige
Penultimate Amazing
Join Date: Aug 2007
Location: Hong Kong
Posts: 50,616
If we're recommending places like Spiceworks, shouldn't we recommend Microsoft support? It's been a while since I've done any serious work with their products, but my experience was that they provided the same quality of vendor support that I've come to expect from any enterprise product: Hit their support site, provide your license and problem statement, and they get back to you with a followup usually the same day.

If it can be done, Microsoft Support should be able to tell you exactly how to do it (and it's probably documented somewhere in here).

And if it can't be done, Spiceworks won't be able to help you anyway.
Old 23rd February 2021, 08:00 AM   #8
plague311
Great minds think...
Join Date: Dec 2011
Location: North Dakota
Posts: 8,788
Originally Posted by theprestige:
If we're recommending places like Spiceworks, shouldn't we recommend Microsoft support? It's been a while since I've done any serious work with their products, but my experience was that they provided the same quality of vendor support that I've come to expect from any enterprise product: Hit their support site, provide your license and problem statement, and they get back to you with a followup usually the same day.

If it can be done, Microsoft Support should be able to tell you exactly how to do it (and it's probably documented somewhere in here).

And if it can't be done, Spiceworks won't be able to help you anyway.
To each their own, it was just a suggestion. I generally have had better luck with Spiceworks, but I'm not going to argue either way. Use whatever you want, but if he came here I figured he was more comfortable using forums or the like. Perhaps the tech you get at Microsoft hasn't done it, whereas at Spiceworks several people generally read the topic...but yeah. Whatever gets him there I guess, but since you had already said to check Microsoft, I didn't think it had to be repeated.
Old 23rd February 2021, 01:29 PM   #9
Yalius
Muse
Join Date: Dec 2005
Posts: 594
I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.
Old 23rd February 2021, 02:36 PM   #10
plague311
Great minds think...
Join Date: Dec 2011
Location: North Dakota
Posts: 8,788
Originally Posted by Yalius:
I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.
I'm going to speak hesitantly here. While this is right, if the remote DC can't "speak" over the VPN connection with the base DC then I'm not sure this would be more of a resolution. I am hoping I'm wrong.
Old 23rd February 2021, 04:23 PM   #11
twinstead
Penultimate Amazing
Join Date: Apr 2005
Posts: 12,374
Thank you all for your input!
Old 23rd February 2021, 05:07 PM   #12
theprestige
Penultimate Amazing
Join Date: Aug 2007
Location: Hong Kong
Posts: 50,616
Originally Posted by plague311:
I'm going to speak hesitantly here. While this is right, if the remote DC can't "speak" over the VPN connection with the base DC then I'm not sure this would be more of a resolution. I am hoping I'm wrong.
I'm betting Federation includes functions like authority caching and authority failover.

I manage a federated service developed by a third party. In my case, it stores software packages for dependency resolution during builds. Developers build a package and upload it to my service, where it can be retrieved by other developers. To serve a global organization, I have instances of this service in multiple regions.

For consistency, it's important that everyone be using the same versions of these packages. So we cross-replicate between regions. A dev uploads in one place, any other dev can download a copy of the same package from any other place in the mesh.

So what happens if the master instance dies? Turns out the app has provisions for that. Every instance has settings for its replicas. Whether to cache, how often to check for new versions, how long to maintain the cache if the source goes offline.

I would be very very surprised if Microsoft hasn't provided similar functionality for AD. It's a mature product, and distributed fault-tolerant infrastructure is pretty standard stuff these days.
Old 23rd February 2021, 07:06 PM   #13
Blue Mountain
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 6,520
Originally Posted by Yalius:
I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.
Sort of sounds like what I was suggesting.
Old 23rd February 2021, 07:17 PM   #14
theprestige
Penultimate Amazing
Join Date: Aug 2007
Location: Hong Kong
Posts: 50,616
Sort of sounds like what Microsoft product support would tell a paid up license holder, and help them figure out how to implement, if they ever reached out for product support.