AD Question

[twinstead]

Folks, I have a question. I'm having bad luck googling it because of the difficulty in explaining it in just a few words.

We have 2 trusted domains with 2 DCs in each and connected by a point-to-point VPN. We have an Exchange Server in my domain, and have linked mail users use my Exchange Server, but need to authenticate to their local domain in theirs.

Sometimes, when the point-to-point VPN is down, they are unable to log into their email because the exchange server in my domain can't authenticate them on their domain--it of course can't find their domain controllers. That includes OWA from their homes, which is a big hassle during longer outages.

one solution I was thinking about was adding a domain controller for their domain in my domain, so that when they have internet access at least but the point-to-point is down, my exchange server can authenticate them from their DC on my domain.

1. Does my situation make any sense?
2. Is it possible? (I know how to add DCs to an existing domain, just never like this)
3. If possible, is it stupid?

[theprestige]

My gut tells me this setup or something like it is probably illustrated somewhere in a Microsoft AD manual. Probably under a heading like "distributed authentication" or "HA domain controllers" or some such. But that's about.

[Blue Mountain]

Please keep in mind that when it comes to Active Directory, I'm like a Catholic priest giving marriage advice. I'm relying on some 40 years of experience in IT but have no experience with AD.

Having said that, is it possible to configure your DC to delegate some authentication to the other other DC, and temporarily cache the result? That is,

• If user is not on your DC, ask the other DC if it can authenticate the user
• If the other DC is available, use and cache its result
• If the other DC is not available, check the cache
• If user is in the cache, authentication succeeds
• If user is not in the cache, authentication fails

I'm assuming the cache is not permanent, but expires after a few hours.

[plague311]

Originally Posted by Blue Mountain

Please keep in mind that when it comes to Active Directory, I'm like a Catholic priest giving marriage advice. I'm relying on some 40 years of experience in IT but have no experience with AD.

Having said that, is it possible to configure your DC to delegate some authentication to the other other DC, and temporarily cache the result? That is,

• If user is not on your DC, ask the other DC if it can authenticate the user
• If the other DC is available, use and cache its result
• If the other DC is not available, check the cache
• If user is in the cache, authentication succeeds
• If user is not in the cache, authentication fails

I'm assuming the cache is not permanent, but expires after a few hours.

The credentials are only cached for login, and they don't expire. If I login to my domain at work and take my lappy somewhere else, I can always login using the last credentials I used to login with. Even if I change my password on my work domain the old PW will work until I connect to the network again.

I think the issue here is the email clients aren't able to connect back to the exchange server to update the emails. If OWA isn't working either does that means the exchange server isn't syncing with OWA? I'm a little confused on that.

By point-to-point VPN are the routers managing the VPN or is it a client you're using?

ETA: Does each location have its own domain name?

[twinstead]

Originally Posted by plague311

The credentials are only cached for login, and they don't expire. If I login to my domain at work and take my lappy somewhere else, I can always login using the last credentials I used to login with. Even if I change my password on my work domain the old PW will work until I connect to the network again.

I think the issue here is the email clients aren't able to connect back to the exchange server to update the emails. If OWA isn't working either does that means the exchange server isn't syncing with OWA? I'm a little confused on that.

That is correct. It doesn't use cached credentials; when the client requests to log in their log in must be authenticated with their own AD. If the point-to-point is down, nobody gets that authentication

Quote:

By point-to-point VPN are the routers managing the VPN or is it a client you're using?

Yes it is a permanent VPN with the firewalls managing them

Quote:

ETA: Does each location have its own domain name?

Yes, each domain is a separate domain with its own name and its own DCs. They are trusted.

[plague311]

Originally Posted by twinstead

That is correct. It doesn't use cached credentials; when the client requests to log in their log in must be authenticated with their own AD. If the point-to-point is down, nobody gets that authentication

Yes it is a permanent VPN with the firewalls managing them

Yes, each domain is a separate domain with its own name and its own DCs. They are trusted.

Man, I got nothing. It seems pretty intricate and I mostly work on simple networks. A few DC's, maybe an app server, and a router on a stick type of configuration.

Have you tried a place like Spiceworks? They get really granular with where you post your questions, and some of those people are just insane with their knowledge. They've helped me out of a few database jams because I suck with SQL

[theprestige]

If we're recommending places like Spiceworks, shouldn't we recommend Microsoft support? It's been a while since I've done any serious work with their products, but my experience was that they provided the same quality of vendor support that I've come to expect from any enterprise product: Hit their support site, provide your license and problem statement, and they get back to you with a followup usually the same day.

If it can be done, Microsoft Support should be able to tell you exactly how to do it (and it's probably documented somewhere in here).

And if it can't be done, Spiceworks won't be able to help you anyway.

[plague311]

Originally Posted by theprestige

If we're recommending places like Spiceworks, shouldn't we recommend Microsoft support? It's been a while since I've done any serious work with their products, but my experience was that they provided the same quality of vendor support that I've come to expect from any enterprise product: Hit their support site, provide your license and problem statement, and they get back to you with a followup usually the same day.

If it can be done, Microsoft Support should be able to tell you exactly how to do it (and it's probably documented somewhere in here).

And if it can't be done, Spiceworks won't be able to help you anyway.

To each their own, it was just a suggestion. I generally have had better luck with Spiceworks, but I'm not going to argue either way. Use whatever you want, but if he came here I figured he was more comfortable using forums or the like. Perhaps the tech you get at Microsoft hasn't done it, whereas at Spiceworks several people generally read the topic...but yeah. Whatever gets him there I guess, but since you had already said to check Microsoft, I didn't think it had to be repeated.

[Yalius]

I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.

[plague311]

Originally Posted by Yalius

I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.

I'm going to speak hesitantly here. While this is right, if the remote DC can't "speak" over the VPN connection with the base DC then I'm not sure this would be more of a resolution. I am hoping I'm wrong.

[twinstead]

Thank you all for your input!

[theprestige]

Originally Posted by plague311

I'm going to speak hesitantly here. While this is right, if the remote DC can't "speak" over the VPN connection with the base DC then I'm not sure this would be more of a resolution. I am hoping I'm wrong.

I'm betting Federation includes functions like authority caching and authority failover.

I manage a federated service developed by a third party. In my case, it stores software packages for dependency resolution during builds. Developers build a package and upload it to my service, where it can be retrieved by other developers. To serve a global organization, I have instances of this service in multiple regions.

For consistency, it's important that everyone be using the same versions of these packages. So we cross-replicate between regions. A dev uploads in one place, any other dev can download a copy of the same package from any other place in the mesh.

So what happens if the master instance dies? Turns out the app has provisions for that. Every instance has settings for its replicas. Whether to cache, how often to check for new versions, how long to maintain the cache if the source goes offline.

I would be very very surprised if Microsoft hasn't provided similar functionality for AD. It's a mature product, and distributed fault-tolerant infrastructure is pretty standard stuff these days.

[Blue Mountain]

Originally Posted by Yalius

I raised the question with one of our admins here, and he said the best way to do it was using Active Directory Federation Services. He didn't have the time to go in depth on that, but said that a situation like this is what federation services was designed to do. Good luck.

Sort of sounds like what I was suggesting.

[theprestige]

Sort of sounds like what Microsoft product support would tell a paid up license holder, and help them figure out how to implement, if they ever reached out for product support.