Re: Domain authentication problem



FWIW... I was thinking that I had read somewhere that it's better to put your
DNS server[s] in the DMZ ("perimeter" in the case of ISA). So I did it, and
then directed all clients to use the DNS/webserver in the perimeter network.
I also made that change on the domain controller.

Oh well. I'm sure I'm going to have about six million other questions to
ask in this newsgroup in the coming months. I'll definitely do my best to
try to solve my own problems, but answers come so quickly in these newsgroups
that it's hard to force yourself to learn on your own.

I most greatly appreciate all of the assistance I receive here, and do my
best to help others when I can. Mostly over in the Exchange groups.
Hopefully I can help at least one person as much as y'all help me. Thanks
again.


"Phillip Windell" wrote:

>
> "Brian Edwards" <BrianEdwards@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:06E56C4E-E70C-4C48-9E60-03166A55CD52@xxxxxxxxxxxxxxxx
> > First, let me say that I am an untrained professional working in an
> > environment that allows me great range to learn on the fly. Which is what I
> > am doing with ISA 2004.
> ..
> > I have created a policy that allows all Kerberos, LDAP and DNS traffic from
> > "Internal" to "Internal".
>
> You don't need that. Get rid of it.
>
> > The clients that need to authenticate with Active Directory are all on the
> > Internal network, as is our domain controller. I had thought that traffic
> > from internal clients to other internal clients/servers would not be
> > filtered by ISA but it appears I was incorrect.
>
> You were correct the first time. ISA does not filter them... unless it is
> misconfigured.
>
> > Whenever ISA is "turned on" (firewall service enabled) our client
> > computers cannot authenticate new users with Active Directory. Any accounts
> > that already existed in the client machine are not affected, the user can
> > still log on. With ISA enabled, new users get an error message saying that
> > the domain cannot be contacted. With ISA disabled, they can log in just fine.
>
> The "Networks" configuration on ISA is incorrect... at least that is the
> most likely suspect.
>
> The Internal Network should contain the entire IP# Range used on the LAN.
> It should also contain the FQDN of the Active Directory Domain Name.
> (example: *.domain.loc).
>
> The next most likely suspect is DNS. *All* machines (and I mean *ALL*
> machines) must use *only* the Active Directory DNS in their network
> settings. The AD/DNS machine itself should point to itself, or can use
> 127.0.0.1, which is always valid in case something conflicted with the real
> IP#. Inside the configuration of the DNS Server you will find a Forwarders
> List... this is where you place the ISP's DNS, and this is the only place it
> should appear.
>
> On the ISA you must create an Anonymous Rule (uses "All Users") that allows
> the IP# of the AD/DNS machine to access the IP# of the ISP's DNS using the
> "DNS Protocol"... or you can just let it use DNS to "External" if you don't
> want to use the ISP's DNS IP# specifically.
>
> It is still a good idea to run WINS as well but that has nothing to do with
> ISA.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
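The DNS layout Phillip Windell lays out above (every machine pointed only at the AD DNS, the ISP's resolver only in the forwarders list, and the domain controller locator records resolvable through the AD DNS) can be checked from a domain member with the PowerShell below. This is an added example, not code from the thread or from Microsoft; the domain name domain.loc, the AD/DNS address 192.168.1.10 and the ISP resolver 203.0.113.53 are placeholder assumptions. It uses the DnsClient module (Windows 8 / Server 2012 and later) and, when run on the DC itself, the DnsServer module for the forwarder check. It does not inspect the ISA "Networks" definition; the Internal address range and the AD domain name entry still have to be verified in the ISA console.

```powershell
# Added example, not from the original thread. Placeholder values below are assumptions.
param(
    [string]   $AdDomain     = "domain.loc",        # assumed AD DNS domain name
    [string[]] $AdDnsServers = @("192.168.1.10"),   # assumed AD/DNS server address(es)
    [string[]] $IspDns       = @("203.0.113.53")    # assumed ISP resolver (RFC 5737 test address)
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Every adapter with DNS configured must use only the AD DNS server(s).
#    127.0.0.1 is tolerated because the post allows the DC to point at itself that way.
$allowed = @($AdDnsServers) + "127.0.0.1"
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($cfg.ServerAddresses.Count -eq 0) { continue }
    $stray = @($cfg.ServerAddresses | Where-Object { $allowed -notcontains $_ })
    if ($stray.Count -gt 0) {
        $problems.Add("Adapter '$($cfg.InterfaceAlias)' uses non-AD DNS: $($stray -join ', ')")
    }
}

# 2. Ask each AD DNS server for the DC locator SRV record. Without it a client cannot
#    find a domain controller, so new users see "the domain cannot be contacted"
#    whether or not a firewall is in the path.
$locator = "_ldap._tcp.dc._msdcs.$AdDomain"
foreach ($srv in $AdDnsServers) {
    try {
        $records = @(Resolve-DnsName -Name $locator -Type SRV -Server $srv -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        if ($records.Count -eq 0) {
            $problems.Add("$srv returned no SRV records for $locator")
        } else {
            $dcs = ($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            Write-Host "DCs advertised by ${srv}: $dcs"
        }
    } catch {
        $problems.Add("SRV lookup for $locator via $srv failed: $($_.Exception.Message)")
    }
}

# 3. Only meaningful on the AD/DNS server itself: the ISP resolver belongs in the
#    forwarders list, and check 1 above already flags it if it shows up on an adapter.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    $forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { "$_" })
    foreach ($isp in $IspDns) {
        if ($forwarders -notcontains $isp) {
            $problems.Add("ISP resolver $isp is not in the DNS server forwarders list")
        }
    }
    Write-Host "Forwarders: $($forwarders -join ', ')"
} else {
    Write-Host "DnsServer module not present; skipping forwarder check (run this on the DC)."
}

if ($problems.Count -eq 0) {
    Write-Host "DNS layout matches the recommended configuration."
} else {
    Write-Warning "Found $($problems.Count) problem(s):"
    $problems | ForEach-Object { Write-Warning "  $_" }
}
```

Run it once on a workstation and once on the domain controller. On the workstation, any adapter still pointing at the perimeter DNS or the ISP shows up under check 1; on the DC, check 3 confirms the ISP resolver lives only in the forwarders list. If check 2 fails while the ISA firewall service is stopped, the problem is DNS, not the firewall policy.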


