Kerberos Authentication

Guest · Dec 16, 2005

I am working in a WAN environment. We have a root domain and dozens of child
domains with transitive trusts in place. As of late, when the WAN link to
any of the child domains goes down, the child domain users do not get
authenticated for local devices. For example, a user in the child domain
attempts to print and it times out saying the user has no authentication. My
understanding of our configuration suggests we have DC's at each office which
would replicate with the parent domain. So, if a WAN link goes down, the
local domain should work indipendently, but this does not happen. Has anyone
seen this type of issue?

Thank You for your thoughts.

Dmitry Korolyov [MVP] · Dec 16, 2005

Basically it depends on the way your printers are set up. If they are all
installed on a single print server that is a member of the parent domain,
then printing will fail because no DC will be available to authenticate
those users trying to print.

Herb Martin · Dec 16, 2005

Sal said:
I am working in a WAN environment. We have a root domain and dozens of
child
domains with transitive trusts in place. As of late, when the WAN link to
any of the child domains goes down, the child domain users do not get
authenticated for local devices. For example, a user in the child domain
attempts to print and it times out saying the user has no authentication.
My
understanding of our configuration suggests we have DC's at each office
which
would replicate with the parent domain. So, if a WAN link goes down, the
local domain should work indipendently, but this does not happen. Has
anyone
seen this type of issue?

Sure, you understand it and that is exactly as expected.

Access to domain resources requires domain authentication.

If (all of) the DC(s) for a User are inaccessible that user cannot
authenticate and access to domain resources (and any trusting
domain resources) is lost.

If you have users in a remote location whose access to resources
is critical to your business you have a practical requirement for
a DC (or more) located locally to those users.

KEY POINT:

Access to domain resources requires domain authentication.

Guest · Dec 16, 2005

I appreciate the response, all local printers are set on a Print Server which
resides and is a member of the local domain.

Dmitry Korolyov said:
Basically it depends on the way your printers are set up. If they are all
installed on a single print server that is a member of the parent domain,
then printing will fail because no DC will be available to authenticate
those users trying to print.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Directory Services

Sal said:

I am working in a WAN environment. We have a root domain and dozens of
child
domains with transitive trusts in place. As of late, when the WAN link to
any of the child domains goes down, the child domain users do not get
authenticated for local devices. For example, a user in the child domain
attempts to print and it times out saying the user has no authentication.
My
understanding of our configuration suggests we have DC's at each office
which
would replicate with the parent domain. So, if a WAN link goes down, the
local domain should work indipendently, but this does not happen. Has
anyone
seen this type of issue?

Thank You for your thoughts.

Click to expand...

Dmitry Korolyov [MVP] · Dec 16, 2005

Ah, so you don't have DCs for the child domain in the site when your users
reside. Then it is correct behavior. You need a DC to authenticate.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Directory Services

Sal said:
I appreciate the response, all local printers are set on a Print Server
which
resides and is a member of the local domain.

Dmitry Korolyov said:

Basically it depends on the way your printers are set up. If they are all
installed on a single print server that is a member of the parent domain,
then printing will fail because no DC will be available to authenticate
those users trying to print.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Directory Services

Sal said:

I am working in a WAN environment. We have a root domain and dozens of
child
domains with transitive trusts in place. As of late, when the WAN link
to
any of the child domains goes down, the child domain users do not get
authenticated for local devices. For example, a user in the child
domain
attempts to print and it times out saying the user has no
authentication.
My
understanding of our configuration suggests we have DC's at each office
which
would replicate with the parent domain. So, if a WAN link goes down,
the
local domain should work indipendently, but this does not happen. Has
anyone
seen this type of issue?

Thank You for your thoughts.

Click to expand...

Click to expand...

Jorge de Almeida Pinto · Dec 16, 2005

Are the DCs in the child domains also GC? (or do you have at least one GC in
them?)

Ace Fekay [MVP] · Dec 18, 2005

In

Sal said:
I am working in a WAN environment. We have a root domain and dozens
of child domains with transitive trusts in place. As of late, when
the WAN link to any of the child domains goes down, the child domain
users do not get authenticated for local devices. For example, a
user in the child domain attempts to print and it times out saying
the user has no authentication. My understanding of our
configuration suggests we have DC's at each office which would
replicate with the parent domain. So, if a WAN link goes down, the
local domain should work indipendently, but this does not happen.
Has anyone seen this type of issue?

Thank You for your thoughts.

Sal, I didn't see anywhere in your network description if you've created
Active Directory Sites for each location. Did you create Sites and the
appropriate subnet objects associated with those Sites? Sites will control
authentication, especially if you have designated a GC for each Site.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, I would suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx , you can easily find your post and watch &
track threads, sort by date, poster's name, watched threads or subject.

Not sure how? It's easy and you'll enjoy it
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================

Guest · Dec 19, 2005

Thank you all for the information, you have provided some different items to
validate.

Ace Fekay [MVP] · Dec 20, 2005

In

Sal said:
Thank you all for the information, you have provided some different
items to validate.

I hope we were helpful in coming up with a resolution.

As for Sites and authentication, I would like to post the following links
for your review.

Managing Sites:
http://www.microsoft.com/technet/pr...irectory/maintain/opsguide/part1/adogd06.mspx

247811 - How Domain Controllers Are Located in Windows:
http://support.microsoft.com/?id=247811

314861 - How Domain Controllers Are Located in Windows XP:
http://support.microsoft.com/?id=314861

Ace

Kerberos Authentication

Guest

Dmitry Korolyov [MVP]

Herb Martin

Guest

Dmitry Korolyov [MVP]

Jorge de Almeida Pinto

Ace Fekay [MVP]

Guest

Ace Fekay [MVP]