User Authentication Problems

OK, this is a bit long to set up the scenario, so here goes.

"The Customer" has a multi-site network spanning the country, all connected via T-1s. Here is the way traffic routes from outside IN:

Cisco 1720 Router (basic point-to-point T1), Cisco PIX Firewall v6.3 with multiple access-lists and statics, Cisco 2600 Router where all the T1s come in. This unit is the primary (default) gateway for all clients on the network. From there it spans into (ready for this?) a 10 Mb HUB, not a switch, a HUB, that connects everyone at the main site together.

OK now for traffic going INSIDE to OUT...

Start at the client, go to a Cisco 2600 (routed either internally or to the PIX), hit the PIX, and then the PIX authenticates the client back to a Websense server to allow or not allow access (on ports 80, 21, and 8080).

Now the FUN part... Both servers are DCs within the Active Directory "company-name". Previously they only had 1 server, and before it cratered its AD domain name was "companyname", without the hyphen. They have rolled out well over 70 PCs nationwide that authenticate to "company-name" and the existing 60-100 with "companyname". The ones with the "companyname" AD domain name are mixed 98/XP machines. The ones with "company-name" are mainly XP.

The problem is that users that try to access the internet with the filtering turned on are prompted with a username and password when they are not in the "company-name" domain. So the first part of the question is this: HOW CAN I MERGE THE 2 AD DOMAINS TOGETHER WITHOUT TOUCHING EACH AND EVERY "companyname" PC?

Now on to the second part, and I am sure I know the answer to this. BUT since this whole network is a ROUTED network and doesn't use any other protocols, I am sure the latency to the servers and to the internet is coming from lost packets from the 10 Mb HUBs... The question on the second part is this: provided that the 10 Mb HUBs aren't the problem, is there better performance and response when using the UDP transport for authentication from the PIX to Websense rather than TCP?

And lastly, does anyone know of a logon script that I can use to change a machine's domain status and/or workgroup membership? I know the 3rd question kinda contradicts the first, but I have to get to the point where they can authenticate before I can use login scripts.

I know this is a bit to decode, so I am starting this one out with 500 points (hope I can go higher)..

Thanks Experts!!!!!!!

pperry76Author Commented:
ahhhhhhh hell, only 1 part of this pertains to firewall... sorry guys.. should I repost into the Windows 2000 category? Or do you think I will get answers here?
AFAIK only by using M$'s trusted relationship

> .. is there better performance  ..
As you describe your network, I assume that you have everything set up as M$ default, means: never touched anything except told to do so, P&P == plug&pay.
In other words, I assume that your network's main purpose is to route and deliver a huge amount of useless broadcast packets.
If that's true, you get a much better performance when you simply configure your clients, in particular:
  1. stop any browser broadcast like "I want to be the master browser"
  2. use NetBIOS over TCP instead of SMB
pperry76Author Commented:
So you're saying I have to touch each machine to stop the master browser broadcast traffic... The problem with the trusted relationships is that there is no server in companyname, only company-name ..... Would utilizing the NetBIOS settings in DHCP help any?

Maybe that would at least get me able to run login scripts, which takes me to the changing of the computer's domain via login script part.

> .. i have to touch each machine to stop the master browser broadcast traffic
Yes. Or if you have logon scripts you can do it there.

> would utilizing the netbios settings in DHCP help any?
i.g. yes, but I know of some W2K, NT, XP which do not accept settings there properly. You have to check yourself.
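The two client-side knobs discussed in this thread (stopping the Computer Browser election broadcasts, and letting DHCP decide whether NetBIOS over TCP/IP is on) both live in the registry, and the reply above warns that some clients do not honour the DHCP setting, so you have to check each one. The script below is an added example, not code from this thread or from any of the posters: it audits those settings on a Windows client and, with `-Apply`, sets them. It assumes it is run elevated on the client, that the standard `Browser\Parameters` and `NetBT\Parameters\Interfaces` keys are present, and that on the DHCP server side you separately set the Microsoft vendor-class option 001 ("Microsoft Disable Netbios Option") to 0x2 for the scope.

```powershell
# Added example (not from the thread). Audit / harden the two sources of NetBIOS
# broadcast chatter discussed above on a Windows client. Run elevated.
#   .\Check-NetbiosChatter.ps1          -> report only
#   .\Check-NetbiosChatter.ps1 -Apply   -> report, then apply the quiet settings
param([switch]$Apply)

# Assumption: standard registry locations for the Computer Browser service and NetBT.
$browserKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
$netbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-BrowserSettings {
    # MaintainServerList = Yes/No/Auto; IsDomainMaster = True/False.
    # Anything other than No / False means this box may join browser elections.
    $p = Get-ItemProperty -Path $browserKey -ErrorAction SilentlyContinue
    $msl = if ($p -and $p.MaintainServerList) { $p.MaintainServerList } else { 'Auto (default)' }
    $idm = if ($p -and $p.IsDomainMaster)     { $p.IsDomainMaster }     else { 'False (default)' }
    [pscustomobject]@{ MaintainServerList = $msl; IsDomainMaster = $idm }
}

function Get-NetbtSettings {
    # NetbiosOptions per interface: 0 = follow DHCP, 1 = always on, 2 = always off.
    # A client stuck on 1 will ignore the DHCP "disable NetBIOS" option entirely,
    # which is the "does not accept settings there properly" case from the thread.
    Get-ChildItem -Path $netbtIfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).NetbiosOptions
        $meaning = switch ($opt) {
            0       { 'use DHCP setting' }
            1       { 'enabled (ignores DHCP)' }
            2       { 'disabled' }
            default { 'not set (behaves as 0)' }
        }
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt; Meaning = $meaning }
    }
}

function Set-QuietClient {
    # Stop this client from ever becoming a master/backup browser...
    Set-ItemProperty -Path $browserKey -Name MaintainServerList -Value 'No'
    Set-ItemProperty -Path $browserKey -Name IsDomainMaster     -Value 'False'
    # ...and hand the NetBIOS-over-TCP/IP decision to DHCP (0) so one DHCP option
    # controls every client. Use 2 here instead if you want it off regardless of DHCP.
    Get-ChildItem -Path $netbtIfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 0 -Type DWord
    }
}

Write-Host '== Computer Browser =='
Get-BrowserSettings | Format-List
Write-Host '== NetBT per interface =='
Get-NetbtSettings | Format-Table -AutoSize

if ($Apply) {
    Set-QuietClient
    Write-Host 'Applied. Restart the Computer Browser service (or reboot) for the change to take effect.'
    Get-BrowserSettings | Format-List
    Get-NetbtSettings | Format-Table -AutoSize
}
```

Running the report-only form on a sample of machines is the "check yourself" step: any interface reporting `NetbiosOptions = 1` will keep NetBIOS on no matter what the DHCP scope says, and any client showing `MaintainServerList = Auto` or `Yes` is still a candidate for browser elections. Since the thread's clients are XP and 98, note that this script only covers the NT-family machines; Windows 98 has no PowerShell and its equivalent settings live elsewhere.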
pperry76Author Commented:
My team and I were able to come up with a solution.

Set up a temp NT 4.0 server to handle all the clients on the "companyname" domain. We chose NT4 rather than 2003 or 2000 in case the Windows NT4 and 9x clients didn't have the Active Directory connector installed. We will then change each machine via login script or some other means to point to the new "company-name" domain.

> is there better performance and response when using the UDP transport for authentication from the PIX to WEBSENSE rather than the TCP?
The UDP transport for authentication is better in a large environment, but TCP works FINE for less than 200 users.
Websense has the ability to PREPEND the domain name of the users as long as they are listed in the Active Directory. So for the clients that are not logging into the "company-name" domain, they receive a UN&PW box when they attempt to surf a filtered protocol outside the local WAN or LAN.

> logon script that i can use to change a machines domain status and or workgroup membership?
We haven't gotten to this part yet. We have a temp fix in place now to facilitate what we need. So if anyone knows of a way to do this, please leave a post here.

Thanks to all for your help
PAQed with points refunded (500)

Community Support Moderator
