Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Need help with authentication problem for VPN users

Posted on 2008-06-26
2
Medium Priority
?
268 Views
Last Modified: 2010-05-18
OK, I'll try to be as descriptive as possible here.  I have users that are VPN home users that cannot authenticate to Active Directory.  We are using these Proventia VPN appliances at the users locations.

Our AD topology here is hub and spoke.  With our home office being the hub, and all the remote offices (not the home VPN users) being spokes with DCs at all the spoke locations, as well as DCs at the main office.

Due to security restrictions, these VPN users are only allowed to communicate with the Hub home office location, and all communication to spokes is restricted.

Make sense?

So, here's my understanding of AD authentication.  First a PC looks for a DC on its local subnet (There are none on the VPN users subnets) If it fails to find a local DC, it does an LDAP query to DNS to locate a DC.  Once a non preffered DC responds, it tells the PC its AD site information, and then caches in what preffered DC it should be using.

So the PC successfully queries DNS for a list of DCs, but since communcation to spoke DCs is shut off, these DCs do not respond, and the PC sits forever at a login screen and never receives its site information.

Placing a DC on the local subnet for the VPN users is not possible, since each PC is on its own subnet.

My question is, is there a way to force a PC to only look at specific DCs during initial authentication before it is able to grab its site information from AD?
0
Comment
Question by:achernob
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 21876082
Can you supernet the hub site to include the IP address range that you are providing to your VPN clients?  That's how I usually do it.  HUBSITE contains the IP ranges that physically correspond to that location, as well as the to Class C that I've allocated for incoming VPN connections. That way the VPN clients are -in- the HUBSITE, from AD's perspective.

If this isn't an option, then you're not going to have much luck - there isn't any good way to force an AD client to use a specific DC for auth.  AD expects all DCs to be similarly "available", so if you start muckling around with DENY ACLs on routers and VPN connections, you're going to run into exactly the type of situation that you're describing.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question