[RADIATOR] AuthByLSA group issue if DC controller is unavailable.

Robert Fisher robert at sitestar.net
Fri Apr 3 13:10:53 CDT 2015


Rereading the code, I see what you're talking about.   Although, after
looking at the Win32::NetAdmin module, I don't see any direct support for DC
failover, or even detecting when a DC is unavailable -- While I do see where
you could use the Win32::NetAdmin::GetServers to list the PDC and BDC --
I don't see how you would have it inform the code to retry against the
second server.   Sadly the MSDN pages for the GetDomainController method
do not seem to shed any light on this either.

The only thing I've found about reliably testing the availability of a DC
is to make a DNS SRV and LDAP query outside of the Win32 hierarchy.

What comes to mind, is you could try commenting out the second if block
and the references to $self->${controllers}{$domain} to force it to call the
GetAnyDomainControllers each time.

Two real issues with that approach... The first is that since I can't
find the documentation for the underlying C library, I don't know if that
search would include inactive DCs or not, and I don't have an AD environment
to test it on directly.

The second issue is that it obviously pushes the processing time per
request up; although hopefully not by much.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/3/2015 11:34 AM, Johnson, Neil M wrote:
> No, I do not have it set. We have multiple DCs for redundancy and scaling and I didn’t want to be tied to one particular DC.
>
> However the last two nights when our Server Team performed some DC hardware migrations, users could not authenticate to the Wireless Service while a particular DC was unavailable.
>
> The error in the log was “User Not Found”.
>
>
> -Neil
>
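
An added example, not part of the original messages and not Radiator's or Win32::NetAdmin's code: one way to pick a live DC from DNS SRV records with failover, as the reply suggests testing availability outside Win32. The function names, the example.test hosts and the stub probe are hypothetical; the records stand in for a lookup of _ldap._tcp.dc._msdcs.<domain>, and the default probe is only a TCP connect to the LDAP port, not a full LDAP query.

```perl
#!/usr/bin/perl
# Added example: choose a reachable DC from SRV records, failing over in order.
use strict;
use warnings;
use IO::Socket::INET;

# Order SRV records: lowest priority first; within a priority, higher
# weight first (a deterministic simplification of RFC 2782's weighted
# random selection).
sub order_srv {
    my @records = @_;
    return sort {
        $a->{priority} <=> $b->{priority} || $b->{weight} <=> $a->{weight}
    } @records;
}

# Default probe: TCP connect to the advertised port with a short timeout.
sub tcp_probe {
    my ($host, $port, $timeout) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port,
        Proto    => 'tcp', Timeout  => $timeout,
    ) or return 0;
    close $sock;
    return 1;
}

# Return the first DC whose probe succeeds, or nothing if none answer.
sub first_reachable_dc {
    my ($records, $probe, $timeout) = @_;
    $probe   ||= \&tcp_probe;
    $timeout ||= 2;
    for my $rr (order_srv(@$records)) {
        return $rr->{target} if $probe->($rr->{target}, $rr->{port}, $timeout);
    }
    return;
}

# Constructed sample records (what an SRV lookup might return).
my @sample = (
    { target => 'dc2.example.test', port => 389, priority => 0,  weight => 100 },
    { target => 'dc1.example.test', port => 389, priority => 0,  weight => 100 },
    { target => 'dc3.example.test', port => 389, priority => 10, weight => 100 },
);
# Stub probe simulating dc1 and dc2 being down for maintenance.
my %down = map { $_ => 1 } qw(dc1.example.test dc2.example.test);
my $dc = first_reachable_dc(\@sample, sub { !$down{$_[0]} });
print defined $dc ? "use $dc\n" : "no DC reachable\n";   # use dc3.example.test
```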


