TZ215 VPN won't connect using backup domain controller/DHCP/DNS server.
I set up a second domain controller with a failover DHCP server and DNS server. All works fine in the office. I removed the primary server from the network and people can get IP addresses and surf the web, authenticate to the domain, send/receive email, etc.
The TZ215 is set up to use AD credentials to connect to the VPN. This has always worked fine using the primary DC. In the user settings it is set up for "LDAP + Local Users". This only provides for adding one LDAP server.
How do I set this up so that if the primary DC is down it will still authenticate to the secondary DC? Again, if I change the password for a user on DC1, wait a few minutes, disconnect DC1 from the LAN, then log in to a system using the new password I created on DC1, the system logs in just fine. This tells me the credentials replicated to DC2 and the client authenticated to it. But the SonicWall does not seem to be able to find DC2 and there seems to be nowhere to manually enter it.
Thank you.
Answers
@jtpryan
Did you add the secondary DC in the SonicWall LDAP servers? If not, add the secondary DC and do the test.
@jtpryan please check the DNS used in the firewall, as you mentioned you changed the server on the LAN.
If you have not properly decommissioned DC1, user requests go to the DC1 global catalog and PDC.
You should check that the FSMO roles migrated from DC1 to DC2, and the SonicWall LDAP settings must use the DC2 properties.
A secondary LDAP refers to a separate domain where authentication will also be done, and in most cases will work together with Authentication Partitioning. To set up a second LDAP server that is for the same domain, you will have to assign it as a Backup / Replica Server.
@AJISHLAL I only see the ability to add one:
@jtpryan
Gen 5 units can add only 1 LDAP server, yes you are right. If you have Gen 6 or Gen 7 units, you can add multiple LDAP servers.
Screenshot from a Gen 6 unit:
Hi @jtpryan, set up a DNS A record for the base domain so that when the servers go to domain.local (example, replace with your internal domain) it resolves to both servers.
Then, instead of using an IP in the LDAP settings, use the domain.local name instead. You will need to make sure your SonicWall DNS is pointing to both DNS servers also.
To do this, add two A records (one for each server) but leave the name blank and put in the IP address of the servers. It should then show them as "(same as parent folder)", but if you do an nslookup for just your domain name it will show both server IPs.
See my guide below for multiple domains (without the need for partitioning); the DNS stuff is in there too.
Ignore the fact that the document is for 6.5 and above; that is just for the multiple domains bit. As you are using the same domain for primary and secondary servers, the only way to do this is via the name rather than the IP, so just use the guide for the DNS stuff.
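The blank-name A record approach described above, as an added PowerShell example that is not from this thread or from SonicWall: it registers one zone-apex record per DC, then checks that each DNS server returns both addresses and that the LDAP port answers on each DC. The zone name `domain.local`, the addresses `10.0.0.10`/`10.0.0.11` and the port are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed values: zone "domain.local",
# DC1 = 10.0.0.10, DC2 = 10.0.0.11. Run in an elevated session on a DC
# with the DnsServer module installed.

$Zone        = 'domain.local'
$DcAddresses = @('10.0.0.10', '10.0.0.11')   # assumption: replace with your DC IPs
$LdapPort    = 389                           # 636 if the firewall binds over LDAPS

Import-Module DnsServer

# 1. Add one blank-name A record per DC. '@' is the zone apex, which the DNS
#    console shows as "(same as parent folder)". Existing apex records are
#    left alone so the script is safe to re-run.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

foreach ($ip in $DcAddresses) {
    if ($existing -contains $ip) {
        Write-Host "Apex A record for $ip already present"
    } else {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $ip -TimeToLive '00:05:00'
        Write-Host "Added apex A record $Zone -> $ip"
    }
}

# 2. Ask each DNS server for the bare domain name. Once the zone has
#    replicated, both servers should answer with both DC addresses; a
#    missing entry here is exactly what leaves the firewall with one DC.
foreach ($server in $DcAddresses) {
    $answers = Resolve-DnsName -Name $Zone -Type A -Server $server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $missing = $DcAddresses | Where-Object { $answers -notcontains $_ }
    if ($missing) {
        Write-Warning "DNS server $server returned [$($answers -join ', ')]; missing: $($missing -join ', ')"
    } else {
        Write-Host "DNS server $server returns both DCs: $($answers -join ', ')"
    }
}

# 3. Confirm the LDAP port is open on every DC, so whichever address the
#    firewall picks from the round-robin answer will actually accept a bind.
foreach ($ip in $DcAddresses) {
    $ok = (Test-NetConnection -ComputerName $ip -Port $LdapPort -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("LDAP {0}:{1} reachable: {2}" -f $ip, $LdapPort, $ok)
}
```

If the firewall uses LDAP over TLS, the certificate on each DC must be valid for `domain.local`, since that is now the name the firewall connects to rather than the individual host name or IP.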