Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

TZ215 VPN won't connect using backup domain controller/DHCP/DNS server.

TZ215 VPN won't connect using backup domain controller/DHCP/DNS server.

I set up a second Domain controller with a fail over DHCP server and DNS server. All works fine in the office. I removed the primary server from the network and people can get IP addresses and surf the web, authenticate to the domain, send/receive email, etc.

The TZ 215 is set up to use AD credentials to connect to the VPN. This has always worked fine using the primary DC. In the user settings it is setup for "LDAP + Local Users". This only provides for adding one LDAP server.

How do I set this up so that if the Primary DC is down it will still authenticate to the Secondary DC? Again, if I change the password for a user on DC1, Wait a few min, disconnect DC1 from the LAN, then login to a system using the new password I created on DC1, the system logs in just fine. This tells me the credentials replicated to DC2 and the client authenticated to it. But the Sonicwall does not seem to be able to find DC2 and there seems to be no where to manually enter it.

Thank you.

Category: Entry Level Firewalls
Reply

Answers

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @jtpryan

    Did you added the secondary DC in Sonicwall LDAP Servers? If it's not add the secondary DC and do the test.

  • ThKThK Cybersecurity Overlord ✭✭✭

    @jtpryan please check the DNS used in the Firewall as you mentioned you changed the Server on the LAN

  • MitatOngeMitatOnge All-Knowing Sage ✭✭✭✭

    If you have not properly decommissioned DC1, user requests dc1 global catalog and PDC.

    you should check FSMO roles migrated from DC1 to DC2 and sonicwall ldap settings must be the DC2 properties.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    A secondary LDAP refers to a separate domain where authentication will also be done and in most cases will work in together with Authentication Partitioning. To set up a second LDAP server that is for the same domain, you will have to assign it as a Backup / Replica Server.

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @jtpryan

    Gen 5 units can add only 1 LDAP server yes you are right. If you have Gen 6 or Gen 7 units, you can add multiple LDAP servers.

    Screen shot from Gen 6 unit:


  • prestonpreston Enthusiast ✭✭
    edited June 2022

    Hi @ jtpryan , set up a dns A record for the base domain so that the servers when going to domain.local (example replace with your internal domain) it resolves to both servers

    then instead of using IP in the LDAP settings use the domain.local name instead, you will need to make sure your SonicWall, DNS is pointing to both DNS servers also,

    To do this add two A records (one for each server) but leave the name blank and put in the IP address of the servers it should then show them as (same as parent folder) but if you do an NSlookup for just your Domain name it will show both server IPs



    see my guide below for multiple domains(without the need for partitioning) but the DNS stuff is in there too.

    Ignore the fact the document is for 6.5 and above that is just for the multiple domains bit, as you are using the same domain but for primary and secondary servers the only way to do this is via the name rather than IP so just use the guide for the DNS stuff



Sign In or Register to comment.