Secure Domain Logon and Windows 2000 Active Directory

[roadrunner]

Secure Domain Logon and Windows 2000 Active Directory
A quick step-by-step contributed by Eli Tovbeyn:


Install SR with SDL enabled (don't change product.ini file - it won't work). Reboot.
configure SDL netlogon timeout on fw-mgmt. If you're using dail-up - at least 250 seconds. Refer to How do I configure the Secure Domain Logon Timeout?
create site on SR
enable SDL. Reboot.
you have to add your DC to lmhosts and hosts. (manually or via dnsinfo.C).The problem is that MS has two timeouts. First is resolving the name of the DC(or finding it), the second is waiting to contact the DC. SR SDL doesn't handle the first one. If Windows can't resolve the name of the DC (or find the DC), the logon will fail. In my case (WinNT domain) Wins wasn't enough. I believe that in case of Win2k domain in native mode the DNS won't be enough.
In a case of logon via dial-up, configure the dial-up with corporate DNS and WINS servers.
split DNS configuration. CP document is great, so use it. You need SR to contact internal DNS. This is especially true for AD.
The logon itself will take much more time then a regular logon without SR. I haven't found a way to minimize this time. If I minimize the SDL netlogon timeout, the logon might fail if the dial-up tool too much time. From my experience, SDL works much better in couple with SSO.

We have configure also our lab to use SDL to Win2k domain in native mode. Everything works good until you bring a logon via dial-up. The same problems as with WinNT domain rise again.

-- PhoneBoy - 12 Apr 2004


FAQForm
FAQs.Class: SecureClientFAQs
FAQs.OS:
FAQs.Version: