Eisen

Members
  • Posts

    4
Everything posted by Eisen

  1. So I work in an enterprise environment with around 800 users. These users are members of domain.com and they all access the web through the smoothwall webproxy. The smoothwall pulls its authentication via usual LDAP from the Active Directory domain.com tree and within this tree I have security groups in place that the smoothwall proxy recognises and assigns a level of internet access to each group. So web access is assigned depending on what security group a user is a member of and it all works great. Great. Smashing. Super. Until of course you bring another domain into the mix.

     Now the whole company network architecture is getting an overhaul and with this was the removal of NDS. Over the last few weeks I’ve been rebuilding AD and the best way to do this is to add another child domain and use this as the clean slate. For security reasons this is how it should be anyway. We’ll call this cake.domain.com.

     The smoothwall webproxy can only pull information from one LDAP context, in our case domain.com. I can specify a second ADC however this is for redundancy only. Nightmare. I’ve tried changing the domain.com security group to a universal group and then adding a new global group from cake.domain.com to the primary domain. However as the proxy will pull its user list using a normal ldapsearch it will pull everything back in plain text and will not look to see what members are in the cake.domain.com group.

     So what’s the way to get this working? In the short run add each user from cake.domain.com to the webaccess security group in domain.com. Now will that become a pain when I start to migrate users across in batches? Hell yeah. In the long run, get another webproxy for the second domain. Pain in the arse to do as I can guarantee when I ask for clearance to get one my IT Director will just say ISA repeatedly till I leave the room. Sigh..
  2. Well yeah you could do this aye. But it certainly wouldn't be best practice. I wouldn't want my dhcp going across my wide area network. Case example: What happens if your service provider has some outage on your WAN link? So unless the machines at site B have been left on overnight and still have their dhcp lease assigned to them they are not going to get an ip and whatever other configuration information from dhcp.. i.e. that site's now unable to work at all. In an ideal situation you want one dhcp server at each LAN on your internetwork. In your case you'll want a dhcp forwarder set up. Type that into the great techno god that is Google and you shall have your answer.
  3. Hey Hey, thought I would finally get around to posting. So hello to you all, long time watcher of Hak5 and glad to see you guys on season 6 now. I wish you all the best for the coming season and for the future ones to come. I'm going to post a few of my projects on the site in time and most likely some questions and hopefully answer a few IT questions from some of the users. So Good Job. Keep those episodes coming.

     • Favourite game: Counterstrike:Source
     • Favourite OS: Fedora 11 with ext3 / Windows 7
     • Favourite console: Amiga CD32 - Still works!
     • Nationality: Scottish
     • Accent: Scottish
     • Sex: Male
     • Age: 25
     • Race: Caucasian
     • Height: 5' 11"
     • Status: With Girlfriend
     • Build: Normal..
     • Favourite band: 2 many DJ's
     • Favourite book: A song of Ice and Fire
     • Favourite director: Harold Ramis
     • Favourite TV Show: The Wire
     • Favourite Comedian: Billy Connolly
     • Other hobbies: Partying, IT, socialising, IT, Drinking.. etc..
     • Occupation: IT System Administrator