Slow DNS Replication Causing Radius Authentication Failure

    Question

  • We are a school board that has about 45 sites on a single domain. Each site has a server (Win 2008) which acts as a domain controller, file and printer server, and dhcp server. We use certificate based radius authentication for wireless clients. Our radius server (network policy server, Win 2008 R2) runs centrally at the board office, and it's also a domain controller. We are using high end d-link wireless access points at all locations which point to one of few managed controllers. It's the controller that points to our Radius Server to authenticate the clients.


    The issue is a client tries to join wirelessly and radius authentication fails. It appears like the issue has to do with DNS on the Radius server not being up to date. If we do an nslookup for the client on the Radius server there is no record. If we do an nslookup for the client on its own site's server it responds with a record. If we force a replication between their server and our central servers things work immediately once DNS updates. The problem is that can sometimes take 10-15 minutes.


    What I don't fully understand is how/why Radius uses DNS in its authentication. If a machine has never connected to the network before, wireless or wired, they wouldn't have a DNS entry. So I am kind of lost as to how they are getting the DNS entries before they actually connect, but they are there! We do know that Radius does seem to rely on DNS though, as we ran into issues in the past with duplicate DNS entries for the same IP before we moved to the DHCP servers doing the DNS updates with supplied credentials, which seemed to have fixed that issue.


    The obvious solution would be to run Radius on each site's DC and point the access points to the local Radius server for authentication. The problem with that is it's not the access points that do the radius authentication, it's the controller they point to, and most sites don't have their own controller. Only the bigger sites do.


    The other option is making the sites without a controller individually managed, and not managed by the controller, and then point them to the local Radius server if we went that route. We really would like to avoid that as it defeats the purpose of having a controller to centrally manage all access points.


    I am hoping this makes sense to people and maybe I can get some advice. We are scratching our heads. 



    • Edited by colesm Thursday, May 31, 2012 18:36
    Thursday, May 31, 2012 18:33

All replies

  • Hi,

    For an NPS server, the network policy uses AD Domain Services user and computer accounts for authentication. If a new computer joined the domain in a remote site, and the new account was not replicated to the main site, then the NPS server located in the main site will fail to authenticate the new computer and user account created in the remote site, because the NPS server is still using the main site AD database. Based on this situation, it's more likely an AD replication topology issue. As you mentioned, you can set up an NPS server on each site. For Radius clients in these sites, we can specify the local NPS server for authentication. However, if there is no writeable DC in the site, the client will try to contact the closest site with the first responding DC, and update the AD database there. So make sure the local NPS server connects to the same DC. Or you need to redesign the AD replication topology, ensuring the AD change can only update in specific DCs and replicate to the separate site. For this issue, I would suggest that you post a new thread at the Directory Services forum for further support.

    Directory Services Forum

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    Active Directory Replication Topology Technical Reference

    http://technet.microsoft.com/en-us/library/cc755326(v=ws.10).aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support


    Monday, June 04, 2012 06:52
  • Thanks for your reply and suggestions.

    The clients that are having the issues though are not new computers to the domain. The issue is their DNS record hasn't replicated to the DNS running on the Radius server, and are unable to authenticate. I have sat and refreshed DNS on the Radius server and as soon as that record shows up the client connects wirelessly. So we know it has something to do with DNS not being replicated.

    Wednesday, June 06, 2012 12:03
  • Actually, DNS does not replicate, AD does, and if the zone is AD integrated, then that simply means the zone data is being stored in the actual physical AD database (actually in one of the logical "partitions"). Therefore, it's an AD replication issue, as Aiden said, which is why I marked his post as a proposed answer.

    But it's strange that a host record for an existing machine doesn't already exist in the zone, which would already have replicated long ago.


    Since this is an AD question, it's better suited for the DS (Directory Services) forum. Maybe Aiden or Tiger can move the thread for us to the DS forum for better exposure with all the DS folks.


    In the meantime, if you can gather the following and post it to your free Skydrive account (http://skydrive.live.com), it will give us a head start in diagnosing the issues.

    • Number of DCs
    • Number of AD Sites
    • The IP Site Connector replication frequency and when it's allowed to occur. By default, it's allowed to occur 24/7, and the default replication frequency is 180 min (3 hours), but the frequency can be chopped down to 15 minutes, the lowest setting. This is because the max replication time for DCs within a Site is 15 min. No getting around this. This can be part of what you're seeing.
    • An unedited ipconfig /all from each DC (assuming the NPS is a DC with DNS on it), and one from the "main" site.
    • Event log errors on the DCs. Please check for any event log errors. Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.
    • A screenshot of your DC's NTDS\Connection objects (to understand which DCs are partnering with the one you're having problems with.)
    • repadmin /replsum > c:\rep-replsummary.txt (on this DC and the one(s) it('s) partnered with.)
    • repadmin /showreps > c:\rep-showreps.txt (From each DC in question - This switch shows if the partitions have replicated or not)
    • repadmin /showrepl dc01.domain.local /verbose /all /intersite > c:\rep-showrepl.txt (From each DC. This helps understand the replication topology and replication failures)



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, June 07, 2012 05:02
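
    The check the thread keeps doing by hand (nslookup on the site DC versus the NPS DC, then pulling the repadmin output Ace lists) can be scripted so the same evidence is gathered for every client that fails. This is an added example, not code from the thread; it assumes nslookup.exe and repadmin.exe are on the path (both ship with Windows Server), the server names are placeholders, and the "fails/total" column layout of repadmin /replsum output is as assumed in the comment.

    ```powershell
    # Added example: report on which DNS servers a client's A record is visible,
    # and if it is visible on some but not others, capture replication state.
    # Assumptions: nslookup.exe/repadmin.exe on the path; PS 2.0-compatible syntax.
    function Test-ClientDnsVisibility {
        param(
            [Parameter(Mandatory=$true)] [string]$ClientHost,   # e.g. pc01.alcdsb.on.ca (placeholder)
            [string[]]$DnsServers = @('site-dc.example.local', 'nps-dc.example.local')  # placeholders
        )
        $results = @()
        foreach ($server in $DnsServers) {
            # nslookup prints a "Name:" line only when that server answered with a
            # record; "Non-existent domain" or a timeout means the record is not there.
            $out = (& nslookup.exe -type=A $ClientHost $server 2>&1) | Out-String
            $detail = ($out -split "`r?`n" | Where-Object { $_ -match 'Address|Non-existent|timed out' }) -join '; '
            $results += New-Object PSObject -Property @{
                Server = $server
                Found  = [bool]($out -match '(?m)^Name:')
                Detail = $detail
            }
        }
        $results | Format-Table Server, Found, Detail -AutoSize

        $seen    = @($results | Where-Object { $_.Found })
        $missing = @($results | Where-Object { -not $_.Found })
        if ($seen.Count -gt 0 -and $missing.Count -gt 0) {
            # Some DCs have the record and some do not: that is replication lag or a
            # replication failure, not an NPS problem. Gather what the thread asks for.
            Write-Host "Record visible on $($seen.Count) of $($results.Count) servers; checking replication."
            & repadmin.exe /replsum | Out-File -FilePath 'C:\rep-replsummary.txt'
            & repadmin.exe /showrepl /verbose /all /intersite | Out-File -FilePath 'C:\rep-showrepl.txt'
            # Assumed layout of /replsum: a "fails/total" column such as "  0 /   5";
            # any line with a nonzero fail count names the partner to look at first.
            Get-Content 'C:\rep-replsummary.txt' | Where-Object { $_ -match '\s[1-9]\d*\s*/\s*\d+\s' } |
                ForEach-Object { Write-Warning "Replication failures: $_" }
        }
        return $results
    }

    # Usage (placeholder names): Test-ClientDnsVisibility -ClientHost 'pc01.alcdsb.on.ca'
    ```

    Run it from the NPS DC while a client is failing; if the local site DC shows Found=True and the NPS DC shows Found=False, the 10-15 minute window in the first post is the inter-site replication interval, and the warnings point at any partner that is failing outright.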
  • Of course I know that DNS is part of AD and it's AD that replicates. I was implying that it was the DNS part of the replication that is the issue. I don't know how or why Radius authentication relies on DNS so heavily. Maybe we have something configured wrong, I don't know.. What I do know is as soon as the Radius server has an up to date DNS that includes the client that is having issues, they connect within seconds. So there obviously is a connection somehow. Here are the answers to some of your questions...

    • Number of DCs - 50
    • Number of AD Sites - 47
    • The IP Site Connector replication frequency and when it's allowed to occur. By default, it's allowed to occur 24/7, and the default replication frequency is 180 min (3 hours), but the frequency can be chopped down to 15 minutes, the lowest setting. This is because the max replication time for DCs within a Site is 15 min. No getting around this. This can be part of what you're seeing. Most sites are 30, our faster links are 15 and all are allowed to replicate 24/7.

    The issue with the rest of these questions is there isn't one or two specific sites that have issues. This is an issue at every site from what we can tell.

    • An unedited ipconfig /all from each DC (assuming the NPS is a DC with DNS on it), and one from the "main" site.
    • Event log errors on the DCs. Please check for any event log errors. Check all Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Server logs.
    • A screenshot of your DC's NTDS\Connection objects (to understand which DCs are partnering with the one you're having problems with.)
    • repadmin /replsum > c:\rep-replsummary.txt (on this DC and the one(s) it('s) partnered with.)
    • repadmin /showreps > c:\rep-showreps.txt (From each DC in question - This switch shows if the partitions have replicated or not)
    • repadmin /showrepl dc01.domain.local /verbose /all /intersite > c:\rep-showrepl.txt (From each DC. This helps understand the replication topology and replication failures)
    Thursday, June 07, 2012 12:43
  • Maybe if it's just DNS, there could be a dupe zone. Let's rule this out:

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by Ace Fekay, MCT, MVP DS on Sep 2, 2009 at 2:34 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx



    Ace Fekay

    Thursday, June 07, 2012 19:51
  • Ok so I went through your steps and noticed a few things that may or may not be issues. I am not an expert when it comes to this in depth stuff..

    Our domain is alcdsb.on.ca

    When viewing domaindnszones under CN=MicrosoftDNS I don't have a DC=alcdsb.on.ca. I do have DC=RootDNSServers and a few other entries but nothing like what yours shows.

    In forestdnszones all I have is DC=..TrustAnchors and not _msdcs.alcdsb.on.ca like yours shows.

    I also noticed that when looking at the default view under CN=System, CN=MicrosoftDNS, DC=RootDNSServers, I am missing the a and b root servers.

    Does any of this sound like a problem to you?

    Thursday, June 07, 2012 20:16
  • Should I be concerned about any of that Ace?

    Tuesday, June 12, 2012 14:20
  • Should I be concerned about any of that Ace?

    You mean the missing A and B roots? Nah, no problem there, just any dupes, which are problematic. So you didn't find any?

    And sorry for the late response. I must have missed this reply in my email notification with over 100 emails per day! :-)


    Ace Fekay

    Tuesday, June 12, 2012 15:39
  • No problem...  I was more wondering about the differences I was seeing in the other areas.

    When viewing domaindnszones under CN=MicrosoftDNS I don't have a DC=alcdsb.on.ca. I do have DC=RootDNSServers and a few other entries but nothing like what yours shows.

    In forestdnszones all I have is DC=..TrustAnchors and not _msdcs.alcdsb.on.ca like yours shows.

    Tuesday, June 12, 2012 15:42
  • Nah, you're ok. Just the dupes.

    Maybe the wireless controllers need to be looked at. What brand are they? Did you contact their support department?


    Ace Fekay

    Tuesday, June 12, 2012 15:49
  • They are D-Link DWL-8600AP.. When we use a different type of security such as WEP or WPA there doesn't appear to be issues. Just with radius authentication.
    Tuesday, June 12, 2012 15:54
  • I would talk to Dlink about it, and see what they have to offer.

    Ace Fekay

    Tuesday, June 12, 2012 16:10