
AD Authentication with Multiple DCs

If multiple DCs are added by IP under the Authentication > Servers section, how does it work exactly? Will Sophos send all AD authentication requests to only one DC among the list of servers, or does Sophos round-robin or use some other method to randomly select a DC for the authentication? What I'm looking for is some sort of round-robin rotation or load balancing.

  • Depending on the request XG is trying to solve.

    As you will configure a Domain per AD Server, you will give XG the option to filter for the domain. 

    Example: 

    DC1: sophos.com

    DC2: test.com

    If you log in via User@sophos.com on XG, XG will only use DC1, as it already knows DC1 will be responsible for this domain.

    If you log in via user on XG, XG cannot verify the domain, as the UPN is missing. Hence it will do the following:

    DC1: user@sophos.com DC2: user@test.com - Verify if one DC responds with a bind and use the data.

    If you have multiple DCs with the same domain, XG will ask all DCs at the same time and take the first response. ADs should have a trust to hold the same data, if they cover the same information. The request will be performed on LDAP level (389/636).
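Added example, not Sophos code and not part of this reply: a small Python model of the selection rules described above (UPN present: only the DC owning that domain; no UPN: one UPN per configured domain; several DCs for one domain: asked in parallel, first successful bind wins). Server names, the FAKE_DIRECTORY and fake_bind are constructed placeholders; a real deployment does the bind over LDAP on 389/636.

```python
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout
# Configured AD servers: address -> domain it serves (constructed sample;
# the addresses are placeholders, not real DCs).
SERVERS = {
    "dc1.example.test": "sophos.com",
    "dc2.example.test": "test.com",
    "dc3.example.test": "sophos.com",  # second DC for the same domain
}

def candidate_binds(login, servers):
    """(server, upn) pairs to try. A UPN restricts the search to the DCs that
    own its domain; a bare username becomes one UPN per configured domain."""
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return [(s, f"{user}@{domain}") for s, d in servers.items()
                if d.lower() == domain.lower()]
    return [(s, f"{login}@{d}") for s, d in servers.items()]

def authenticate(login, password, bind, servers=SERVERS, timeout=5.0):
    """Query all candidate DCs in parallel; return the UPN accepted by the first
    successful bind, or None. bind(server, upn, password) returns True/False
    for an accepted/rejected LDAP bind and raises if the DC does not answer."""
    candidates = candidate_binds(login, servers)
    if not candidates:
        return None  # no configured DC serves the requested domain
    with ThreadPoolExecutor(max_workers=len(candidates)) as pool:
        futures = {pool.submit(bind, s, upn, password): upn for s, upn in candidates}
        try:
            for fut in as_completed(futures, timeout=timeout):
                try:
                    if fut.result():
                        return futures[fut]
                except Exception:
                    continue  # this DC did not respond; wait for the others
        except FuturesTimeout:
            pass  # nobody answered in time
    return None
# Constructed sample directory (UPN -> password per DC) so this runs offline.
FAKE_DIRECTORY = {
    "dc1.example.test": {"alice@sophos.com": "pw1"},
    "dc2.example.test": {"bob@test.com": "pw2"},
    "dc3.example.test": {"alice@sophos.com": "pw1"},
}

def fake_bind(server, upn, password):
    if server == "dc3.example.test":
        raise ConnectionError("no response")  # simulate an unreachable DC
    return FAKE_DIRECTORY[server].get(upn) == password
```

With the sample data, `authenticate("bob", "pw2", fake_bind)` resolves to `bob@test.com` via DC2 even though DC3 never answers, while a UPN for a domain no configured DC serves returns None without any bind attempt.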

  • No need to add individual DCs - just add the FQDN of the domain (e.g. domain.local or whatever domain suffix you're using for your AD).

    Make sure you've got DNS Request Routes set up for this domain pointing to at least two of the DNS servers for this domain if the DNS servers for the XG aren't already pointing to these.

    The FQDN entry for the LDAP service will be looked up via DNS and an appropriate site-specific DC will be returned.