John_Colfer
Nickel

Domain Controller Redundancy

Hi

I was just wondering how domain controller redundancy works in Check Point policy. You create an LDAP Account Unit for a domain and add in your 2 LDAP server objects (domain controllers).

Then on the "Objects Management" tab you can only choose 1 of these 2 servers.

Today the cert on irbdc04 changed, which meant LDAPS queries stopped working until the fingerprint was fetched. The customer asked us, "why didn't the other domain controller take over serving authentication queries?"

So I'm wondering: even though I have 2 servers defined in the LDAP Account Unit, only 1 is defined on the Objects Management tab. Does this mean that if irbdc04 is not working there is no LDAP server redundancy? At what point will phdc03 take over serving requests?

Thanks in advance

John


Re: Domain Controller Redundancy

I would use CP Identity Collector here - see sk108235 (Identity Collector - Technical Overview) for details!


Re: Domain Controller Redundancy

The question is about authentication, not about Identity Awareness.

JozkoMrkvicka
Platinum

Re: Domain Controller Redundancy

We had EXACTLY the same issue as you a year ago, and it looks like priority does nothing in this case because LDAP is reachable but cannot fetch anything = no issue at all for Check Point.

In case the first LDAP is not reachable (telnet 636 not possible), it will go to the other LDAP in the priority list.

In your case the first LDAP was reachable (can you confirm?) and that's all fine according to Check Point design.

Kind regards,
Jozko Mrkvicka
John_Colfer
Nickel

Re: Domain Controller Redundancy

Hi Jozko

Yeah, the LDAP server was reachable (the server was up), but the fingerprint on the cert had changed so it could not retrieve anything. So does that mean that if the server is up and reachable it will not use the next server in the list, even though it cannot query the directory?

JozkoMrkvicka
Platinum

Re: Domain Controller Redundancy

Yes, exactly.

Kind regards,
Jozko Mrkvicka

Re: Domain Controller Redundancy

That's a big problem with the LDAPS configuration in the Check Point Account Unit, as there is no check of when the certificate expires and no warning upfront.

That's why I prefer LDAP in this case (at least if everything is internal traffic), even though we send it in the clear.
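The two replies above describe the gap: the gateway only moves to the next server in the Account Unit's priority list when the first one is unreachable on TCP 636, and nothing warns before a pinned LDAPS certificate is renewed or expires. The following script is an added example (not Check Point code and not from this thread) of the upfront check Norbert says is missing. It assumes the fingerprint the Account Unit pins is a SHA-1 digest of the DER certificate (the hash algorithm is an assumption; `algo` is a parameter). The host name irbdc04 is taken from the thread; the sample certificates are constructed, unsigned X.509 skeletons built inline so the checks run offline, and the tiny DER walker reads only as much of a certificate as is needed to get `notAfter`.

```python
"""Added example: warn on LDAPS certificate change/expiry before the Account Unit breaks."""
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone


def der_tlv(data, off=0):
    """Decode one DER tag/length/value at `off`; return (tag, value, next_off)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    return tag, data[off:off + length], off + length


def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val


def not_after(der_cert):
    """Return the certificate's notAfter as an aware UTC datetime."""
    _, cert_body, _ = der_tlv(der_cert)        # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)             # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    validity = fields[3][1]                    # serial, sigAlg, issuer, validity, ...
    tag, raw = list(der_children(validity))[1]  # notBefore, notAfter
    # 0x17 = UTCTime (YYMMDD...), otherwise GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def fingerprint(der_cert, algo="sha1"):
    """Colon-separated hex digest of the DER certificate (SHA-1 is an assumption)."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_cert(der_cert, pinned, now=None, warn_days=30):
    """Return problem codes: 'fingerprint-mismatch', 'expired', 'expiring-soon'."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if fingerprint(der_cert) != pinned.upper():
        problems.append("fingerprint-mismatch")   # the exact state the thread hit
    days_left = (not_after(der_cert) - now).days
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:
        problems.append("expiring-soon")
    return problems


def probe(host, pinned, port=636, timeout=5):
    """Live check of one DC (needs network); separates the two cases from the thread."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:
        return f"{host}: unreachable on {port} ({exc}); the gateway would fail over"
    pem = ssl.get_server_certificate((host, port))    # unverified fetch; we verify by pin
    problems = check_cert(ssl.PEM_cert_to_DER_cert(pem), pinned)
    if problems:
        return f"{host}: reachable but {', '.join(problems)}; the gateway will NOT fail over"
    return f"{host}: OK"


def der_encode(tag, body):
    """Encode one DER element (short and long-form lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def build_sample_cert(not_after_utctime):
    """Constructed, unsigned X.509 skeleton: enough for fingerprint() and not_after()."""
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, not_after_utctime))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))                       # [0] version v3
        + der_encode(0x02, b"\x01")                                       # serialNumber
        + der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
        + der_encode(0x30, b"") + validity + der_encode(0x30, b"")        # issuer, validity, subject
        + der_encode(0x30, b""))                                          # SPKI placeholder
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))


# Constructed samples: what irbdc04 served before and after its renewal (made up, unsigned).
OLD_CERT = build_sample_cert(b"240315120000Z")   # notAfter 2024-03-15
NEW_CERT = build_sample_cert(b"260315120000Z")   # notAfter 2026-03-15

if __name__ == "__main__":
    # usage: python ldaps_pin_check.py <pinned-fingerprint> <dc-host> [<dc-host> ...]
    for host in sys.argv[2:]:
        print(probe(host, sys.argv[1]))
```

Run it from a scheduled job against every DC in the Account Unit, with the fingerprint you last fetched in SmartConsole as the pin; a "fingerprint-mismatch" on a reachable host is the renewal case from this thread, and the gateway will keep sending queries to that server regardless of the priority list, so re-fetch the fingerprint before users notice.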

John_Colfer
Nickel

Re: Domain Controller Redundancy

Thanks Norbert. I suggested this to the customer but they prefer not to send usernames/passwords in the clear. Is there any other way around this? Is this issue addressed in a subsequent version?

Thanks again

John