Domain Authentication on Local Server


NEFJ


Quick setup.

Have a domain with roughly 70 sites distributed across the country connected to a colo via VPNs over DSL.

Each site has a win2k3 server providing SQL and File Sharing to the clients at local site. Also at the sites are 10 touch screen terminals that access applications on the server through a file share.


Domain Controllers reside at 3 of the sites (1 of which is at the colo). All clients authenticate to one of the 3 DCs.

So the problem,

Occasionally the DSL lines go down at the sites. The clients are able to login with cached login info (they all login with one domain account automatically); however, they are unable to access the file shares on the local server.

So short of putting DCs into every site, does anyone have any ideas how to allow them access to the file shares when the domain authentication is not available? When they try to access it they are prompted for login credentials.

Thanks,
NJS








 
I would say you would need to create a local account on the local server. They could all use the same account to access the share for simplicity, but your company security policies may not allow this. Give that new local user authority to access the file shares. Then when the users are prompted to authenticate they can give that generic user's credentials and go to work. Not saying this is the best way, but it would do in a pinch. Best way would be to have a DC at all the sites or redundant internet connections. Could set up a dial-up RRAS to a DC also: when the DSL goes down, the server dials out to a DC and makes a connection over phone lines.

just some thoughts for you,

RoadKill
 
I agree with Road Kill that you should have DCs running as GCs in those sites. And you said aside from running DCs... again, only a local account can access the server if your DSL is down. Since you have file server(s) in the remote location, what would keep you from allowing them to run as DCs as well? Seems like a small wide-spread environment. You can manage the replication to keep from saturating the WAN links.
 
I agree. You either have to have a DC with GC at each site or use local accounts to access information on the file server when the link is down.

Of course, another option would be to get rid of DSL and get a real solid connection.
 
These stations are the red-headed step child of this environment. I personally am not against putting DCs at every site; the other admins, however, would string me up from the drop ceiling if I tried to implement it.

Security really isn't a concern with those file shares; they are just used to store and launch the applications from. I've got the generic account set up on the servers; the problem is that the stations don't have keyboards to actually enter the login information. I could use a script to do it, but I have reservations about keeping stored passwords in files.

Login to the stations themselves is done automatically with reg settings.

Thanks for everyone's responses; it's greatly appreciated.
 
I get around this by compiling the batch file into an .exe, which makes it unreadable unless you plan on hex dumping it. This is what I use; I purchased it for like $30, but I am pretty sure it has a 30-day trial. Probably could find a free version if you looked around.
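
The last two posts turn on whether a password in a login script stays hidden once the batch file is wrapped into an .exe. As an added example (not part of the thread or any poster's code), this Python check scans a deployment file for a `net use` command that carries a password, as 8-bit text and as UTF-16LE. It assumes the wrapper stores the script text unencoded; the server, share, account and password in the sample are constructed placeholders.

```python
import re

# "net use [drive] \\server\share <password> /user:<account>", i.e. the form
# that puts the password on the command line.
# Group 1 = password argument, group 2 = account.
NET_USE = re.compile(
    r"net[ \t]+use[ \t]+(?:(?:[a-z]:|\*)[ \t]+)?"        # optional drive or *
    r"\\\\[!-~]+[ \t]+(?!/)([!-~]+)[ \t]+/user:([!-~]+)",
    re.IGNORECASE,
)

def decoded_views(blob: bytes):
    """Yield the file as 8-bit text and as UTF-16LE at both byte alignments."""
    yield "ascii", blob.decode("latin-1")
    yield "utf-16le", blob.decode("utf-16-le", errors="replace")
    yield "utf-16le", blob[1:].decode("utf-16-le", errors="replace")

def find_embedded_credentials(blob: bytes):
    """Return sorted (encoding, account, password_length) tuples.

    The password itself is never returned, so the report can be shared.
    """
    hits = set()
    for encoding, text in decoded_views(blob):
        for match in NET_USE.finditer(text):
            password, account = match.group(1), match.group(2)
            if password == "*":      # "*" asks for a prompt; nothing is stored
                continue
            hits.add((encoding, account, len(password)))
    return sorted(hits)

# Constructed sample: a fake wrapper header followed by the script text, once
# as 8-bit text and once as UTF-16LE starting at an odd offset.
SCRIPT = ("net use \\\\SITE-SRV\\apps Examp1e-Pw /user:SITE-SRV\\kiosk\r\n"
          "start pos.exe\r\n")
SAMPLE_ASCII = b"MZ\x90\x00" + bytes(60) + SCRIPT.encode("ascii")
SAMPLE_UTF16 = b"MZ\x90" + bytes(60) + SCRIPT.encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_ASCII), ("utf-16", SAMPLE_UTF16)):
        print(name, find_embedded_credentials(blob))
```

An empty result only means this one pattern was not found in plain form; it says nothing about a wrapper that compresses or encodes the script.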

 