Authentication fails after removing old domain controller



  • Hi all.

We've decommissioned our old primary domain controller (.11) after replacing it with two new domain controllers (.37 and .32). When we removed the old one, authenticating through OpenVPN stopped working.
    In OpenVPN, our new DC ("DC01"), which is a RADIUS server, is listed in the authentication servers and the old one has been removed. I've also checked that the DNS servers used by pfSense are the new servers.
    When doing a DNS lookup on DC01, pfSense cannot resolve the host name to an IP address, regardless of whether I use the FQDN.

    Any ideas on how this can be resolved?

    Thanks in advance,

    Pontus



• By fixing your DNS server/entries on DC01?
    pfSense has very little to do with your Windows DNS server that is unable to resolve addresses... or am I missing something?



• I might have been a bit unclear: it's when I do a DNS lookup within pfSense that the entry "DC01" cannot be resolved. It's like pfSense is not using the DNS server assigned to it.
    If relevant, the error messages in the OpenVPN part of the pfSense logs are the following:
    X.Y.Z.W:Q WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    X.Y.Z.W:Q TLS Auth Error: Auth Username/Password verification failed for peer
    X.Y.Z.W:Q WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
    X.Y.Z.W:Q Peer Connection Initiated with [AF_INET] X.Y.Z.W:Q

    Thanks again,

    Pontus



  • I also find this under Status / System Logs / System / DNS Resolver:
    using nameserver X.Y.Z.11#53 for domain qwerty.se

    .11 = the old DC that is out of the picture. This should be .37.
Looking at Services / DNS Resolver / General Settings, .37 is stated in the domain override for qwerty.se (the internal domain).

    Pontus
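A check for the situation described in the last post, added here as an example that is not part of the thread: it parses the "using nameserver ... for domain ..." lines from the pfSense DNS Resolver (Unbound) log and flags any forwarder for a zone that is not one of the current domain controllers, so a stale domain override like the .11 entry shows up immediately after a decommission. The log lines use constructed addresses from the RFC 5737 documentation ranges, and the `CURRENT_DCS` map is an assumption standing in for the real .37/.32 hosts.

```python
import re
from ipaddress import ip_address

# Matches the resolver log line quoted in the thread:
#   "using nameserver <ip>#<port> for domain <zone>"
# search() is used so the syslog prefix in front of it does not matter.
FORWARDER_RE = re.compile(
    r"using nameserver (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) for domain (?P<zone>\S+)"
)


def parse_forwarders(log_lines):
    """Return {zone: {(ip, port), ...}} for every forwarder the resolver reported using."""
    seen = {}
    for line in log_lines:
        m = FORWARDER_RE.search(line)
        if not m:
            continue
        # Normalise the zone name; the root zone "." must survive the strip.
        zone = m.group("zone").lower().rstrip(".") or "."
        ip = str(ip_address(m.group("ip")))  # canonical form, raises on garbage
        seen.setdefault(zone, set()).add((ip, int(m.group("port"))))
    return seen


def stale_forwarders(log_lines, expected):
    """expected: {zone: {ip, ...}} of servers that should still be in use.

    Returns [(zone, ip, port)] for every forwarder seen in the log that is not
    in the expected set for its zone, i.e. a decommissioned or unknown server.
    """
    findings = []
    for zone, targets in parse_forwarders(log_lines).items():
        allowed = {str(ip_address(i)) for i in expected.get(zone, set())}
        for ip, port in sorted(targets):
            if ip not in allowed:
                findings.append((zone, ip, port))
    return findings


# Constructed sample log lines (documentation addresses, not the poster's real hosts).
SAMPLE_LOG = [
    "unbound[1234]: [1234:0] info: using nameserver 192.0.2.11#53 for domain qwerty.se",
    "unbound[1234]: [1234:0] info: using nameserver 192.0.2.37#53 for domain qwerty.se",
    "unbound[1234]: [1234:0] info: using nameserver 203.0.113.1#53 for domain .",
]
# Assumed current servers: the two new DCs for the internal zone, one upstream for the root.
CURRENT_DCS = {"qwerty.se": {"192.0.2.37", "192.0.2.32"}, ".": {"203.0.113.1"}}

if __name__ == "__main__":
    for zone, ip, port in stale_forwarders(SAMPLE_LOG, CURRENT_DCS):
        print(f"stale forwarder for {zone}: {ip}#{port}")
```

Run it against the lines from Status / System Logs / System / DNS Resolver after a DC change; an empty result means every domain override points at a server you still operate.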