Data Loss Prevention

  • 1.  Symantec Data Loss Prevention - Secondary Domain Controllers

    Posted Aug 27, 2017 07:24 PM
    Hello,

    I have a question about domain controllers.
    You can add domain controllers in two locations:
    -krb3.ini
    -Directory Connections
    In krb3.ini, is it possible to add multiple domain controllers for each domain?
    [libdefaults]
        default_realm = Domain1
    [realms]
        Domain1 = {
            kdc = DomainController1
        }

    For Directory Connections, I can add multiple domain controllers for each domain with the same base DN. Will this break anything?

    I guess ultimately the question is, how do you add multiple domain controllers for each domain for failover?
     
    Cheers
    Cameron Mottus




  • 2.  RE: Symantec Data Loss Prevention - Secondary Domain Controllers
    Best Answer

    Posted Aug 28, 2017 10:44 AM

    **In krb3.ini, is it possible to add multiple domain controllers for each domain?

    Sure. My krb5.ini looks like this.


    **For Directory Connections, I can add multiple domain controllers for each domain with the same base DN. Will this break anything?

    I don't think that will necessarily break anything, but it could add to overhead for directory connections. Each connection is going to index according to its schedule without regard to any other directory connections. In other words, you don't get fail-over in the sense of "If A fails to complete its task, B will take over". I think you'll get something more along the lines of "A and B and C and D (etc.) are doing the same thing according to their own schedule".


    ...but I don't have any proof of that :)



  • 3.  RE: Symantec Data Loss Prevention - Secondary Domain Controllers
    Best Answer

    Trusted Advisor
    Posted Aug 29, 2017 09:41 AM

    Hello,

    You could add several DCs in your krb file, and this will be used per domain or as failover (if you have several servers available for one domain). This is used each time someone requests an authentication to your DLP web interface.


    Directory connections are used only based on their schedule and not in real time. So if you have several servers which could be used for indexing the same list of people, you could set up several directory connections and then you will perform several indexes (which should be the same). Then you have to define several user groups (one per directory connection) and add each user group to your policies... then it may look like a failover (of your DC), but it also means each time you want to perform some update on this part you have to do it in both (Dir con and user groups).


    Regards



  • 4.  RE: Symantec Data Loss Prevention - Secondary Domain Controllers

    Trusted Advisor
    Posted Aug 31, 2017 02:12 PM

    Here is the format for multiple DCs in a single domain.


    [libdefaults]
        default_realm = MYDOMAIN.COM
        default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
        default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

    [realms]
        MYDOMAIN.COM = {
            kdc = DC01.MYDOMAIN.COM
            kdc = DC02.MYDOMAIN.COM
        }
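The multi-kdc layout in the reply above is easy to get subtly wrong: a realm block whose name does not match default_realm leaves the default realm with no KDC at all, and a single kdc line gives no failover. The script below is an added example, not part of this thread or of Symantec DLP; it parses a krb5.ini-style file and reports those two problems, plus any of the deprecated enctypes from the snippet. SAMPLE and its host names are constructed placeholders.

```python
# Constructed sample in the krb5.ini layout from the thread; names are placeholders.
SAMPLE = """[libdefaults]
    default_realm = MYDOMAIN.COM
    default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, AES256-CTS-HMAC-SHA1-96
[realms]
    MYDOMAIN.COM = {
        kdc = DC01.MYDOMAIN.COM
        kdc = DC02.MYDOMAIN.COM
    }
"""
# Single DES was retired by RFC 6649; 3DES and RC4 by RFC 8429.
WEAK_ENCTYPES = {"DES-CBC-CRC", "DES-CBC-MD5", "DES3-CBC-SHA1", "RC4-HMAC"}

def parse_krb5(text):
    """Return (libdefaults dict, {REALM: [(key, value), ...]}); repeated kdc lines are all kept."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip().upper()   # 'REALM = {' opens a block
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = map(str.strip, line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key.lower()] = value
            elif section == "realms" and realm:
                realms[realm].append((key.lower(), value))
    return libdefaults, realms

def check_failover(text):
    """Findings to clear before trusting this file for DC failover."""
    libdefaults, realms = parse_krb5(text)
    findings = []
    default = libdefaults.get("default_realm", "").upper()
    if default and default not in realms:
        findings.append(f"default_realm {default} has no [realms] block")
    for realm, entries in realms.items():
        kdcs = [v for k, v in entries if k == "kdc"]
        if len(kdcs) < 2:
            findings.append(f"{realm}: {len(kdcs)} kdc line(s), no failover")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        listed = {e.strip() for e in libdefaults.get(key, "").upper().split(",")}
        findings += [f"{key}: deprecated enctype {e}" for e in sorted(listed & WEAK_ENCTYPES)]
    return findings
```

Run it against your own krb5.ini (for example `check_failover(open("krb5.ini").read())`) and an empty list means every listed realm has at least two KDCs and no deprecated enctypes are configured.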