Forum Discussion

Jrogers08's avatar
Jrogers08
Copper Contributor
Feb 28, 2020

Windows Server 2019 issues

We are using a palo alto 3050 firewall with the integrated user identification feature. It probes our DC's and client workstations to map usernames to IP addresses to appropriately assign security po...
Active Directory
networking
Windows Server
adam_schildmeyer's avatar
adam_schildmeyer
Brass Contributor
Mar 04, 2020

Jrogers08 

 

Do you by chance have the user agent configured to look at the read only DC? Is it deployed on every DC in your environment? Is the sites and services subnets configured for the users to go towards the read only DCs (RODC)? How did you do your upgrade? Did anything change infrastructure wise during the upgrade, like new IP ranges?

 

On the Palo side did they validate everything on this https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-agent-monitor to insure you are in alignment for supported config? Also do you use the credential service functionality? If yes, it https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-credential-service.html like that is only supported on 2012/2012R2 RODC. Maybe if it's deployed on RODC's not for credential service maybe remove the agent from the RODC and see if behavior changes? 

 

In my environment I have it with server 2016 with no RODC in my environment and everything works great.

Resources