Windows Server 2019 issues

%3CLINGO-SUB%20id%3D%22lingo-sub-1200912%22%20slang%3D%22en-US%22%3EWindows%20Server%202019%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1200912%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20using%20a%20palo%20alto%203050%20firewall%20with%20the%20integrated%20user%20identification%20feature.%20It%20probes%20our%20DC's%20and%20client%20workstations%20to%20map%20usernames%20to%20IP%20addresses%20to%20appropriately%20assign%20security%20policies%20on%20the%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPreviously%2C%20I%20was%20running%20server%202012%20with%20no%20issues%20on%20the%20user%20to%20ip%20mapping.%20I%20am%20now%20running%20server%202019%20version%201809%20on%20all%20DC's%20and%20I%20am%20running%20into%20some%20issues.%20Any%20time%20a%20new%20user%20signs%20into%20the%20network%2C%20they%20are%20mapped%20to%20the%20computer%20they%20signed%20in%20on%2C%20and%20they%20are%20also%20mapped%20to%20the%20domain%20controllers%20IP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20users%20are%20only%20mapped%20to%20DC's%20that%20are%20Read%20Only%20dc's.%20I%20know%20the%20firewall%20probes%20the%20DC's%20and%20client%20workstation%20using%20WMI%20to%20extract%20event%20logging%20information.%20Did%20something%20change%20from%202012%20to%202019%20on%20how%20events%20are%20logged%20for%20login%3F%20I%20am%20completely%20stumped%20and%20palo%20alto%20support%20has%20done%20more%20than%20enough%20digging%20on%20their%20end.%20It%20is%20receiving%20that%20information%20from%20my%20DC%2C%20so%20the%20issue%20has%20to%20be%20there.%20The%20strange%20thing%20that%20I%20also%20found%20is%20when%20the%20user%20is%20mapped%20to%20the%20DC%2C%20it%20is%20almost%20always%20DNS%20traffic%20being%20sent%20out%20first.%20Sometimes%20they%20stay%20mapped%20long%20enough%20to%20be%20able%20to%20use%20the%20policy%20for%20other%20traffic%2C%20but%20like%20I%20said%2C%20when%20a%20new%20user%20on%20the%20network%20logs%20in%2C%20the%20new%20user%20is%20then%20mapped%20to%20the%20IP%20of%20my%20rodc.%20It%20is%20occuring%20on%203%20seperate%20RODC's.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%3F%20If%20I%20left%20out%20important%20information%2C%20excuse%20me%20as%20I%20am%20rushing%20to%20try%20to%20get%20this%20sorted%20out.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1200912%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1209871%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Server%202019%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1209871%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F570678%22%20target%3D%22_blank%22%3E%40Jrogers08%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20by%20chance%20have%20the%20user%20agent%20configured%20to%20look%20at%20the%20read%20only%20DC%3F%20Is%20it%20deployed%20on%20every%20DC%20in%20your%20environment%3F%20Is%20the%20sites%20and%20services%20subnets%20configured%20for%20the%20users%20to%20go%20towards%20the%20read%20only%20DCs%20(RODC)%3F%20How%20did%20you%20do%20your%20upgrade%3F%20Did%20anything%20change%20infrastructure%20wise%20during%20the%20upgrade%2C%20like%20new%20IP%20ranges%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20Palo%20side%20did%20they%20validate%20everything%20on%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Fcompatibility-matrix%2Fuser-id-agent%2Fwhich-servers-can-the-user-id-agent-monitor%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Epage%3C%2FA%3E%26nbsp%3Bto%20insure%20you%20are%20in%20alignment%20for%20supported%20config%3F%20Also%20do%20you%20use%20the%20credential%20service%20functionality%3F%20If%20yes%2C%20it%20%3CA%20href%3D%22https%3A%2F%2Fdocs.paloaltonetworks.com%2Fcompatibility-matrix%2Fuser-id-agent%2Fwhere-can-i-install-the-user-id-credential-service.html%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Elooks%3C%2FA%3E%20like%20that%20is%20only%20supported%20on%202012%2F2012R2%20RODC.%20Maybe%20if%20it's%20deployed%20on%20RODC's%20not%20for%20credential%20service%20maybe%20remove%20the%20agent%20from%20the%20RODC%20and%20see%20if%20behavior%20changes%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20my%20environment%20I%20have%20it%20with%20server%202016%20with%20no%20RODC%20in%20my%20environment%20and%20everything%20works%20great.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

We are using a palo alto 3050 firewall with the integrated user identification feature. It probes our DC's and client workstations to map usernames to IP addresses to appropriately assign security policies on the firewall.

 

Previously, I was running server 2012 with no issues on the user to ip mapping. I am now running server 2019 version 1809 on all DC's and I am running into some issues. Any time a new user signs into the network, they are mapped to the computer they signed in on, and they are also mapped to the domain controllers IP.

 

The users are only mapped to DC's that are Read Only dc's. I know the firewall probes the DC's and client workstation using WMI to extract event logging information. Did something change from 2012 to 2019 on how events are logged for login? I am completely stumped and palo alto support has done more than enough digging on their end. It is receiving that information from my DC, so the issue has to be there. The strange thing that I also found is when the user is mapped to the DC, it is almost always DNS traffic being sent out first. Sometimes they stay mapped long enough to be able to use the policy for other traffic, but like I said, when a new user on the network logs in, the new user is then mapped to the IP of my rodc. It is occuring on 3 seperate RODC's. 

 

Any ideas? If I left out important information, excuse me as I am rushing to try to get this sorted out.

1 Reply
Highlighted

@Jrogers08 

 

Do you by chance have the user agent configured to look at the read only DC? Is it deployed on every DC in your environment? Is the sites and services subnets configured for the users to go towards the read only DCs (RODC)? How did you do your upgrade? Did anything change infrastructure wise during the upgrade, like new IP ranges?

 

On the Palo side did they validate everything on this page to insure you are in alignment for supported config? Also do you use the credential service functionality? If yes, it looks like that is only supported on 2012/2012R2 RODC. Maybe if it's deployed on RODC's not for credential service maybe remove the agent from the RODC and see if behavior changes? 

 

In my environment I have it with server 2016 with no RODC in my environment and everything works great.