Hello I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well. I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another other service. I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5) mschap mschapadN { with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf" } where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain" and then in the inner-tunnel site I have authenticate { Auth-Type MS-CHAP { redundant-load-balance { mschapad1 mschapad2 .. mschapadN } } } Is this along the lines that others follow? if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to? Thanks, Neil