Ahh - that's a better description. I see where the confusion comes in. But from what I read below, it looks like the registration has to be done manually? Specifically, section 3.
Still, I don't get why one would create a site without a DC - you build sites to control replication and authentication traffic. Help me understand why anyone would build a site without a DC.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Tucker, Mark [mailto:MTucker@;aelita.com]
> Sent: Tuesday, October 29, 2002 4:20 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Sites with no DC
>
> Gil, you are correct. I think Roger is confusing not having
> the client's subnet defined in AD with auto-site coverage.
> If the client's subnet is not defined in AD then the process
> Stuart outlined is followed.
>
> If you have an empty site (a site without a DC) the following
> algorithm is used per the Resource Kit. A client will then
> authenticate with one of the DCs in the site determined by
> the auto-site coverage algorithm. It has been my experience
> that this works correctly, and can easily be verified by
> ensuring there are site-specific SRV records registered in
> DNS for the empty site.
>
> -Mark
>
> Site Coverage Algorithm
>
> During registration of SRV records in DNS, the
> following algorithm is used to determine which domain
> controllers register site SRV records that designate them as
> preferred domain controllers in sites that do not have a
> specific domain represented.
>
> For every domain controller in the forest, follow this
> procedure:
>
> 1. Build a list of target sites - sites that
>    have no domain controllers for this domain (the domain of the
>    current domain controller).
>
> 2. Build a list of candidate sites - sites that
>    have domain controllers for this domain.
>
> 3. For every target site, follow these steps:
>
>    * Build a list of candidate sites of
>      which this domain is a member. (If none, do nothing.)
>
>    * Of these, build a list of sites that
>      have the lowest site link cost to the target site. (If none,
>      do nothing.)
>
>    * If more than one, break ties (reduce
>      this list to one candidate site) by choosing the site with
>      the largest number of domain controllers.
>
>    * If more than one, break ties by
>      choosing the site that is first alphabetically.
>
>    * Register target-site-specific SRV
>      records for the domain controllers for this domain in the
>      selected site.
>
> -----Original Message-----
> From: Gil Kirkpatrick
> Sent: Tue 10/29/2002 1:10 PM
> To: '[EMAIL PROTECTED]'
> Cc:
> Subject: RE: [ActiveDir] Sites with no DC
>
> But NETLOGON does create SRV recs to cover DC-less sites if there are sites
> and subnets defined, which is what the original post indicated ("to create
> an empty site (no DCs)for you [sic] subnets")
>
> At least that's how I read it...
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> Sent: Tuesday, October 29, 2002 11:19 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Sites with no DC
>
> Site coverage works exactly as Stuart Kwan explained - without manual
> intervention of the RR records, the actual logins are processed fairly
> randomly - they don't necessarily authenticate to the closest site. It just
> doesn't happen.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
> > Sent: Tuesday, October 29, 2002 12:27 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Sites with no DC
> >
> > Really? What part is not the case? That clients don't authenticate, or that
> > DCs don't publish SRV recs to cover DC-less sites based on cost?
> >
> > My experience has been that site coverage works as advertised.
> >
> > -gil
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > Sent: Tuesday, October 29, 2002 7:43 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Sites with no DC
> >
> > > If you decide "to create an empty site (no DCs)for you subnets", the
> > > autosite coverage algorithm will ensure that clients in that site are
> > > authenticated with a DC in a nearby site. The DCs in the closest site
> > > based on cost will register site-specific SRV records for the empty
> > > site.
> >
> > From experience, I can tell you unequivocally that this is NOT the case. As
> > recently as Win2k SP2.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: Tucker, Mark [mailto:MTucker@;aelita.com]
> > > Sent: Thursday, October 24, 2002 3:20 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Sites with no DC
> > >
> > > I would agree that you want to register the subnets in Sites and
> > > Services.
> > >
> > > If a client attempts to authenticate from a subnet that is not
> > > registered, AD has no way to determine what site the client is in. In
> > > this case, I believe the client will query DNS for all of the DCs in
> > > the domain and then attempt to contact each one in turn. The first
> > > one that replies will be used for authentication.
> > >
> > > If you decide to create an empty site (no DCs)for you subnets, the
> > > autosite coverage algorithm will ensure that clients in that site are
> > > authenticated with a DC in a nearby site. The DCs in the closest site
> > > based on cost will register site-specific SRV records for the empty
> > > site.
> > >
> > > -Mark
> > >
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > > Sent: Thursday, October 24, 2002 9:39 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: [ActiveDir] Sites with no DC
> > >
> > > > Oh, and this all does assume that YOUR network engineers TELL you when
> > > > they put in a whole 'nother group of networks or sub-netted something
> > > > that you already had defined. No, really - I'm not bitter....
> > >
> > > Glad to know that happens elsewhere, too.
> > >
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Inovis - Formerly Harbinger and Extricity
> > > Atlanta, GA
> > >
> > > > -----Original Message-----
> > > > From: Rick Kingslan [mailto:rkingsla@;cox.net]
> > > > Sent: Thursday, October 24, 2002 9:41 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [ActiveDir] Sites with no DC
> > > >
> > > > I'd agree with Roger on this one - unless you don't mind machines in
> > > > Pensacola, FL authenticating in Reno, NV. If we don't have one of our
> > > > subnets defined to some site, we see messages from the Locator
> > > > reporting that some machine at some site with the subnet xx.xx
> > > > couldn't find an associated site. It suggests that you might want
> > > > to create a subnet for it.
> > > >
> > > > If these types of events are rare, or there are a small number of
> > > > un-associated machines, or, if you have boatloads of bandwidth, then
> > > > it might not be a problem.
> > > >
> > > > I'd take chance out of the equation and just create the subnets and
> > > > associate them with your hub until you have a clearer idea of what the
> > > > traffic pattern should be.
> > > >
> > > > Oh, and this all does assume that YOUR network engineers TELL you when
> > > > they put in a whole 'nother group of networks or sub-netted something
> > > > that you already had defined. No, really - I'm not bitter....
> > > >
> > > > Rick Kingslan - Microsoft MVP [Windows NT/2000]
> > > > Microsoft Certified Trainer
> > > > MCSA, MCSE+I - Windows NT / 2000
> > > >
> > > > "Any sufficiently advanced technology
> > > > is indistinguishable from magic."
> > > > --- Arthur C. Clarke
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of
> > > > > Roger Seielstad
> > > > > Sent: Thursday, October 24, 2002 6:59 AM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: RE: [ActiveDir] Sites with no DC
> > > > >
> > > > > From experience, I wouldn't trust the locator to get 'close' very
> > > > > often.
> > > > >
> > > > > During our initial deployment, the WAN team changed the IP pools
> > > > > of our VPN concentrators. After looking through some of the logs
> > > > > on domain controllers, we were seeing a very random distribution
> > > > > of authentication, with some authentication happening 4 WAN hops
> > > > > away, when there were multiple DCs on different local subnets.
> > > > >
> > > > > I'd strongly suggest creating a subnet object for each subnet on
> > > > > your network, and associating each of them with a site.
> > > > >
> > > > > ------------------------------------------------------
> > > > > Roger D. Seielstad - MCSE
> > > > > Sr. Systems Administrator
> > > > > Inovis - Formerly Harbinger and Extricity
> > > > > Atlanta, GA
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Garello, Kenneth [mailto:KGarello@;worcester.edu]
> > > > > > Sent: Wednesday, October 23, 2002 5:07 PM
> > > > > > To: '[EMAIL PROTECTED]'
> > > > > > Subject: RE: [ActiveDir] Sites with no DC
> > > > > >
> > > > > > How much overhead does leaving it up to the locator incur?
> > > > > >
> > > > > > Ken
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
> > > > > > Sent: Wednesday, October 23, 2002 4:37 PM
> > > > > > To: '[EMAIL PROTECTED]'
> > > > > > Subject: RE: [ActiveDir] Sites with no DC
> > > > > >
> > > > > > Hey Don,
> > > > > >
> > > > > > Is this your first post to the list? If so, welcome.
> > > > > >
> > > > > > To answer your question, no you don't have to create a site for
> > > > > > each subnet. You can associate multiple subnets with a single
> > > > > > site. Or you can leave the subnets unassigned, and the DC
> > > > > > locator will do its best to find a DC "close" to the
> > > > > > authenticating PC.
> > > > > >
> > > > > > -gil
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Don Murawski (Lenox)
> > > > > > [mailto:Don.Murawski@;worldtravel.com]
> > > > > > Sent: Wednesday, October 23, 2002 1:02 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [ActiveDir] Sites with no DC
> > > > > >
> > > > > > We have subnets without dc's, do you need to create a
> > > > > > site and subnet in Sites and Services anyway for those sites?
> > > > > >
> > > > > > Don L Murawski
> > > > >
> > > > > List info   : http://www.activedir.org/mail_list.htm
> > > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
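
The site coverage algorithm quoted from the Resource Kit in the thread above, as an added Python sketch that is not part of the original messages: it computes which site's DCs should cover each DC-less site and the site-specific SRV owner name to look for in DNS when verifying coverage. The site names, DC names, costs and the domain `corp.example` are constructed sample data, the cost table is assumed to already hold the lowest site link cost between each pair of sites, and the `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` owner name is the standard DC locator record form rather than something stated in the thread.

```python
# Added example: Resource Kit site coverage algorithm as quoted in the thread.
# All site names, DC names, costs and the domain are constructed sample data.
# Assumption: link_cost holds the lowest site link cost per pair of sites.

def covering_site(target, dcs_by_site, link_cost):
    """Return the candidate site whose DCs cover `target`, or None."""
    # Candidate sites: sites that have DCs for this domain.
    candidates = [s for s, dcs in dcs_by_site.items() if dcs and s != target]
    # Keep only candidates that have a site link cost to the target.
    reachable = [s for s in candidates if frozenset((s, target)) in link_cost]
    if not reachable:
        return None  # "If none, do nothing."
    lowest = min(link_cost[frozenset((s, target))] for s in reachable)
    cheapest = [s for s in reachable
                if link_cost[frozenset((s, target))] == lowest]
    # Tie-break 1: largest number of DCs; tie-break 2: first alphabetically.
    return min(cheapest, key=lambda s: (-len(dcs_by_site[s]), s.lower()))

def expected_coverage(dcs_by_site, link_cost, domain):
    """Map each DC-less site to (covering site, SRV owner name, DC targets)."""
    result = {}
    for site, dcs in dcs_by_site.items():
        if dcs:
            continue  # has its own DCs, so it is not a target site
        cover = covering_site(site, dcs_by_site, link_cost)
        if cover is None:
            continue
        owner = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        result[site] = (cover, owner, sorted(dcs_by_site[cover]))
    return result

# Constructed topology: three sites with DCs, two empty sites.
DCS = {"Atlanta": ["atl-dc1", "atl-dc2"], "Boston": ["bos-dc1", "bos-dc2"],
       "Reno": ["rno-dc1"], "Pensacola": [], "Lenox": []}
COST = {frozenset(("Atlanta", "Pensacola")): 100,
        frozenset(("Boston", "Pensacola")): 100,
        frozenset(("Reno", "Pensacola")): 400,
        frozenset(("Reno", "Lenox")): 200,
        frozenset(("Boston", "Lenox")): 300}

if __name__ == "__main__":
    cov = expected_coverage(DCS, COST, "corp.example")
    for site, (cover, owner, dcs) in cov.items():
        print(f"{site}: covered by {cover}; expect {owner} -> {', '.join(dcs)}")
```

Comparing these expected owner names and targets with the SRV records actually present in the zone is the verification step Mark describes for an empty site.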
