Thanks all for the excellent discussion of this - all of this was born out of clients at a remote site not finding the local DC, which I assume was under some sort of load causing it not to respond in a timely manner.

GT

----- Original Message -----
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 03, 2004 8:33 AM
Subject: RE: [ActiveDir] logon server discovery

> Bob pointed out all there was to say to the original post, but some useful
> information to add in the whole DC-failover scenario is: how long does a DC
> wait itself before calculating additional connection objects, in case the
> original replication partner doesn't react and it needs to look for another
> partner?
>
> There are various settings that can be configured to adapt appropriately to
> a company's infrastructure, configured in the Registry of each DC:
>
> KCC site generator fail-over (minutes) => how long after the last ISTG update
> a DC will wait before nominating a new ISTG
>
> KCC site generator renewal interval (minutes) => how often the ISTG updates
> its role information (not used when in W2K3 forest mode for the new ISTG
> algorithm)
>
> CriticalLinkFailuresAllowed => number of critical link failures the KCC will
> tolerate before recomputing the topology
>
> MaxFailureTimeForCriticalLink (sec) => time a critical link may be down
> before the KCC will recompute the topology
>
> NonCriticalLinkFailuresAllowed => number of non-critical link failures the
> KCC will tolerate before recomputing the topology
>
> MaxFailureTimeForNonCriticalLink (sec) => time a non-critical link may be
> down before the KCC will recompute the topology
>
> IntersiteFailuresAllowed => number of intersite link failures before the
> ISTG will recompute the intersite topology
>
> MaxFailureTimeForIntersiteLink (sec) => time an intersite link may be down
> before the ISTG will recompute the intersite topology
>
> I'm actually not sure which key these have to be configured in (I believe it's
> HKLM\Sys\CCS\Services\Netlogon\Parameters).
>
> /Guido
>
> -----Original Message-----
> From: Free, Bob [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 3 February 2004 08:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] logon server discovery
>
> joe <mailto:[EMAIL PROTECTED]> wrote:
> > No one seems to be jumping on this with any authoritative answers, I
> > was hoping Guido or Dean would nail it as I was looking to learn
> > something. :o)
>
> I'm hardly authoritative, but here is what I've picked up on the subject :-)
>
> Blatantly plagiarized from Gil's awesome March 2003 Authentication
> Topology paper -
> http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 or
> http://www.netpro.com/forum/files/Authentication_Topology.pdf
>
> The DNS service responds with a list of SRV records that correspond to
> all the DCs in the client's domain. The client takes the records with
> the lowest-priority value and issues an AD ping (which is actually an
> LDAP-over-UDP query) to each DC in turn. If a DC doesn't respond within
> a tenth of a second, the client tries the next DC, and so on, until a DC
> responds.
>
> When a DC receives an AD ping from a client, the DC calculates two
> crucial pieces of information before sending a response. First, the DC
> determines the site closest to the client; to do so, the DC compares the
> IP address in the request packet with an in-memory data structure that
> contains the site and subnet associations defined in AD's site objects.
> The DC also determines whether it's in the site closest (from an IP
> topology point of view) to the client's site. The DC sends this
> information and the name of the responding DC's site in a UDP response
> to the client.
>
> When the client receives this response, it determines whether the
> responding DC is in the site closest to its site. If so, the client
> saves the returned client site name in the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> registry subkey's DynamicSiteName entry and uses that DC for further
> domain-authentication requests. If the DC response indicates that the DC
> isn't in the site closest to the client's site, the client returns to
> DNS to find a DC in the closest site. This time, because the client
> knows its site name, it queries DNS for _ldap SRV records in the
> _tcp.sitename.sites.dc._msdcs.domainname domain. DNS responds with a
> list of SRV records for DCs in the specified site. The client again
> selects those SRV records with the lowest priority and issues AD pings
> to each in turn until one responds within a tenth of a second.
>
> Sean Deuby had a related article in the December 2003 issue I've been
> reading over the weekend -
>
> Designing for DC Failover - How to create the best AD site topology
> possible
> http://www.winnetmag.com/Windows/Article/ArticleID/40718/40718.html
>
> As far as the timeout value, he repeats the 100ms value for W2K and goes
> on to say that in 2003 the client waits 400ms between queries for the
> first 5 DCs, then 200ms between the next 5, then 100ms for the remaining
> DCs in the list.
> He further explains the various site coverage scenarios quite well in
> the article.
>
> Between the two articles the subjects are covered very handsomely...
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Monday, February 02, 2004 8:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] logon server discovery
> >
> > As we all know to death by now, local logon server discovery is by
> > determination of the DNS RRs for a DC in a computer's own site.
> >
> > qu. how does the client resolve the scenario of a response not being
> > received in a timely fashion?
> >
> > what is the timeout value for a client not to receive a response from
> > a local DC before it then goes "elsewhere"?
> >
> > have read about the concept of an AD "ping" - does this use ICMP?
> >
> > GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
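The locator sequence that Bob's quoted summary describes (lowest-priority SRV records, an LDAP-over-UDP ping to each DC in turn with a per-DC timeout, then a second site-specific DNS query once the client learns its site name) is easier to reason about when the loop is written out. The following is an added simulation, not code from the thread or from Microsoft's Netlogon: DNS and the AD ping are stubbed with constructed data for a made-up domain corp.example with sites HQ and Branch, the timeout ladder uses the 100 ms / 400-200-100 ms figures quoted above, and the site-specific SRV name is written as `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`, which is how that record is actually registered. The fallback to the already-responding DC when no DC in the closest site answers is a simplification I have assumed, not something the thread states. The sample models Graham's scenario: a branch DC that is up but too slow to answer inside the ping window.

```python
"""Offline simulation of the DC locator loop discussed in the thread.
Added example; DNS and the LDAP-over-UDP 'AD ping' are stubbed so it runs
without a domain. Sample data below is constructed, not captured."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class SrvRecord:
    target: str
    priority: int
    weight: int
    port: int = 389


@dataclass
class PingReply:
    dc_site: str       # site of the responding DC
    client_site: str   # site the DC mapped the client's source IP to
    closest: bool      # DC claims to be in the site closest to the client


def order_candidates(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Lowest priority first; within one priority, RFC 2782 weighted random order."""
    rng = rng or random.Random(0)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick, running = rng.randint(0, sum(r.weight for r in bucket)), 0
            for rec in bucket:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            bucket.remove(rec)
    return ordered


def ping_timeout_ms(attempt: int, client: str = "w2k3") -> int:
    """Per-DC wait before moving on, as quoted in the thread: 100 ms on Windows 2000;
    on 2003, 400 ms for the first five DCs, 200 ms for the next five, then 100 ms."""
    if client == "w2k":
        return 100
    return 400 if attempt < 5 else 200 if attempt < 10 else 100


Resolve = Callable[[str], List[SrvRecord]]
Ping = Callable[[str, int], Optional[PingReply]]


@dataclass
class LocateResult:
    dc: Optional[str]
    site: Optional[str]                      # what the client would store as DynamicSiteName
    attempts: List[Tuple[str, int, bool]]    # (dc, timeout_ms, answered_in_time)


def _try_each(records, ping, client, attempts) -> Tuple[Optional[SrvRecord], Optional[PingReply]]:
    for attempt, rec in enumerate(order_candidates(records)):
        timeout = ping_timeout_ms(attempt, client)
        reply = ping(rec.target, timeout)
        attempts.append((rec.target, timeout, reply is not None))
        if reply is not None:
            return rec, reply
    return None, None


def locate_dc(domain: str, resolve: Resolve, ping: Ping, client: str = "w2k3") -> LocateResult:
    attempts: List[Tuple[str, int, bool]] = []
    rec, reply = _try_each(resolve(f"_ldap._tcp.dc._msdcs.{domain}"), ping, client, attempts)
    if rec is None:
        return LocateResult(None, None, attempts)
    if reply.closest:
        return LocateResult(rec.target, reply.client_site, attempts)
    # Responder is not in our closest site, but it told us our site name:
    # go back to DNS for the site-specific SRV records and ping those.
    site_query = f"_ldap._tcp.{reply.client_site}._sites.dc._msdcs.{domain}"
    site_rec, _ = _try_each(resolve(site_query), ping, client, attempts)
    # Assumption (not from the thread): if no DC in the closest site answers in
    # time, keep the DC that did answer instead of failing the logon.
    return LocateResult((site_rec or rec).target, reply.client_site, attempts)


def make_env(branch_latency_ms: int) -> Tuple[Resolve, Ping]:
    """Constructed sample: three priority-0 DCs plus a priority-10 DR DC; the
    branch DC answers after branch_latency_ms (900 = under load, 300 = healthy)."""
    srv = {
        "_ldap._tcp.dc._msdcs.corp.example": [
            SrvRecord("hq-dc1.corp.example", 0, 100),
            SrvRecord("hq-dc2.corp.example", 0, 100),
            SrvRecord("branch-dc1.corp.example", 0, 100),
            SrvRecord("dr-dc1.corp.example", 10, 100),  # only tried if every priority-0 DC fails
        ],
        "_ldap._tcp.Branch._sites.dc._msdcs.corp.example": [SrvRecord("branch-dc1.corp.example", 0, 100)],
    }
    dcs = {  # target -> (simulated response latency in ms, reply content)
        "hq-dc1.corp.example": (20, PingReply("HQ", "Branch", False)),
        "hq-dc2.corp.example": (25, PingReply("HQ", "Branch", False)),
        "branch-dc1.corp.example": (branch_latency_ms, PingReply("Branch", "Branch", True)),
        "dr-dc1.corp.example": (60, PingReply("DR", "Branch", False)),
    }

    def resolve(name: str) -> List[SrvRecord]:
        return list(srv.get(name, []))

    def ping(target: str, timeout_ms: int) -> Optional[PingReply]:
        latency, reply = dcs[target]
        return reply if latency <= timeout_ms else None  # no answer inside the window = skipped

    return resolve, ping


if __name__ == "__main__":
    for latency in (900, 300):
        result = locate_dc("corp.example", *make_env(latency))
        print(f"branch DC latency {latency} ms -> using {result.dc}, site {result.site}")
        for dc, timeout, ok in result.attempts:
            print(f"  ping {dc:26s} timeout {timeout:3d} ms  {'answered' if ok else 'no reply'}")
```

Run as a script it prints the ping-by-ping trace for both cases: with the branch DC at 900 ms the client learns its site is Branch, re-queries the site-specific record, still gets no answer inside 400 ms, and ends up authenticating against an HQ DC; at 300 ms the same sequence ends on branch-dc1. Swapping `client="w2k"` into the `locate_dc` call shows the older 100 ms window failing the branch DC even at 300 ms.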
