A few things Joe didn’t mention that I bet are very related, or that I’d slightly correct:

0) Once a domain is upgraded from NT4 to Windows 200X (0 or 3), even in 2k mixed mode, 2k+ clients will preferentially select 2k+ DCs. I mention this as you used the term BDC to describe DCs in the hub sites, and that tells me they are NT4. If they are NT4, the 2k+ clients will prefer 2k+ DCs. For info on this, search KB for “piling on” scenarios or some other such terms. It is typically referred to as PDCe piling-on scenarios.

1) When a domain goes from 2k mixed to either 2k native or 2k03 functional, we have a GC dependency on logon. That is, even if you have a remote 2k DC in the hub site that is not a GC, a GC elsewhere will be consulted to crack group memberships. This is why you would want to either a) make it a GC, b) go to 2k03 and use universal group caching, or c) set nogclogon. That’s my order of preference for those choices.

2) You explicitly used the term “secure channel”, which has nothing to do with Exchange’s

This should all be documented in KB, somewhere.....

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I see it looks like you have your answers, but I wanted to put this in fairly short, hopefully simple terms.
The client really isn't too involved in selecting the DC it should use; it follows a basic system. If the client knows its site, it will simply query for the proper SRV records for that site. It will UDP ping what is returned, and if the response back is “hey, you are from a different site”, it will readjust and ask for the SRV records for its correct site. If it can't find any responding DCs in its site, it will ask for the global domain records and take ANY DC in the domain.

All the hard work is in the DCs figuring out which sites to register DNS records for; this is based on site link metrics and other things that you associate with replication topology. You have the deep tech answers there, but the basics here are: if a site isn't covered for a specific domain, the closest DC for that domain based on site link costs will publish records to get it covered. This can be impacted, I believe, if you have site link bridging disabled though. Your assumption that, all things being equal, the coverage is decided by alphabetical sorting matches the experience I have had.

Keep in mind Exchange does some interesting things too though. For secure channel it *should* do the normal stuff like any W2K+ machine, but for DSACCESS all bets are off. It does its own figuring of things out based on reading the config container. This should work out to be the same (or very close) to what you get with normal means through DNS, but you can't guarantee it. For instance, if you have a scavenging issue in AD, DCs that should no longer be in a DNS list for a site could still be there, but that wouldn't impact Exchange because it doesn't look much at DNS for DSACCESS.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)

I am searching for an article that identifies the behavior of how authentication DCs are selected based on AD sites. Here is why.

Our default site cost for all our sites in the hub and spoke architecture is 10. We had a situation where we have a BDC of “Domain H”, which is in Mixed mode, on the same network as our Hosted Exchange Servers of “Domain N”, which is in Native mode. The Exchange Servers managed to establish a secure channel with the DCs of “Domain H”, the AD PDC, which is located in a different site from the Hosted Exchange Servers and “Domain H’s BDC”. When the Domain Admin of H moved one of their servers to a site starting with A, we saw the secure channel get changed to the site with an A in it.

So our suspicions are as follows. We believe authentication is served locally if possible (meaning on the same subnet). If there are no local DCs and the domain is in mixed mode, it will use sites based on cost. If there are multiple sites to choose from, it will then select a site based on its order in AD Sites & Services. The reason why is that we moved the DC back to a site lower in the site list and the secure channel changed.

Thanks,
Todd
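A way to confirm, from the Exchange server itself, what joe’s description of the locator predicts and what Todd observed: which DCs have registered site-specific SRV records for the client’s site, which DC the Netlogon locator returns, and which DC currently holds the secure channel. This is an added example written for this page, not code from any of the posters; the domain name, site name and parameter names are placeholders. It uses nltest.exe and the Resolve-DnsName cmdlet (DnsClient module).

```powershell
# Added example, not from the thread. Placeholder names: replace the domain
# and site with your own. Run from the Exchange server (or any domain-joined
# 2k+ client) whose DC choice you are trying to explain.
param(
    [string]$Domain = 'h.example.com',   # assumed placeholder for "Domain H"
    [string]$Site   = ''                 # empty = use this machine's own site
)

# 1. The site this machine believes it is in, derived from its subnet.
if (-not $Site) {
    $Site = (nltest /dsgetsite | Select-Object -First 1).Trim()
}
"Client site: $Site"

# 2. Site-specific SRV records. A DC appears here if it sits in the site or
#    has auto-site-covered it (lowest site-link cost, then name order).
$siteSrv = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
"`nDCs registered for $siteSrv"
Resolve-DnsName -Name $siteSrv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 3. Domain-wide records: the fallback when no DC for the site answers the
#    LDAP (UDP 389) ping; any DC in the domain may be chosen from this list.
$domainSrv = "_ldap._tcp.dc._msdcs.$Domain"
"`nAll DCs registered for $domainSrv"
Resolve-DnsName -Name $domainSrv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Format-Table NameTarget, Priority, Weight -AutoSize

# 4. What the DC locator actually returns right now (/force bypasses the
#    cached answer), and which DC currently holds this machine's secure channel.
"`nLocator result:"
nltest /dsgetdc:$Domain /force
"`nSecure channel:"
nltest /sc_query:$Domain

# 5. In a mixed-mode domain that still has NT4 BDCs, 2k+ clients prefer 2k+
#    DCs, so load tends to land on the PDC emulator; show where that is.
"`nPDC emulator:"
nltest /dsgetdc:$Domain /pdc
```

If the DC named by /sc_query is not in the site-specific list from step 2 but is in the domain-wide list from step 3, the client fell back to the domain-wide records, which is the “no responding DC in my site” path joe describes. Note that this only shows what DNS and the Netlogon locator say; per joe’s caveat, Exchange’s DSACCESS reads the config container instead, so a different DC choice there is not by itself a DNS problem.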
