After hearing issues with GC cracking I would set my
preferences with c,a,b - a,c,b if you use Uni's heavily. If you use
Uni's for deny, you must do a or limit the Uni's you are doing denies with to
the domain the user is actually in.

I agree with the others though with Exchange, the stuff
DSACCESS picks is extremely important, probably more so than what the Exchange
server picks for a secure channel as a majority of the chatter will be through
what DSACCESS has chosen.

joe
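joe's preference order and his deny-group caveat both depend on which of Eric's three options (GC in the site, universal group caching, nogclogon) is actually in place for a given site. The PowerShell below is an added example, not code from this thread; it assumes RSAT's ActiveDirectory module, WinRM access to the DCs, and that IgnoreGCFailures is the registry value behind "nogclogon".

```powershell
# Added example (not from the thread). Audits, per site, which answer to the
# GC-on-logon dependency is in place: a) a GC in the site, b) universal group
# membership caching on the site's NTDS Site Settings, c) IgnoreGCFailures
# ("nogclogon") on the site's DCs. Assumes RSAT's ActiveDirectory module and
# WinRM access to each DC for the registry check.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

foreach ($site in Get-ADReplicationSite -Filter *) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })

    # a) Is any DC in this site a global catalog?
    $hasGc = [bool]($siteDcs | Where-Object { $_.IsGlobalCatalog })

    # b) Universal group membership caching is bit 0x20 of the 'options'
    #    attribute on the site's NTDS Site Settings object.
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
    $ugmc = ((($settings.options -as [int]) -band 0x20) -ne 0)

    # c) IgnoreGCFailures = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa lets a
    #    DC log users on without a GC; universal group SIDs are then missing from
    #    the token, which is why deny-universal groups stop being enforced.
    $noGcLogon = @(foreach ($dc in $siteDcs) {
        $v = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
        }
        if ($v -eq 1) { $dc.HostName }
    })

    [pscustomobject]@{
        Site        = $site.Name
        DCs         = $siteDcs.Count
        GcInSite    = $hasGc
        UgmcEnabled = $ugmc
        IgnoreGcOn  = ($noGcLogon -join ',')
        Exposure    = if ($siteDcs.Count -eq 0) { 'no DC in site' }
                      elseif ($hasGc -or $ugmc) { 'covered' }
                      elseif ($noGcLogon.Count -gt 0) { 'logon works, deny-universal groups not enforced' }
                      else { 'logon depends on a remote GC' }
    }
}
```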
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Wednesday, May 12, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

A few things Joe didn’t mention that I bet are very related or that I’d slightly correct:

0) Once a domain is upgraded from NT4 to Windows 200X (0 or 3), even in 2k mixed mode, 2k+ clients will preferentially select 2k+ DCs. I mention this as you used the term BDC to describe DCs in the hub sites, and that tells me they are NT4. If they are NT4, the 2k+ clients will prefer 2k+ DCs. For info on this, search KB for piling on scenarios or some other such terms. It is referred to as PDCe piling on scenarios typically.

1) When a domain goes from 2k mixed to either 2k native or 2k03 functional we have a GC dependency on logon. That is, even if you have a remote 2k DC in the hub site that is not a GC, a GC elsewhere will be consulted to crack group memberships. This is why you would either want to a) make it a GC, b) go to 2k03 and use universal group caching, or c) set nogclogon. That’s my order of preference for those choices.

2) You explicitly used the term “secure channel” which has nothing to do with Exchange’s

This should all be documented in KB, somewhere.....

~Eric

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

I see it looks like you have your answers but I wanted to put this in fairly short hopefully simple terms.

The client really isn't too involved in selecting the DC it should use, it follows a basic system. If the client knows its site, it will simply query for the proper SRV records for that site. It will UDP ping what is returned and if the response back is, hey you are from a different site, it will readjust and ask for the SRV records for its correct site. If it can't find any responding DCs in its site, it will ask for the global domain records and take ANY DC in the domain.

All the hard work is in the DCs figuring out which sites to register DNS records for, this is based on site link metrics and other things that you associate with replication topology. You have the deep tech answers there but the basics here are if a site isn't covered for a specific domain, the closest DC for that domain based on site link costs will publish records to get it covered. This can be impacted I believe if you have site link bridging disabled though. Your assumption that what does the coverage, all things being equal, is the alphabetical sorting of things matches the experience I have had.

Keep in mind Exchange does some interesting things too though. For secure channel it *should* do the normal stuff like any W2K+ machine, but for DSACCESS all bets are off. It does its own figuring of things out based on reading the config container. This should work out to be the same (or very close) to what you get with normal means through DNS but you can't guarantee it. For instance if you have a scavenging issue in AD, DCs that should no longer be in a DNS list for a site could still be but that wouldn't impact Exchange because it doesn't look much at DNS for DSACCESS.

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)

I am searching for an article that identifies the behavior of how authentication DCs are selected based on AD sites. Here is why.

Our default site cost for all our sites in the hub and spoke architecture is 10.

We had a situation where we have a BDC “Domain H that is in Mixed mode” on the same network as our Hosted Exchange Servers on “Domain N that is in Native Mode”. The Exchange Servers managed to establish a secure channel with the DCs of “Domain H” AD PDC which is located in a different site from the Hosted Exchange Servers and “Domain H’s BDC”. When the Domain Admin of H moved one of their servers to a site starting with A, we saw the secure channel get changed to the site with an A in it.

So our suspicions are as follows. We believe authentication is served locally if possible (meaning on the same subnet). If there are no local DCs and the domain is in mixed mode, it will use sites based on cost. If there are multiple sites to choose from, it will then select a site based on its order in AD Sites & Services. The reason why is that we moved the DC back to a site lower in the site list and it changed the secure channel.

Thanks,
Todd
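The locator steps joe describes (site-specific SRV records first, then the domain-wide records) and Todd's question about which DC ends up covering a site can be checked directly against DNS. The PowerShell below is an added example, not code from this thread; it assumes RSAT's ActiveDirectory module, the DnsClient module (Resolve-DnsName), and placeholder domain and site names supplied by the reader.

```powershell
# Added example, not from the thread. Reproduces the DNS side of the DC locator
# joe describes: site-specific SRV records first, domain-wide records as the
# fallback, and marks DCs that publish for the site from elsewhere (automatic
# site coverage). The LDAP UDP ping that follows the lookup is not reproduced.
# Assumes RSAT's ActiveDirectory module and the DnsClient module (Resolve-DnsName).
param(
    [Parameter(Mandatory)] [string] $Domain,   # DNS name of the domain (placeholder)
    [Parameter(Mandatory)] [string] $Site      # site name as in AD Sites & Services
)
Import-Module ActiveDirectory

function Get-DcSrvTargets {
    # Host names behind an SRV name, ordered as a client would try them.
    param([string] $Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Select-Object -ExpandProperty NameTarget
    } catch { @() }
}

# Map each DC to the site it actually lives in, so that a DC appearing in
# another site's records can be recognised as coverage rather than membership.
$siteOf = @{}
Get-ADDomainController -Filter * -Server $Domain |
    ForEach-Object { $siteOf[$_.HostName.ToLower()] = $_.Site }

# Step 1: the records a client that knows its site asks for first.
$targets = @(Get-DcSrvTargets "_ldap._tcp.$Site._sites.dc._msdcs.$Domain")
$source  = 'site-specific'

# Step 2: nothing registered for the site, so any DC in the domain will do.
if ($targets.Count -eq 0) {
    $targets = @(Get-DcSrvTargets "_ldap._tcp.dc._msdcs.$Domain")
    $source  = 'domain-wide'
}

foreach ($t in $targets) {
    $dcHost = $t.TrimEnd('.').ToLower()
    $dcSite = $siteOf[$dcHost]
    $note = if ($source -ne 'site-specific') { 'no DC covers this site for this domain' }
            elseif ($dcSite -eq $Site) { 'in site' }
            else { "covering from site '$dcSite'" }
    [pscustomobject]@{ DC = $dcHost; Site = $dcSite; Source = $source; Note = $note }
}
```

A DC listed as "covering from site" is the one the site link costs (or, with equal costs, the ordering Todd observed) selected to publish records for that site; a stale entry left behind by a scavenging problem will show up here too, which is the DNS view joe notes DSACCESS does not rely on.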
