Well if they are standard plain jane NT4 (i.e. no dsclient) then they will do everything through some form of pass-through authentication like they do in NT4, i.e. the machine comes up, the workstation authenticates its machine account to a DC of the domain it is a member of by looking up the 1C record in WINS, finding it in lmhosts, or finding it via broadcast (order could be different depending on node type). Once authenticated, all authentication attempts except for local id logon will be forced through that secure channel. If the user and machine are in the same domain, the authentication attempt will be handled by the DC that authenticated the machine; if they are different, the DC will chase through its secure channel to a DC of the trusted domain that it had previously set up a secure channel for.
 
I am unsure how dsclient will impact the authentication process on an NT4 machine as I have not really dug into it.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, May 12, 2004 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

Eric or Joe,
 
Who do NT4 clients select to log on in a mixed mode environment?
 
Rocky Habeeb
____________________________________________
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 12, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

A few things Joe didn’t mention that I bet are very related or that I’d slightly correct:

0) Once a domain is upgraded from NT4 to Windows 200X (0 or 3), even in 2k mixed mode, 2k+ clients will preferentially select 2k+ DCs. I mention this as you used the term BDC to describe DCs in the hub sites, and that tells me they are NT4. If they are NT4, the 2k+ clients will prefer 2k+ DCs. For info on this, search KB for piling on scenarios or some other such terms. It is referred to as PDCe piling on scenarios typically.

1) When a domain goes from 2k mixed to either 2k native or 2k03 functional we have a GC dependency on logon. That is, even if you have a remote 2k DC in the hub site that is not a GC, a GC elsewhere will be consulted to crack group memberships. This is why you would either want to a) make it a gc b) go to 2k03 and use universal group caching c) set nogclogon. That’s my order of preference for those choices.

2) You explicitly used the term “secure channel” which has nothing to do with Exchange’s DSAccess DC selection methodology. So that should be unrelated, unless you used the term secure channel when you didn’t mean secure channel. ;)

This should all be documented in KB, somewhere.....

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 12, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

I see it looks like you have your answers but I wanted to put this in fairly short, hopefully simple terms.

The client really isn't too involved in selecting the DC it should use; it follows a basic system.

If the client knows its site, it will simply query for the proper SRV records for that site. It will UDP ping what is returned and if the response back is "hey, you are from a different site", it will readjust and ask for the SRV records for its correct site. If it can't find any responding DCs in its site, it will ask for the global domain records and take ANY DC in the domain.

All the hard work is in the DCs figuring out which sites to register DNS records for; this is based on site link metrics and other things that you associate with replication topology. You have the deep tech answers there but the basics here are: if a site isn't covered for a specific domain, the closest DC for that domain based on site link costs will publish records to get it covered. This can be impacted, I believe, if you have site link bridging disabled though. Your assumption that what does the coverage, all things being equal, is the alphabetical sorting of things matches with experience I have had.

Keep in mind Exchange does some interesting things too though. For secure channel it *should* do the normal stuff like any W2K+ machine, but for DSACCESS all bets are off. It does its own figuring of things out based on reading the config container. This should work out to be the same (or very close) to what you get with normal means through DNS but you can't guarantee it. For instance if you have a scavenging issue in AD, DCs that should no longer be in a DNS list for a site could still be, but that wouldn't impact Exchange because it doesn't look much at DNS for DSACCESS.

   joe
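The coverage rule Joe describes above (the closest DC-bearing site by summed site link cost publishes records for an uncovered site, ties falling to alphabetical order, and site link bridging changing what counts as reachable), as an added Python example that is not code from this thread; the site names, link costs and DC placement are constructed to mirror Todd's hub-and-spoke with every link at cost 10:

```python
import heapq
from collections import defaultdict

# Constructed hub-and-spoke topology, every site link at cost 10 as in Todd's post.
# Tuples are (site_a, site_b, cost); links are bidirectional.
SITE_LINKS = [
    ("Hub", "Alpha", 10),
    ("Hub", "Exchange", 10),
    ("Hub", "Zulu", 10),
]

def site_distances(links, origin, bridge_all=True):
    """Cheapest site-link cost from `origin` to each reachable site.
    Bridging on: costs add across links (plain Dijkstra over the site graph).
    Bridging off: only sites with a direct link to `origin` are reachable."""
    graph = defaultdict(list)
    for a, b, cost in links:
        graph[a].append((b, cost))
        graph[b].append((a, cost))
    if not bridge_all:
        return {origin: 0, **{nbr: cost for nbr, cost in graph[origin]}}
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue  # stale heap entry
        for nbr, cost in graph[site]:
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist

def covering_site(links, dc_sites, uncovered, bridge_all=True):
    """Which DC-bearing site publishes site-specific SRV records for `uncovered`.
    A site with its own DC for the domain covers itself; otherwise the lowest
    cost wins and equal costs fall back to alphabetical site name, the ordering
    the thread reports seeing. Returns None if no DC-bearing site is reachable."""
    if uncovered in dc_sites:
        return uncovered
    dist = site_distances(links, uncovered, bridge_all)
    candidates = [(dist[s], s) for s in dc_sites if s in dist]
    if not candidates:
        return None
    return min(candidates)[1]  # tuple ordering: cost first, then name

# Domain H has DCs in Zulu and Alpha, both cost 20 from the Exchange site: Alpha wins.
if __name__ == "__main__":
    print(covering_site(SITE_LINKS, {"Zulu", "Alpha"}, "Exchange"))  # Alpha
```

Moving a DC into a site that sorts earlier, with no cost change, is enough to flip the covering site, which is the behaviour Todd observed.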
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, May 07, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

I am searching for an article that identifies the behavior of how authentication DCs are selected based on AD sites.

Here is why.

Our default site cost for all our sites in the hub and spoke architecture is 10.

We had a situation where we have a BDC “Domain H that is in Mixed mode” on the same network as our Hosted Exchange Servers on “Domain N that is in Native Mode”.

The Exchange Servers managed to establish a secure channel with the DCs of “Domain H” AD PDC, which is located in a different site from the Hosted Exchange Servers and “Domain H’s BDC”.

When the Domain Admin of H moved one of their servers to a site starting with A, we saw the secure channel get changed to the site with an A in it.

So our suspicions are as follows.

We believe authentication is served locally if possible (meaning on the same subnet).

If there are no local DCs and the domain is in mixed mode, it will use sites based on cost.

If there are multiple sites to choose from, it will then select a site based on its order in AD Sites & Services.

The reason why is that we moved the DC back to a site lower in the site list and it changed the secure channel.

Thanks,

Todd