If the DC locator process used the site link costs it would actually make things 
easier, but it doesn't, it uses the DC's SRV record in DNS.
 
Depending on your subnet that you have defined in Sites & Services, the DC's record 
will be added into a site specific SRV record and also a domain wide SRV record. When 
a client tries to authenticate, it searches the site wide SRV records for a DC in its 
own subnet. If it can find one, then great, if not, it tries to contact every DC in 
that site wide SRV list until there are none left. When this happens, it will pick a 
DC at random from the domain wide list which could be on the other side of the world 
or it could be one hop away, the process here is random.
 
So if the DC locator process did use site link costs it would rationalise the process 
a bit and take some of the randomness away. Here is the KB article that explains all. 
http://support.microsoft.com/?id=247811

        -----Original Message----- 
        From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CIT) 
        Sent: Fri 07/05/2004 14:50 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to 
authentication.
        
        

        I am searching for an article that identifies the behavior of how 
authentication DC's are selected based on AD sites.

         

        Here is why.

         

        Our default site cost for all our sites in the hub and spoke architecture is 
10.  

         

        We had a situation where we have a BDC "Domain H that is in Mixed mode" on 
the same network as our Hosted Exchange Servers on "Domain N that is in Native 
Mode".

        The Exchange Servers managed to establish a secure channel with the DC's of 
"Domain H" AD PDC which is located in a different site from the Hosted Exchange 
Servers and "Domain H's BDC".

        When the Domain Admin of H moved one of their servers to a Site starting 
with A, we saw the secure channel get changed to the site with an A in it.

         

        So our suspicions are as follows.

         

        We believe authentication is served locally if possible (Meaning on the same 
subnet).

        If there are no local DC's and the domain is in mixed mode, it will use 
sites based on cost.

        If there are multiple sites to choose from, it will then select a site based on 
its order in AD Sites & Services.

         

        The reason why is that we moved the DC back to a site lower in the site list 
and it changed to secure channel.

         

        Thanks,

         

        Todd
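
Added example, not part of either message in this thread: a PowerShell check that lists the site-specific and domain-wide SRV records discussed above next to the DC that Netlogon actually locates for the client. The domain name is a placeholder, and the script assumes a domain-joined Windows host where nltest.exe and Resolve-DnsName are available.

```powershell
# Added example (not from the thread). Assumptions: a domain-joined Windows
# host with nltest.exe and Resolve-DnsName; 'example.corp' is a placeholder.
param([string]$Domain = 'example.corp')

function Get-DcSrv([string]$Name) {
    # SRV answers for one locator name; empty if the name does not resolve.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight
}

# Ask Netlogon which DC it locates for the domain and keep the fields we need.
$located = @{}
foreach ($line in (nltest "/dsgetdc:$Domain" 2>$null)) {
    if ($line -match '^\s*(DC|Dc Site Name|Our Site Name):\s*(.+)$') {
        $located[$Matches[1]] = $Matches[2].Trim().TrimStart('\')
    }
}
$ourSite = $located['Our Site Name']
$dcSite  = $located['Dc Site Name']
$dcName  = $located['DC']

# Domain-wide list, then the list registered for the client's own site.
$domainWide = @(Get-DcSrv "_ldap._tcp.dc._msdcs.$Domain")
$siteWide = @()
if ($ourSite) {
    $siteWide = @(Get-DcSrv "_ldap._tcp.${ourSite}._sites.dc._msdcs.$Domain")
}

"Client site       : $ourSite"
"Located DC        : $dcName (site: $dcSite)"
"Site SRV targets  : $($siteWide.NameTarget -join ', ')"
"Domain SRV targets: $($domainWide.NameTarget -join ', ')"

if (-not $ourSite) {
    Write-Warning 'Client maps to no site: check the subnet definitions in Sites & Services.'
} elseif ($siteWide.Count -eq 0) {
    Write-Warning "No site-specific SRV records for '$ourSite'; only the domain-wide list is available."
} elseif ($dcSite -ne $ourSite) {
    Write-Warning "Located DC is in site '$dcSite', not the client's site '$ourSite'."
}
```

Running it on a member server before and after a DC is moved between sites shows whether the change in secure channel partner lines up with a change in the site-specific SRV list.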
