Do you know of a way to use a GPO (possibly through an ADM addin) to enable this setting?

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: LIKELY ADV: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

In a hub/spoke situation, you can always tell the DCs in the 'spoke' sites to NOT register "domain-wide" SRV records. That way, if a machine is unable to find a DC in the site-wide SRV records for its site, and goes to the domain-wide list, it will find only DCs in the 'hub' site, which is probably what one would want. This has worked very well for us.

This config is detailed very well in the Branch Office Deployment Guide (at least in the Win2K version - I haven't read through the W2K3 one yet).

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 07, 2004 9:08 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: LIKELY ADV: RE: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

If the DC locator process used the site link costs it would actually make things easier, but it doesn't, it uses the DC's SRV record in DNS. Depending on your subnet that you have defined in Sites & Services, the DC's record will be added into a site specific SRV record and also a domain wide SRV record.

When a client tries to authenticate, it searches the site wide SRV records for a DC in its own subnet. If it can find one, then great, if not, it tries to contact every DC in that site wide SRV list until there are none left. When this happens, it will pick a DC at random from the domain wide list which could be on the other side of the world or it could be one hop away, the process here is random.

So if the DC locator process did use site link costs it would rationalise the process a bit and take some of the randomness away.

Here is the kb article that explains all.
http://support.microsoft.com/?id=247811

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CIT)
Sent: Fri 07/05/2004 14:50
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Need to confirm a behavior in AD Sites as it pertains to authentication.

I am searching for an article that identifies the behavior of how authentication DC's are selected based on AD sites.

Here is why. Our default site cost for all our sites in the hub and spoke architecture is 10. We had a situation where we have a BDC "Domain H that is in Mixed mode" on the same network as our Hosted Exchange Servers on "Domain N that is in Native Mode". The Exchange Servers managed to establish a secure channel with the DC's of "Domain H" AD PDC which is located in a different site from the Hosted Exchange Servers and "Domain H's BDC". When the "Domain Admin of H" moved one of their servers to a Site starting with A, we saw the secure channel get changed to the site with an A in it.

So our suspicions are as follows. We believe authentication is served locally if possible (meaning on the same subnet). If there are no local DC's and the domain is in mixed mode, it will use sites based on cost. If there are multiple sites to choose from, it will then select a site based on its order in AD Sites & Services. The reason why is that we moved the DC back to a site lower in the site list and it changed the secure channel.

Thanks,

Todd

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
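
Added example, not part of the original thread: a Python check over a constructed dump of DC locator SRV records that reports spoke-site DCs still present in the domain-wide list, the condition the hub/spoke advice in the thread is meant to avoid. The domain `corp.example`, the site names and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample SRV records (owner name ... target host); not real data.
SAMPLE_SRV = """\
_ldap._tcp.Hub._sites.dc._msdcs.corp.example.    SRV 0 100 389 hubdc1.corp.example.
_ldap._tcp.Hub._sites.dc._msdcs.corp.example.    SRV 0 100 389 hubdc2.corp.example.
_ldap._tcp.SpokeA._sites.dc._msdcs.corp.example. SRV 0 100 389 spokea-dc1.corp.example.
_ldap._tcp.SpokeB._sites.dc._msdcs.corp.example. SRV 0 100 389 spokeb-dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example.               SRV 0 100 389 hubdc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example.               SRV 0 100 389 hubdc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example.               SRV 0 100 389 spokeb-dc1.corp.example.
"""

SITE_RE = re.compile(r"^_ldap\._tcp\.([^.]+)\._sites\.dc\._msdcs\.(.+)$", re.I)
WIDE_RE = re.compile(r"^_ldap\._tcp\.dc\._msdcs\.(.+)$", re.I)

def parse_srv(text):
    """Return (site -> set of DCs, set of DCs registered domain-wide)."""
    by_site, domain_wide = {}, set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1].upper() != "SRV":
            continue  # skip blanks and anything that is not an SRV line
        owner, target = fields[0].rstrip("."), fields[5].rstrip(".").lower()
        site = SITE_RE.match(owner)
        if site:
            by_site.setdefault(site.group(1), set()).add(target)
        elif WIDE_RE.match(owner):
            domain_wide.add(target)
    return by_site, domain_wide

def spoke_dcs_in_domain_wide(text, hub_sites):
    """DCs outside the hub sites that still publish a domain-wide record."""
    by_site, domain_wide = parse_srv(text)
    hubs = {s.lower() for s in hub_sites}
    return sorted(
        (site, dc)
        for site, dcs in by_site.items() if site.lower() not in hubs
        for dc in dcs if dc in domain_wide
    )

def fallback_candidates(text, client_site):
    """Domain-wide DCs left once the client's own site list is exhausted."""
    by_site, domain_wide = parse_srv(text)
    return sorted(domain_wide - by_site.get(client_site, set()))

if __name__ == "__main__":
    for site, dc in spoke_dcs_in_domain_wide(SAMPLE_SRV, ["Hub"]):
        print(f"{dc} (site {site}) is still in the domain-wide list")
```

On the sample data, `spokeb-dc1` is flagged, and a client in SpokeA that exhausts its own site list could be handed it as well as the two hub DCs.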
