JCS,
Yes there sure is, but I guess the real question is, why is that server
talking to a remote DC vs. a more local one? That could point to a site or
DNS issue you may want to investigate.
In any event, you can use simple tools like NLTEST to control which domain
controller a member server has a secure session channel to. The (remote
use) command is:
NLTEST /SERVER:MY_MEMBER_SERVER /SC_RESET:DOMAIN\MY_DOMAIN_CONTROLLER_NAME
(NOTE: To interrogate where a particular host has its secure channel set
to, you can use the /SC_QUERY:DOMAIN_NAME option in place of the /SC_RESET)
Just so you know, hosts will periodically use DsGetDCName calls to
interrogate for an available DC, so if you reset a host and it resets to
another DC again (affinity), that could be the earlier issue mentioned
influencing selection, or the host returned is the first responding to the
query. In any event, this behavior is also configurable via the registry
(see last article referenced below), but may not be something you wish to
tinker with.
We've also used an API variation of this to periodically load balance AAA
servers across multiple Domain Controllers in a single site (Perl's
Win32::Lanman has the I_NetLogonControl2 function in it which is pretty
handy - see below example).
use Win32;
use Win32::Lanman;

# ask $server to rediscover its secure channel against the DC mapped to it
undef(%params);
$params{server} = $server;
$params{flags} = &NETLOGON_CONTROL_REDISCOVER;
$params{domain} = "$domain\\$srvmap{$server}";
&manage_ssc(\%params, \%info, \$retval);

# manage secure session channel settings
# _________________________________________________________________________
sub manage_ssc {
    my ($params, $data, $error) = @_;
    if (!Win32::Lanman::I_NetLogonControl2("\\\\$$params{server}",
                                           $$params{flags},
                                           $$params{domain},
                                           \%$data)) {
        # $error is a scalar reference, so dereference it when reporting
        $$error = Win32::GetLastError;
        $OUTPUT .= " - unable to retrieve secure channel information " .
                   "for $$params{server}, error $$error: " .
                   Win32::FormatMessage($$error) . "\n";
    } else {
        $$error = 0;
        $OUTPUT .= " - successfully retrieved secure channel " .
                   "information for $$params{server}\n";
    }
    return;
}
Below is some additional MS-related information that may be helpful.
Regards,
Richard
How to Optimize the Location of a Domain Controller or Global Catalog That
Resides Outside of a Client's Site
Article ID: 306602
http://support.microsoft.com/default.aspx?scid=kb;en-us;306602
How to Use NLTEST to Force a New Secure Channel
Article ID: 156684
http://support.microsoft.com/default.aspx?scid=kb;en-us;156684
Secure Channel Manipulation with TCP/IP
Article ID: 181171
http://support.microsoft.com/default.aspx?scid=kb;en-us;181171
Windows 2000 Member Runs Discovery Every 15 Minutes with Possible High
Dial-on-Demand Line Costs
Article ID: 265395
(NOTE: ignore the article's purpose, interesting part is the NETLOGON
registry control values for how often a host queries for a DC)
http://support.microsoft.com/kb/265395/EN-US/
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sanz
> de Leon, Juan Carlos
> Sent: Wednesday, January 26, 2005 10:30 AM
> To: [email protected]
> Subject: [ActiveDir] Selecting a particular DC LOGONSERVER
>
> Dear gurus,
>
> Is there a way to tell a Windows 2000 server to use a
> particular DC for authentication? We have one particular
> server which seems to authenticate using a remote DC. For
> testing purposes we want to specify that the server use a
> particular DC within our forest. Perhaps there is a
> particular KB article that could help.
>
> Thanks in advance,
> JCS
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
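Added example, not part of the original thread or the poster's code: a small Python audit helper that parses the text printed by the /SC_QUERY form of NLTEST mentioned above and flags member servers whose secure channel points at a DC outside an expected in-site list. The host and DC names, the sample output and the category labels are constructed assumptions.

```python
import re
import subprocess

# Constructed samples of `nltest /sc_query:<domain>` output (not from the thread).
SAMPLE_LOCAL = r"""Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC-LOCAL1.corp.example.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""
SAMPLE_BROKEN = r"""Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
"""

def parse_sc_query(output):
    """Return (dc_fqdn_lowercase or None, status_code or None)."""
    dc = re.search(r"^Trusted DC Name[ \t]+\\\\(\S+)", output, re.M)
    st = re.search(r"^Trusted DC Connection Status\s+Status = (\d+)", output, re.M)
    return (dc.group(1).lower() if dc else None,
            int(st.group(1)) if st else None)

def assess(output, expected_dcs):
    """Classify one host: ok, remote-dc, broken, or unparsed."""
    dc, status = parse_sc_query(output)
    if status is None:
        return "unparsed"
    if status != 0 or dc is None:
        return "broken"
    # Compare on the short host name so FQDN and NetBIOS-style entries both match.
    allowed = {d.lower().split(".")[0] for d in expected_dcs}
    return "ok" if dc.split(".")[0] in allowed else "remote-dc"

def query_host(server, domain):
    """Run the /SC_QUERY form from the post against a remote member server."""
    result = subprocess.run(
        ["nltest", f"/server:{server}", f"/sc_query:{domain}"],
        capture_output=True, text=True, check=False)
    return result.stdout

if __name__ == "__main__":
    site_dcs = ["DC-LOCAL1", "DC-LOCAL2"]  # hypothetical in-site DC names
    for label, text in (("local", SAMPLE_LOCAL), ("broken", SAMPLE_BROKEN)):
        print(label, parse_sc_query(text), assess(text, site_dcs))
```

A "remote-dc" result is the cue to check site and DNS configuration before forcing the channel with /SC_RESET.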