If the DC is unreachable, the client places it in a (temporary?) blacklist
and doesn't try it again for a set period of time.
 
Now, what follows next is an informed guess (OK, maybe just a guess)... the
client will receive multiple DCs in the referral and will then move onto the
next DC on that list until it finds a responsive one. My guess is predicated
on the assumption that the client is not able to reach the first DC. If the
client reaches the DC and the DC responds that it couldn't locate the record
(because the DC couldn't reach the other network segment, or for other
reasons), then that DC is not blacklisted, and the client will accept the
negative response as gospel and not move down the list of DCs.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Mon 12/12/2005 1:09 PM
To: [email protected]
Subject: [ActiveDir] Cross forest trust and DNS



Hi all

Need a bit of help with this one.  Here's the scenario.

Two Windows Server 2003 forests federated with a cross forest trust.  Forest
A has 4 DCs, all of which are reachable from Forest B.  Forest B has approx.
30 DCs, of which only those in the main site (10) are reachable from Forest A's
network.  There is no site and subnet synchronisation in place.

My concern is that not all the DCs in Forest B are reachable from Forest A
(because network routes are only in place to the main site).  DNS secondary
zones are being used and these obviously contain information about the
unreachable DCs in Forest B.  What happens when a client in Forest A needs to
access a resource in Forest B?  The routing of Kerberos authentication
requires DNS lookups for DCs in Forest B.  If the client in Forest A receives
a referral to an unreachable DC in Forest B, does the request simply fail or
is there some built-in intelligent retry mechanism?  In other words, will the
client in Forest A eventually be referred to a reachable DC?

I realise there are long term solutions to this (site and subnet
synchronisation, the addition of network routes), but I am keen to understand
the DNS interactions so I can determine whether this will work in the short
term.

Tony

 

 

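The thread turns on which of the DCs published for Forest B a client in Forest A can actually reach. The script below is an added example written for this page, not code from either poster: it pulls the forest-wide DC locator SRV record (`_ldap._tcp.dc._msdcs.<forest>`, the same record set a client consults when it has no site to narrow the list) and tests a TCP connect to each listed DC on the Kerberos and LDAP ports, so the unreachable DCs the original poster is worried about can be enumerated rather than guessed. The forest name `forestb.example` is a placeholder, the ports and timeout are assumptions, and `Resolve-DnsName` needs the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the thread: list the DCs a Forest A client would be
# handed for Forest B and check whether each answers on the Kerberos (88) and
# LDAP (389) ports. $ForestDnsName is a placeholder; replace it with Forest B's
# DNS name. Run from a host on Forest A's network.
param(
    [string]$ForestDnsName = 'forestb.example',   # placeholder, assumed
    [int[]]$Ports = @(88, 389),                   # Kerberos, LDAP (assumed)
    [int]$TimeoutMs = 2000
)

# Forest-wide DC locator record; every DC in the forest registers here.
$srvName = "_ldap._tcp.dc._msdcs.$ForestDnsName"

# Resolve-DnsName also returns A records for the targets; keep the SRV rows only.
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        # A timeout is treated the same as a refused or unroutable connection.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)   # throws if the connect failed
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Walk the records in the order a client would prefer them (priority, then weight).
$results = foreach ($rec in $srv | Sort-Object Priority, Weight) {
    foreach ($port in $Ports) {
        [pscustomobject]@{
            DC        = $rec.NameTarget
            Priority  = $rec.Priority
            Weight    = $rec.Weight
            Port      = $port
            Reachable = Test-TcpPort -HostName $rec.NameTarget -Port $port -TimeoutMs $TimeoutMs
        }
    }
}

$results | Format-Table -AutoSize

# DCs that fail on any port are the ones a client must time out on before it
# can move further down the referral list.
$unreachable = @($results | Where-Object { -not $_.Reachable } |
                 Select-Object -ExpandProperty DC -Unique)
"Unreachable DCs: $($unreachable.Count) of $(@($srv).Count)"
```

Because the secondary zone in Forest A carries the full Forest B record set, the count of unreachable DCs this prints is the number of blacklist entries and connection timeouts a client can accumulate before it lands on a responsive DC; adding the site-specific record (`_ldap._tcp.<site>._sites.dc._msdcs.<forest>`) as a second query is a natural extension once site and subnet information is in place.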


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
