joeblank
asked on
How Do I Specify a Preferred DC
This should be relatively simple, I just haven't found a way to do it:
The scenario is this - I want to have two Domain Controllers in a Windows 2003 environment. One of the Domain Controllers will be a robust machine and the other will be an old workstation. I want the more robust machine to handle all authentication requests, unless it is unavailable, in which case the old workstation should take over authentication duties, thus basically acting as a backup DC.
Given that technically all DCs are equal, how do I tell my workstations to authenticate to a specific DC, but if it isn't available, authenticate to the other DC?
Also, what command line can I use to see which server my workstations used to login to?
ASKER
kristinaw,
That sounds like it would work. Could you lay the process out in more of a step-by-step manner?
Also, I found the answer to part of my question: Type "set" at command prompt and it will list the server that logged one in.
for this to work the only thing you would need is an internal router. do you have one?
ASKER
I have one router
that connects you to the internet?
Hi joeblank,
Use the #pre and #dom and dc's static ip address to name in lmhosts files, with 15th character netbios entry added to name
http:Q_20735962.html
Best of luck.
ASKER
yes, that router connects us to the internet
Is your DNS set up correctly? AD relies on DNS, but it is also possible, if DNS is hosted on Windows, for it to be made AD integrated, so it can use AD methods of synchronising information. To make one DC used in preference to the other, use Sites and Services and put the depreciated DC in another site.
Hello,
1. If you have DNS running, which you should by default on the 2 DCs, the primary DNS server, which is the bigger, better machine, will handle the DC authentication requests.
2. The primary DNS is the one that pushes the zones to the other DNS server, called the secondary DNS server. You can find all this in the properties dialog of each DC.
3. If you are running DHCP on your network from the Windows machines, whatever the primary DNS is set to when you installed the DHCP server, that one handles most requests.
4. It really doesn't matter how big and powerful the machines are, since all the DC does during logons is run some Kerberos and make sure you are who you say, so there's not really a huge processor or memory load.
5. Just make sure file and print storage is on the big machine and just have the little one standing by in case the big one goes out, so users can authenticate to the domain and get to printers and the Internet.
Let me know if you need more info!
Thanks and Good Luck
BindSucksAss
Defining a second site with the other DC in it would work, however it does mean that the second DC has to be on a separate subnet. I'm guessing from the wording of the question that it is just a small LAN with a single subnet.
Sorry Kris, didn't read your response properly.
It sounds like a good solution although i reckon you would have problems with the DC to DC replication if you add it to a site with a subnet that's not relevant to the IP address of the DC.
my thinking was just not assigning the second DC to a subnet at all. i would definitely recommend he check dcdiag and replmon after setting this up to make sure replication is working properly. i'm curious to hear back from him to see if this works out...
kris.
Kris, it just so happens that I am in the middle of a W2k3 rollout for a customer and as they are not live yet I tried what you suggested. It works great and the clients always seem to go to the one in the main site.
So there you go joeblank Kris has your answer, I would suggest though that once you've done this keep an eye on replication as she suggests and also use "gpresult" at the clients to verify it's having the desired results.
Steve
By the way don't start using Host/LMHost files. They will cause you more trouble in the long run than they are worth
ASKER
I'd prefer to do this without using an additional subnet, is that possible?
yes, that's what i was suggesting in my last post. the backup DC will not have a subnet assigned to it. in your subnet lists you'll have only one defined and it will belong to the primary DC.
ASKER
OK, thanks.
My testlab is being used for something else for the next few days, so I am going to have to hold off on testing this out in my environment. Thanks for the help and I'll let you know if it works and assign points accordingly at that time.
Yes, as Kris said just go to Sites & Services and create a new Site, but don't assign a subnet to it. Move the "old" DC into this site through the Site & Services MMC and that should solve your problem. The KCC will regenerate a link in "NTDS Settings" to show replication between the DC's in each site and then all your clients should authenticate against the "good" DC in the original "Default first Site"
also, go ahead and make the backup DC a global catalog server after you put it in its new site.
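The Sites & Services steps described above, scripted as an added example (not from this thread) with the ActiveDirectory PowerShell module, followed by the checks that confirm clients now locate the preferred DC. It assumes a placeholder domain example.com, backup DC OLDDC and site name BackupSite, and that the AD module and AD Web Services are available, which a 2003-era environment like the asker's would not have.

```powershell
# Added example: create an empty site, move the backup DC into it, then verify.
# Placeholders (assumptions, not from the thread): example.com, OLDDC, BackupSite.
Import-Module ActiveDirectory

$Domain     = 'example.com'
$BackupDc   = 'OLDDC'
$BackupSite = 'BackupSite'

# 1. Create the new site but deliberately do NOT assign any subnet to it, so every
#    client IP still maps to the default site where the preferred DC lives.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BackupSite'")) {
    New-ADReplicationSite -Name $BackupSite
}

# 2. Move the backup DC's server object into the new site. The KCC regenerates the
#    inter-site connection objects under NTDS Settings on its own.
Move-ADDirectoryServer -Identity $BackupDc -Site $BackupSite

# 3. Guard against the failure mode discussed in the thread: a subnet attached to the
#    backup site would steer the clients on it to OLDDC and defeat the purpose.
$leaked = Get-ADReplicationSubnet -Filter * | Where-Object { $_.Site -like "*CN=$BackupSite,*" }
if ($leaked) {
    Write-Warning "Subnets assigned to ${BackupSite}: $($leaked.Name -join ', ')"
}

# 4. Verification from a client: which DC does the locator return now, and which one
#    handled this session's logon? Both should name the preferred DC while it is up.
$located = Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover
"Locator picked: $($located.HostName) in site $($located.Site)"
"This session's logon server: $env:LOGONSERVER"

# 5. Replication health after the move, using the built-in tools the thread recommends.
repadmin /showrepl $BackupDc
dcdiag /s:$BackupDc /test:Replications
```

Run step 4 on a workstation after a fresh logon; if it still reports the backup DC, re-check the subnet list before looking anywhere else.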
Another method is to use the #PRE and #DOM entries in LMHOSTS
see c:\windows\system32\drivers\etc\lmhosts.sam
ASKER
Sorry this hasn't been closed yet. I am near the end of my migration and will be testing the solution soon.
To find out the authenticating server on a machine you can type at command line
echo %logonserver% (will return \\servername)
also, you can set logon scripts to map directories such as
net use x: %logonserver%\sharename if you wanted.
I am having the same issues with setting the preferred logon server, hopefully some of the above will help.
Mike
hth,
kris.