Control which DC authenticates a logon request

We have 12 offices connected via a frame relay WAN.  Each office has a local 2k3 DC.   When users log in, I notice that the logon server can be any of the DCs in the WAN.  How can I control which servers authenticate which offices?  Do I have to use sites to do this?  
shanna1017 Asked:

marc_nivens Commented:
Using sites will accomplish this.  Make sure that at least one DC in each site is a GC as well.
0
shanna1017 Author Commented:
Thanks for the quick response marc.  So without using sites there's no way to do this?  

Also how do I make a server a global catalog server?
0
marc_nivens Commented:
Sites are the only way to do this natively.  To make a server a GC, open AD Sites and Services, go under the site in question, and expand the server until you see NTDS Settings.  Right click on NTDS Settings and go to properties, check the Global Catalog box.
0
shanna1017 Author Commented:
I'll give that a try.  Thanks!
0
jberg69 Commented:
Also, you need to create site links.  My personal opinion is to create a site link that connects just two sites.  That way you can assign a cost to the link and control where users will log in to if their GC is down.

For example, let's say that I have several offices around the state, one in Portland, one in Salem, one in Eugene, and one in Bend.  The Salem site may have WAN lines connecting it to Bend and Portland, but the bandwidth is better to Portland.  I would create a site link that connects Salem to Portland and assign it a cost of 50 and create a site link that connects Salem and Bend and assign it a cost of 100.  That way your users would always go to Portland for authentication if the Salem GC was down (unless the Portland link was also down).

Also, don't make your infrastructure master the GC.  To view your infrastructure master, open AD Users and Computers and right click the domain container and select Operations Masters.  You will have replication issues if you make the infrastructure master a GC.

Depending on how large your sites are, you can also use the new Universal Group Caching feature.  If your sites are less than 75 users, write back and I'll tell you more about that.

Good luck.

Jason
0
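
A read-only check of the points raised in the answers above (a GC in every site, two-site links with explicit costs, infrastructure master not on a GC), added here as an example and not posted by any participant in the thread. It assumes a management host with the ActiveDirectory PowerShell module and also counts subnet-to-site mappings, which the thread does not cover.

```powershell
# Added example: read-only audit of the site design discussed in this thread.
# Assumption: run from a host with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dcs     = @(Get-ADDomainController -Filter *)
$subnets = @(Get-ADReplicationSubnet -Filter *)

# 1. Per site: DC count, GC count, and mapped subnets. Clients pick their site
#    from their IP subnet, so a site with no subnet attracts no local logons.
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site    = $_
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $siteGcs = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
    $siteNet = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })

    $finding = 'ok'
    if     ($siteDcs.Count -eq 0) { $finding = 'no DC in site' }
    elseif ($siteGcs.Count -eq 0) { $finding = 'no GC in site' }
    elseif ($siteNet.Count -eq 0) { $finding = 'no subnet mapped' }

    [pscustomobject]@{
        Site    = $site.Name
        DCs     = $siteDcs.Count
        GCs     = $siteGcs.Count
        Subnets = $siteNet.Count
        Finding = $finding
    }
} | Format-Table -AutoSize

# 2. The thread advises keeping the infrastructure master off a GC; flag it for review.
$im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($im.IsGlobalCatalog) {
    Write-Warning "Infrastructure master $($im.HostName) is also a global catalog"
}

# 3. Site links by cost; SiteCount = 2 matches the two-site links suggested above.
Get-ADReplicationSiteLink -Filter * | Sort-Object Cost |
    Select-Object Name, Cost,
        @{ n = 'SiteCount'; e = { @($_.SitesIncluded).Count } },
        @{ n = 'Sites'; e = { ($_.SitesIncluded -replace '^CN=([^,]+),.*$', '$1') -join ', ' } } |
    Format-Table -AutoSize

# 4. Run on a workstation in the office under test: the site it detected
#    and the DC that authenticated the current logon session.
nltest /dsgetsite
"Logon server: $env:LOGONSERVER"
```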
Windows Server 2003