Solved

Need to force users to use local AD only for authentication

Posted on 2007-11-16
Last Modified: 2009-07-29
I have a branch site with a WIN2003 AD Server that will at times have high CPU load because of other applications that are installed on it. It seems that at times it will time out during authentication and go to the next hop at the AD controller at headquarters to authenticate. I would like to prevent this from happening.

Is there a way to force this specific location to ONLY authenticate with their local site AD Server?

Even if the server is timed out, perhaps there might be a way to have it keep retrying the same local AD server during authentication, can this be done through a policy?
Question by:syndev
5 Comments
 
Accepted Solution

by: tigermatt (earned 500 total points)
ID: 20300571
It is obviously maxing out and is saying it can't process the authentication request, so going to the next server along the line which happens to be at head office. The first thing I would be asking is what are you running on a server in a branch office? Generally, you would just install it as DC, DNS server for the branch office, DHCP for the branch office, WINS and possibly print and file server. You shouldn't be putting critical applications such as databases on a branch office server, these would be better suited to be locked away in your head office server room on a dedicated machine if they need such a high level of system resources.

You shouldn't really be trying to work around a high CPU load issue either, particularly if it is happening regularly as this will degrade the performance of your network. You would be much better looking at alternative solutions, which may be to:

a) change out the CPU in the existing server, upgrade RAM etc. to give some more system resources to this machine
b) move some of the high CPU level applications off this server to a dedicated server if necessary at your head office
c) install another server at the branch office and move the high CPU consuming applications onto that

As I've said, don't try to work around a serious issue such as low levels of CPU idle time, implement a fix which has provision for the future as your network expands.

-tigermatt

Expert Comment

by:JohnDemerjian
ID: 20300781
More thoughts from http://technet2.microsoft.com/windowsserver/en/library/5b752370-7106-44c7-8d70-dbaf8d6038fd1033.mspx?mfr=true

Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta and queries for the site-specific service (SRV) resource record (a DNS resource record used to locate domain controllers for Active Directory) and thereby finds a domain controller within the same site.

By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific SRV resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.


 

Author Comment

by:syndev
ID: 20301694
Well, the problem is that the AD server applications that are peaking the CPU load at times cannot be removed. I basically need a solution, possibly policy based, that will make sure that workstations authenticate with the local AD Server only. And if the communication times out because of CPU load, I would like the workstation to retry again within another few seconds rather than hop to the next AD server over the WAN.

Expert Comment

by:Jay_Jay70
ID: 20303001
You need to configure sites and assign subnets. It's the crux of all control for localised authentication.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx
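Worked example of the site and subnet configuration the last two comments point to, added here by the editor; it is not code posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT; on a 2003-era forest the same three objects are created by hand in Active Directory Sites and Services), and the names are hypothetical: domain example.corp, site BranchSite, subnet 10.20.0.0/24, branch DC BRANCH-DC1. The verification step at the end is the check worth running from a branch workstation: if nltest /dsgetsite does not print the branch site, the workstation's IP is not inside a subnet assigned to that site and the locator has no reason to prefer the local DC. Note also the caveat the thread does not spell out: this makes the local DC the preferred one, but the DC locator has no "local only" switch. If the site's DC fails to answer the locator's LDAP ping, the client falls back to the domain-wide record (_ldap._tcp.dc._msdcs.example.corp), which is exactly the hop to headquarters the question describes.

```powershell
# Added example (not from the original thread). Hypothetical names throughout.
Import-Module ActiveDirectory

$Domain   = 'example.corp'
$SiteName = 'BranchSite'
$Subnet   = '10.20.0.0/24'
$BranchDC = 'BRANCH-DC1'

# 1. Create the site if it does not exist and add it to the default site link,
#    so the branch DC keeps replicating with head office after the move.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}
}

# 2. Map the branch subnet to the site. This mapping is what lets any DC the
#    client first reaches answer "you belong to BranchSite" (the client affinity
#    behaviour quoted from TechNet above). Check for an existing, overlapping
#    subnet first: a subnet already bound to another site silently wins.
$existing = Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'"
if (-not $existing) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
} elseif ($existing.Site -notlike "*$SiteName*") {
    Write-Warning "$Subnet is already assigned to $($existing.Site); fix that before continuing."
}

# 3. Move the branch DC's server object into the site so it registers the
#    site-specific SRV records for BranchSite.
Move-ADDirectoryServer -Identity $BranchDC -Site $SiteName

# 4. Verify from a branch workstation (after the DC has re-registered its records).
nltest /dsgetsite                 # expected: BranchSite
nltest /dsgetdc:$Domain /force    # expected: DC = \\BRANCH-DC1, Dom/Our Site = BranchSite

# The site-specific SRV record the client queries once it knows its site;
# BRANCH-DC1 should be the only target listed here.
Resolve-DnsName -Type SRV "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"
```

Run steps 1 to 3 once from any machine with the AD module and rights on the Configuration partition; run step 4 on a workstation in the branch subnet. The /force flag makes nltest bypass the locator cache, so you see which DC a fresh discovery actually picks rather than whichever one was cached earlier.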