• Status: Solved

Need to force users to use local AD only for authentication

I have a branch site with a WIN2003 AD Server that will at times have high CPU load because of other applications that are installed on it. It seems that at times it will timeout during authentication and go to the next hop at the AD controller at headquarters to authenticate. I would like to prevent this from happening.

Is there a way to force this specific location to ONLY authenticate with their local site AD Server?

Even if the server has timed out, perhaps there might be a way to have it keep retrying the same local AD server during authentication; can this be done through a policy?
1 Solution
It is obviously maxing out and is saying it can't process the authentication request, so it goes to the next server along the line, which happens to be at head office. The first thing I would be asking is: what are you running on a server in a branch office? Generally, you would just install it as a DC, DNS server for the branch office, DHCP for the branch office, WINS and possibly print and file server. You shouldn't be putting critical applications such as databases on a branch office server; these would be better suited to being locked away in your head office server room on a dedicated machine if they need such a high level of system resources.

You shouldn't really be trying to work around a high CPU load issue either, particularly if it is happening regularly, as this will degrade the performance of your network. You would be much better off looking at alternative solutions, which may be to:

a) change out the CPU in the existing server, upgrade RAM etc. to give some more system resources to this machine
b) move some of the high CPU level applications off this server to a dedicated server if necessary at your head office
c) install another server at the branch office and move the high CPU consuming applications onto that

As I've said, don't try to work around a serious issue such as low levels of CPU idle time; implement a fix which has provision for the future as your network expands.

More thoughts from http://technet2.microsoft.com/windowsserver/en/library/5b752370-7106-44c7-8d70-dbaf8d6038fd1033.mspx?mfr=true

Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta and queries for the site-specific service (SRV) resource record (a DNS resource record used to locate domain controllers for Active Directory) and thereby finds a domain controller within the same site.

By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific SRV resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.

syndev (Author) commented:
Well, the problem is that the AD server applications that are peaking the CPU load at times cannot be removed. I basically need a solution, possibly policy based, that will make sure that workstations authenticate with the local AD server only. And if the communication times out because of CPU load, I would like the workstation to retry again within another few seconds rather than hop to the next AD server over the WAN.
You need to configure sites and assign subnets. It's the crux of all control for localised authentication.
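The site and subnet configuration the last comment points to, and the DNS site-specific SRV lookup described in the "Client affinity" excerpt above, as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); on the Windows 2003 DCs in the question the same site and subnet objects are created by hand in Active Directory Sites and Services (dssite.msc). The site name, subnet and domain name are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module;
# run from an elevated prompt with rights to modify the Configuration partition.
# Placeholder values: replace with the branch's real site, subnet and domain.
Import-Module ActiveDirectory

$SiteName  = 'Branch01'
$Subnet    = '10.20.0.0/24'
$DomainDns = 'corp.example.com'

# 1. Create the branch site if it does not exist yet.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Branch office'
}

# 2. Map the branch IP subnet to that site. This is the step the comment refers
#    to: the DC locator matches the client's IP address against these subnets to
#    decide which site's DCs the client should prefer. Without a matching subnet
#    the client is treated as site-less and may pick any DC, including one at HQ.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 3. Check which DCs advertise themselves for that site in DNS. Each DC in the
#    site registers a site-specific SRV record (the record the excerpt mentions);
#    if the branch DC is missing here, clients in the branch have nothing local
#    to prefer and will go over the WAN.
$srv = "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainDns"
Resolve-DnsName -Name $srv -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# 4. From a workstation in the branch: which site does the locator think it is
#    in, and which DC did it select? These are built-in commands.
nltest /dsgetsite
nltest /dsgetdc:$DomainDns /force
$env:LOGONSERVER
```

Site assignment makes the branch DC the preferred choice, not the only one: if that DC fails to respond in time, the locator still falls back to DCs in other sites, which is the behaviour the question describes. The DNS check in step 3 and the `nltest` output in step 4 are the quickest way to confirm whether the subnet mapping is actually in effect before assuming the fallback is caused by load alone.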
