

Need to force users to use local AD only for authentication

Posted on 2007-11-16
Medium Priority
Last Modified: 2009-07-29
I have a branch site with a WIN2003 AD Server that will at times have high CPU load because of other applications that are installed on it. It seems that at times it will timeout during authentication and go to the next hop at the AD controller at headquarters to authenticate. I would like to prevent this from happening.

Is there a way to force this specific location to ONLY authenticate with their local site AD Server?

Even if the server is timed out, perhaps there might be a way to have it keep retrying the same local AD server during authentication, can this be done through a policy?
Question by:syndev
LVL 58

Accepted Solution

tigermatt earned 2000 total points
ID: 20300571
It is obviously maxing out and is saying it can't process the authentication request, so going to the next server along the line which happens to be at head office. The first thing I would be asking is what are you running on a server in a branch office? Generally, you would just install it as DC, DNS server for the branch office, DHCP for the branch office, WINS and possibly print and file server. You shouldn't be putting critical applications such as databases on a branch office server, these would be better suited to be locked away in your head office server room on a dedicated machine if they need such a high level of system resources.

You shouldn't really be trying to work around a high CPU load issue either, particularly if it is happening regularly as this will degrade the performance of your network. You would be much better looking at alternative solutions, which may be to:

a) change out the CPU in the existing server, upgrade RAM etc. to give some more system resources to this machine
b) move some of the high CPU level applications off this server to a dedicated server if necessary at your head office
c) install another server at the branch office and move the high CPU consuming applications onto that

As I've said, don't try to work around a serious issue such as low levels of CPU idle time, implement a fix which has provision for the future as your network expands.


Expert Comment

ID: 20300781
more thoughts from http://technet2.microsoft.com/windowsserver/en/library/5b752370-7106-44c7-8d70-dbaf8d6038fd1033.mspx?mfr=true

Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta and queries for the site-specific service (SRV) resource record (a DNS resource record used to locate domain controllers for Active Directory) and thereby finds a domain controller within the same site.

By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific SRV resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.


Author Comment

ID: 20301694
Well, the problem is that the AD server applications that are peaking the CPU load at times cannot be removed. I basically need a solution, possibly policy based, that will make sure that workstations authenticate with the local AD Server only. And if the communication times out because of CPU load, I would like the workstation to retry again within another few seconds rather than hop to the next AD server over the WAN.
LVL 48

Expert Comment

ID: 20303001
You need to configure sites and assign subnets; it's the crux of all control for localised authentication.
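The two expert comments above describe the mechanism (the client locates a DC via site-specific SRV records, so the branch subnet must be mapped to a site that contains the branch DC) and the fix (configure sites and assign subnets). The following is an added example, not code from the thread or from Microsoft, showing how to make that assignment with the ActiveDirectory PowerShell module and then check from a workstation which site and DC the locator resolves. It assumes a Windows Server 2012 or later management host with RSAT; the site name, subnet and DC name are placeholders.

```powershell
# Added example (not from the thread): map the branch subnet to its own AD site
# and verify the result from the client side.
# Assumes the ActiveDirectory module (RSAT, Server 2012+); names below are placeholders.
Import-Module ActiveDirectory

$BranchSite   = 'Branch-Office'   # assumed site name
$BranchSubnet = '10.20.0.0/24'    # constructed branch subnet
$BranchDC     = 'BRANCH-DC01'     # assumed branch domain controller

# 1. Create the site if it does not exist yet.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite
}

# 2. Map the branch subnet to the site. This is what lets a DC work out a
#    client's site from its IP address and hand it the site-specific SRV name.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$BranchSubnet'")) {
    New-ADReplicationSubnet -Name $BranchSubnet -Site $BranchSite
}

# 3. Move the branch DC into that site if it is still in the default site.
$dc = Get-ADDomainController -Identity $BranchDC
if ($dc.Site -ne $BranchSite) {
    Move-ADDirectoryServer -Identity $BranchDC -Site $BranchSite
}

# 4. List subnets that are defined but not tied to any site; clients in those
#    ranges get no site affinity and may authenticate across the WAN.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name

# 5. Run on a branch workstation: confirm the cached site and which DC the
#    locator returns for that site (nltest ships with Windows).
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /site:$BranchSite
```

Site and subnet assignment steers clients to the local DC on every lookup, which addresses the "closest DC" half of the question. It does not change the failover behaviour the author describes: if the local DC fails to respond, the locator still falls back to a DC elsewhere, which is why the accepted answer focuses on relieving the CPU load rather than pinning clients to one server.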

