Need to force users to use local AD only for authentication

Posted on 2007-11-16
Last Modified: 2009-07-29
I have a branch site with a WIN2003 AD Server that will at times have high CPU load because of other applications that are installed on it. It seems that at times it will timeout during authentication and go to the next hop at the AD controller at headquarters to authenticate. I would like to prevent this from happening.

Is there a way to force this specific location to ONLY authenticate with their local site AD Server?

Even if the server is timed out, perhaps there might be a way to have it keep retrying the same local AD server during authentication, can this be done through a policy?
Question by:syndev

Accepted Solution

tigermatt earned 2000 total points
ID: 20300571
It is obviously maxing out and is saying it can't process the authentication request, so it goes to the next server along the line, which happens to be at head office. The first thing I would be asking is what are you running on a server in a branch office? Generally, you would just install it as a DC, DNS server for the branch office, DHCP for the branch office, WINS and possibly print and file server. You shouldn't be putting critical applications such as databases on a branch office server; these would be better suited to being locked away in your head office server room on a dedicated machine if they need such a high level of system resources.

You shouldn't really be trying to work around a high CPU load issue either, particularly if it is happening regularly as this will degrade the performance of your network. You would be much better looking at alternative solutions, which may be to:

a) change out the CPU in the existing server, upgrade RAM etc. to give some more system resources to this machine
b) move some of the high CPU level applications off this server to a dedicated server if necessary at your head office
c) install another server at the branch office and move the high CPU consuming applications onto that

As I've said, don't try to work around a serious issue such as low levels of CPU idle time, implement a fix which has provision for the future as your network expands.


Expert Comment

ID: 20300781
more thoughts from http://technet2.microsoft.com/windowsserver/en/library/5b752370-7106-44c7-8d70-dbaf8d6038fd1033.mspx?mfr=true

Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta and queries for the site-specific service (SRV) resource record (a DNS resource record used to locate domain controllers for Active Directory) and thereby finds a domain controller within the same site.

By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific SRV resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.


Author Comment

ID: 20301694
Well, the problem is that the AD server applications that are peaking the CPU load at times cannot be removed. I basically need a solution, possibly policy based, that will make sure that workstations authenticate with the local AD Server only. And if the communication times out because of CPU load, I would like the workstation to retry again within another few seconds rather than hop to the next AD server over the WAN.

Expert Comment

ID: 20303001
You need to configure sites and assign subnets... it's the crux of all control for localised authentication.
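The sites-and-subnets configuration this comment and the client-affinity excerpt above describe, as an added example that is not part of the original thread: it creates the branch site, maps the branch subnet to it, moves the branch DC into it, and then verifies which site and DC the locator picks. It assumes the ActiveDirectory PowerShell module (RSAT) and uses placeholder site, subnet and DC names.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# site name, subnet and DC name below are placeholders for the branch office.
Import-Module ActiveDirectory

$SiteName = 'Branch-Site'      # placeholder: branch office site
$Subnet   = '10.20.0.0/24'     # placeholder: branch workstation subnet
$BranchDC = 'BRANCH-DC01'      # placeholder: branch domain controller
$Domain   = $env:USERDNSDOMAIN

# 1. Create the site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Map the branch subnet to the site. This is what lets a DC tell a
#    client which site it belongs to, based on the client's IP address.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 3. Put the branch DC in that site so it registers the site-specific
#    SRV records clients query to find a DC in their own site.
Move-ADDirectoryServer -Identity $BranchDC -Site $SiteName

# 4. Verify the site-specific SRV record exists for the branch site.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"

# 5. Run from a branch workstation: confirm the site it was placed in
#    and which DC the locator returns for that site.
nltest /dsgetsite
nltest /dsgetdc:$Domain /site:$SiteName
```

Site mapping makes the local DC the preferred choice; it does not stop the locator from falling back to another DC when the local one fails to answer, which is why the CPU contention itself still needs to be addressed.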

