Need to force users to use local AD only for authentication

Posted on 2007-11-16
Last Modified: 2009-07-29
I have a branch site with a WIN2003 AD Server that will at times have high CPU load because of other applications that are installed on it. It seems that at times it will timeout during authentication and go to the next hop at the AD controller at headquarters to authenticate. I would like to prevent this from happening.

Is there a way to force this specific location to ONLY authenticate with their local site AD Server?

Even if the server has timed out, is there perhaps a way to have the workstation keep retrying the same local AD server during authentication? Can this be done through a policy?
Question by: syndev

Accepted Solution

tigermatt earned 500 total points
ID: 20300571
It is obviously maxing out and saying it can't process the authentication request, so the client goes to the next server along the line, which happens to be at head office. The first thing I would be asking is what are you running on a server in a branch office? Generally, you would just install it as a DC, DNS server for the branch office, DHCP for the branch office, WINS and possibly print and file server. You shouldn't be putting critical applications such as databases on a branch office server; these would be better suited to being locked away in your head office server room on a dedicated machine if they need such a high level of system resources.

You shouldn't really be trying to work around a high CPU load issue either, particularly if it is happening regularly as this will degrade the performance of your network. You would be much better looking at alternative solutions, which may be to:

a) change out the CPU in the existing server, upgrade RAM etc. to give some more system resources to this machine
b) move some of the high CPU level applications off this server to a dedicated server if necessary at your head office
c) install another server at the branch office and move the high CPU consuming applications onto that

As I've said, don't try to work around a serious issue such as low levels of CPU idle time, implement a fix which has provision for the future as your network expands.


Expert Comment

ID: 20300781
more thoughts from

Client affinity
Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site to the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta and queries for the site-specific service (SRV) resource record (a DNS resource record used to locate domain controllers for Active Directory) and thereby finds a domain controller within the same site.

By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific SRV resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.


Author Comment

ID: 20301694
Well, the problem is that the AD server applications that are peaking the CPU load at times cannot be removed. I basically need a solution, possibly policy based, that will make sure that workstations authenticate with the local AD server only. And if the communication times out because of CPU load, I would like the workstation to retry again within another few seconds rather than hop to the next AD server over the WAN.

Expert Comment

ID: 20303001
You need to configure sites and assign subnets. It's the crux of all control for localised authentication.
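The sites-and-subnets setup the comment refers to, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, not the 2003-era GUI the question describes) and uses constructed values: domain contoso.com, site Branch-Seattle, subnet 10.20.0.0/24 and branch DC BR-DC01.

```powershell
# Added example (not from the original thread): create an AD site for the branch,
# bind its IP subnet to it, and check which DC the locator now returns.
# Constructed values: domain contoso.com, site Branch-Seattle, subnet 10.20.0.0/24,
# branch DC BR-DC01. Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$SiteName = 'Branch-Seattle'
$Subnet   = '10.20.0.0/24'
$BranchDC = 'BR-DC01'

# 1. Create the site object if it does not exist yet.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Branch office'
}

# 2. Map the branch subnet to the site. This mapping is what lets any DC
#    answer a client's site query with the branch site rather than a remote one.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
} else {
    Set-ADReplicationSubnet -Identity $Subnet -Site $SiteName
}

# 3. Move the branch DC's server object into the new site so it registers
#    site-specific SRV records for Branch-Seattle.
Move-ADDirectoryServer -Identity $BranchDC -Site $SiteName

# 4. Verify from a branch workstation: which site does it land in, and which
#    DC does the locator hand back for that site?
nltest /dsgetsite
nltest /dsgetdc:$Domain /site:$SiteName /force
Get-ADDomainController -Discover -DomainName $Domain -SiteName $SiteName |
    Select-Object HostName, Site, IPv4Address
```

Sites and subnets make the local DC the preferred choice; they do not stop the locator from falling back to another DC when the preferred one fails to answer, so the CPU problem on the branch DC still has to be addressed as the accepted answer says.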
