Solved

how to stop clients crossing across a site to find a logon D.C

Posted on 2007-12-05
4
273 Views
Last Modified: 2010-04-02
hello expert,

How to stop a client from going across a WAN to find a active Domain controller.

I have a windows 2003 active directory domain with 11 sites. (different subnets).

On several occasion clients attempted to crossing subnets to find a nearby D.C when the D.C

within their respective site was up and running.

How can i restrict client(s) to local subnet and not to allow them allowing crossing sites,

I prefer if the a client cannot authenticate in their respective subnet just deny connection

instead of crossing subnets.

Regards
Jomo
0
Comment
Question by:jomfra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20410707
Yo need to go into Active Directory Sites and Services
First Define your subnets
Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.
0
 

Author Comment

by:jomfra
ID: 20411078
hello KCTS,

>>Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.

I have all the above in place--- but the some clients when their respective

D.C is down temporary will attempt to cross sites to finds a functioning d.c

in a neighboring site.

I would like to prevent this from happen the bandwidth between sites is

only 64kbps.

What i would like is if the d.c within the client's site is not available just

do not allow clients to log in i do not want log on traffic across the WAN.

thanks
0
 
LVL 1

Accepted Solution

by:
tonux earned 250 total points
ID: 20414521
alternatively, you could set up an access list on the WAN router to avoid all AD traffic.
see here for detailed port to restrict : http://technet.microsoft.com/en-us/library/bb727063.aspx
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 250 total points
ID: 20414575
That is the default - if the DC on their own site is not available then the clients will attempt to locate another DC. You can block the traffic as tonux suggests but then users at the remote site will not be able to log on - though cached credentials would work.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question