Solved

how to stop clients crossing across a site to find a logon D.C

Posted on 2007-12-05
4
264 Views
Last Modified: 2010-04-02
hello expert,

How to stop a client from going across a WAN to find a active Domain controller.

I have a windows 2003 active directory domain with 11 sites. (different subnets).

On several occasion clients attempted to crossing subnets to find a nearby D.C when the D.C

within their respective site was up and running.

How can i restrict client(s) to local subnet and not to allow them allowing crossing sites,

I prefer if the a client cannot authenticate in their respective subnet just deny connection

instead of crossing subnets.

Regards
Jomo
0
Comment
Question by:jomfra
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20410707
Yo need to go into Active Directory Sites and Services
First Define your subnets
Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.
0
 

Author Comment

by:jomfra
ID: 20411078
hello KCTS,

>>Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.

I have all the above in place--- but the some clients when their respective

D.C is down temporary will attempt to cross sites to finds a functioning d.c

in a neighboring site.

I would like to prevent this from happen the bandwidth between sites is

only 64kbps.

What i would like is if the d.c within the client's site is not available just

do not allow clients to log in i do not want log on traffic across the WAN.

thanks
0
 
LVL 1

Accepted Solution

by:
tonux earned 250 total points
ID: 20414521
alternatively, you could set up an access list on the WAN router to avoid all AD traffic.
see here for detailed port to restrict : http://technet.microsoft.com/en-us/library/bb727063.aspx
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 250 total points
ID: 20414575
That is the default - if the DC on their own site is not available then the clients will attempt to locate another DC. You can block the traffic as tonux suggests but then users at the remote site will not be able to log on - though cached credentials would work.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
managing a small network 6 83
moving away from .local domain 5 26
AD Sites/AD Replication 11 34
Wireless scope on sever with DSL connection 9 21
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question