?
Solved

how to stop clients crossing across a site to find a logon D.C

Posted on 2007-12-05
4
Medium Priority
?
275 Views
Last Modified: 2010-04-02
hello expert,

How to stop a client from going across a WAN to find a active Domain controller.

I have a windows 2003 active directory domain with 11 sites. (different subnets).

On several occasion clients attempted to crossing subnets to find a nearby D.C when the D.C

within their respective site was up and running.

How can i restrict client(s) to local subnet and not to allow them allowing crossing sites,

I prefer if the a client cannot authenticate in their respective subnet just deny connection

instead of crossing subnets.

Regards
Jomo
0
Comment
Question by:jomfra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20410707
Yo need to go into Active Directory Sites and Services
First Define your subnets
Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.
0
 

Author Comment

by:jomfra
ID: 20411078
hello KCTS,

>>Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.

I have all the above in place--- but the some clients when their respective

D.C is down temporary will attempt to cross sites to finds a functioning d.c

in a neighboring site.

I would like to prevent this from happen the bandwidth between sites is

only 64kbps.

What i would like is if the d.c within the client's site is not available just

do not allow clients to log in i do not want log on traffic across the WAN.

thanks
0
 
LVL 1

Accepted Solution

by:
tonux earned 750 total points
ID: 20414521
alternatively, you could set up an access list on the WAN router to avoid all AD traffic.
see here for detailed port to restrict : http://technet.microsoft.com/en-us/library/bb727063.aspx
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 750 total points
ID: 20414575
That is the default - if the DC on their own site is not available then the clients will attempt to locate another DC. You can block the traffic as tonux suggests but then users at the remote site will not be able to log on - though cached credentials would work.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question