Solved

how to stop clients crossing across a site to find a logon D.C

Posted on 2007-12-05
4
262 Views
Last Modified: 2010-04-02
hello expert,

How to stop a client from going across a WAN to find a active Domain controller.

I have a windows 2003 active directory domain with 11 sites. (different subnets).

On several occasion clients attempted to crossing subnets to find a nearby D.C when the D.C

within their respective site was up and running.

How can i restrict client(s) to local subnet and not to allow them allowing crossing sites,

I prefer if the a client cannot authenticate in their respective subnet just deny connection

instead of crossing subnets.

Regards
Jomo
0
Comment
Question by:jomfra
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20410707
Yo need to go into Active Directory Sites and Services
First Define your subnets
Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.
0
 

Author Comment

by:jomfra
ID: 20411078
hello KCTS,

>>Then set-up your sites in AD sites and service and associate each site with one or more subnets
Job Done

Clients will then use a DC in their own site in preference to another DC.

I have all the above in place--- but the some clients when their respective

D.C is down temporary will attempt to cross sites to finds a functioning d.c

in a neighboring site.

I would like to prevent this from happen the bandwidth between sites is

only 64kbps.

What i would like is if the d.c within the client's site is not available just

do not allow clients to log in i do not want log on traffic across the WAN.

thanks
0
 
LVL 1

Accepted Solution

by:
tonux earned 250 total points
ID: 20414521
alternatively, you could set up an access list on the WAN router to avoid all AD traffic.
see here for detailed port to restrict : http://technet.microsoft.com/en-us/library/bb727063.aspx
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 250 total points
ID: 20414575
That is the default - if the DC on their own site is not available then the clients will attempt to locate another DC. You can block the traffic as tonux suggests but then users at the remote site will not be able to log on - though cached credentials would work.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now