  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1052
Can a Windows Server 2008 domain controller service multiple Active Directory sites?

I have an AD forest that is at the 2008 forest functional level.  I'd like to create an AD site for each physical location in the organization that contains only those subnets for the site.  However, I only have domain controllers at a few of those sites.  I thought I had read an article somewhere that mentioned that there was a new feature in Server 2008 that allowed a single domain controller to service multiple AD sites.  This wasn't a reghack, but a published ability that I thought could be managed through the AD Sites and Services snap-in.  However, I cannot find anything that would let me do this in the tool.

To avoid questions, I'll try to describe the environment:
* Multiple physical locations (let's say 10 for academic reasons)
* Only a few of those locations need domain controllers (let's say 3 for academic reasons)
* The customer wants an AD site for every physical site
* There's a central site in the company that everyone talks to directly.  That site has multiple DCs.
* 2 of the remote physical sites will have a single domain controller
* 7 of the sites will not have a domain controller
* The single hub site should be the authentication source for itself and the 7 sites that do not have domain controllers

I came upon a KB article (200498) that mentions doing this for Windows 2000 and 2003.  It's basically a reghack to add a SiteCoverage value to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

Is this still the only way to allow a DC to service multiple sites or is there something new and cool in 2008 that lets us do this another way?  And, I don't remember what article I read that talked about this, so I may have just been smoking something one day and thought I read something that didn't exist.  ;)

Also, I know that we can assign subnets from multiple physical sites into the central hub site, but that's not what I'm asking.  I want a domain controller (or multiple domain controllers) in ADSiteA to also service ADSiteB that does not have a domain controller.

Thanks in advance for your help!
Asked by: DustinHollenback

1 Solution
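For readers who want to see the reghack from the question (KB 200498) written out, this is an added PowerShell example, not code from the question or any of the answers: it reads the current manual coverage list on a DC, validates the site names you want it to cover against the sites that actually exist in the forest, writes the REG_MULTI_SZ SiteCoverage value under the Netlogon\Parameters key named in the question, and restarts Netlogon so the DC re-registers its site-specific DNS SRV records. It must run in an elevated session on the hub DC; the site names in the usage comment are constructed placeholders.

```powershell
# Added example (not from the question or answers): manage the manual
# Netlogon SiteCoverage list on the DC this runs on. Elevated session required.

Add-Type -AssemblyName System.DirectoryServices

$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SiteCoverageSetting {
    # Returns the current manual coverage list (REG_MULTI_SZ), or $null if the
    # value has never been set (i.e. only automatic site coverage is in effect).
    $item = Get-ItemProperty -Path $netlogonParams -ErrorAction Stop
    if ($item.PSObject.Properties.Name -contains 'SiteCoverage') {
        return [string[]]$item.SiteCoverage
    }
    return $null
}

function Set-SiteCoverageSetting {
    param(
        [Parameter(Mandatory)] [string[]] $SiteNames
    )
    # Check every name against the forest's real site list first, so a typo
    # does not leave the DC advertising for a site that does not exist.
    $forestSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites |
        ForEach-Object { $_.Name }
    $unknown = @($SiteNames | Where-Object { $forestSites -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown AD site(s): $($unknown -join ', ')"
    }

    Set-ItemProperty -Path $netlogonParams -Name 'SiteCoverage' `
        -Value $SiteNames -Type MultiString

    # Netlogon re-reads its parameters and re-registers its SRV records when it
    # restarts; afterwards check the _ldap._tcp.<Site>._sites.dc._msdcs zone
    # entries to confirm the extra sites are being advertised.
    Restart-Service -Name Netlogon
}

# Usage (constructed site names for the DC-less sites):
# Set-SiteCoverageSetting -SiteNames @('Branch01', 'Branch02', 'Branch03')
# Get-SiteCoverageSetting
```

Keep in mind that a manual SiteCoverage list is per DC, so every DC in the hub that should answer for the DC-less sites needs the same value, and nothing in the registry stops two DCs in different sites from both claiming a site; the DNS SRV records are where clients actually find out who covers what.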
debuggerauCommented:
There is no reason W2K, W2K3 or even W2K8 wouldn't manage several sites as standard.
It's just the traffic that becomes an issue. And the new AD Stub Controller allows remote AD servers to contain only their local credentials, so if it's stolen, the whole org is not risked.

You will need at least 512K pipes for Group policy rollout, and enough to allow for authentication, apart from that, it will be the other services that make the customer spend the dollars, as it would be challenging to provide a remote fileserver and printserver while maintaining reasonable connection speeds for clients, or you'd better have a big pipe...
KCTSCommented:
Ideally you should have a DC at each site to prevent cross-site logon traffic - but it's not essential. The default behaviour is for any client to attempt to locate a DC in their own site for authentication; however, if no DC is found - or there is no response - then the client will seek another DC. This is the default behaviour - you need not do anything.
DustinHollenbackAuthor Commented:
debuggerau and KCTS,

I may not have been very clear with my question.  I understand the AD Site structure and when and where to place domain controllers based on bandwidth, latency, number of authenticated users, and all of the other variables.  And, based on the size of some of my locations, there is no way that I'll be placing a DC at those physical sites.

Is there a way in the new AD Sites and Services GUI to assign a single domain controller to service 2 or more defined AD sites?  I know that it is possible with a registry hack on the domain controller, but I wanted to see if this was more refined in Windows Server 2008.
debuggerauCommented:
Is there a way in the new AD Sites and Services GUI to assign a single domain controller to service 2 or more defined AD sites?

- We started by asserting that it is possible; in fact, this is the default..

Which has got me wondering, what hack are you referring to?

The whole idea of which DC to log in to is a moot one, as it will authenticate to whatever DC it can see first, and failing that, move onto the next, until it finds a resource to validate itself against...
matthijssenCommented:
You can force the clients in a site that has no DCs to look to specific sites' DCs by weighting the site links.

How Domain Controllers Are Located in Windows XP

http://support.microsoft.com/kb/314861/en-us

How to optimize the location of a domain controller or global catalog that resides outside of a client's site

http://support.microsoft.com/kb/306602

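Whichever mechanism ends up covering the DC-less sites (the automatic coverage and site link costing KB 306602 describes, or a manual SiteCoverage list), the thing to verify is the DNS side, because that is what the DC locator on the client reads. The following is an added PowerShell example, not part of any answer above or of the KB articles: for every site in the forest it lists the DCs physically placed in that site and the DCs whose site-specific `_ldap._tcp.<Site>._sites.dc._msdcs.<domain>` SRV records claim to cover it, and flags sites that have no DC of their own but are covered from elsewhere. It assumes `Resolve-DnsName` from the DnsClient module (Windows 8 / Server 2012 and later) and that the machine's DNS client resolves the AD-integrated zone; the root domain of the forest is used, since coverage records are per domain.

```powershell
# Added example (not from the answers or the KB articles): report which DCs
# cover each AD site according to the site-specific locator SRV records.

Add-Type -AssemblyName System.DirectoryServices

function Get-SiteCoverageReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = $forest.RootDomain.Name   # assumption: report for the root domain

    foreach ($site in $forest.Sites) {
        # DCs whose server object actually lives in this site.
        $local = @($site.Servers | ForEach-Object { $_.Name })

        # Every DC registers this record for each site it covers, whether the
        # coverage is automatic or comes from a manual SiteCoverage list.
        $srvName = "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$domain"
        $covering = @(
            Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget }
        )

        [pscustomobject]@{
            Site               = $site.Name
            LocalDCs           = ($local -join ', ')
            CoveringDCs        = ($covering -join ', ')
            CoveredByOtherSite = ($local.Count -eq 0 -and $covering.Count -gt 0)
            Uncovered          = ($covering.Count -eq 0)
        }
    }
}

Get-SiteCoverageReport | Sort-Object Site | Format-Table -AutoSize
```

A site that shows up as Uncovered is the case to chase: clients there fall back to the generic `_ldap._tcp.dc._msdcs` records and may authenticate against any DC in the domain, which is the cross-site traffic the thread is trying to steer. Run the report again after adjusting site link costs or the SiteCoverage value to confirm the hub DCs are now the ones listed for the 7 DC-less sites.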
DustinHollenbackAuthor Commented:
Hi Matthijssen,

This page is exactly what I was looking for: http://support.microsoft.com/kb/306602.  The KB article does not mention Server 2008, but I'll hope that it hasn't changed in the new OS.  

Thank you!