Can I configure DCs to prefer to authenticate within their own subnet?

I have two DCs, both configured to the same site, but connected on different (slow connection) subnets. I want logins to prefer to authenticate to the DC on the local subnet, but to default to the other DC if the local server fails.

I currently have the Sites and Services setup as shown in the image. Both subnets are in the default site.

I am not practiced in AD setup, so please provide step-by-step instructions.

Thank you.


Sites.JPG

Asked by: HilltownHealthCenter
 
Darius Ghassem commented:
This should give you step by step instructions. Make sure the local clients on the subnets point to their local DNS server for primary so they can find the local server.

http://windowsitpro.com/article/articleid/13380/how-do-i-create-a-new-active-directory-site.html
 
Mike Kline commented:
Take a look at my answer about halfway down this thread
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24109142.html
That should give you the steps you need.
I'm also going to do a blog entry on setting up a new site as I see the question come up a lot on here.
 
Thanks
Mike
 
HilltownHealthCenter (Author) commented:
Do I have to set up a DNS server on the second site DC? I am happy letting the central DC handle DNS; it does not seem to have any speed issues over a 1.5 Mb T1.

Once I have assigned the subnet object to the new site, which will contain the second DC, will DNS requests continue to honor the DHCP assigned address (the main DC's address)?
 
Mike Kline commented:
You could let the main DC handle DNS, but I'd put it on both. Make the zone Active Directory integrated and let the information replicate. With a T1 between sites you are right, you shouldn't have issues.
 
Thanks
Mike
 
HilltownHealthCenter (Author) commented:
Assuming no additional configuration on my part, will subnet clients use the default (main server) DNS?
 
Mike Kline commented:
Yes, they will if that is what is listed in their DNS settings.
 
Mike Kline commented:
...and just in case anyone comes by this thread in the future and wonders about the "make all DCs GCs" advice:
It is not only me that recommends that; see lessons learned from Eric Fleischman
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
A T1 will be fine for that.
Thanks
Mike
 
Americom commented:
Before you create any AD site, you definitely should make both DCs GCs and ADIZ the DNS on both DCs.
 
HilltownHealthCenter (Author) commented:
Americom,

Can you translate that please?
 
Mike Kline commented:
He is saying what we were saying above: make both domain controllers global catalog servers too.
ADIZ = Active Directory integrated DNS zone -- i.e. try to run DNS on both boxes.
Thanks
Mike
 
Americom commented:
Thanks for the clarification Mike.
 
HilltownHealthCenter (Author) commented:
I have replicating DNS servers on both sites, GC enabled on both, replication checked out using dcdiag. I assigned the appropriate subnet to the new site. I added the new DNS server address as the first address to the subnet DHCP.

When I built the DNS server on the new site, it replicated from the existing site. Does that mean that I have accomplished an "ADIZ = Active Directory integrated DNS zone"?

I have checked that users can log in successfully, and plan to kill the DC next time I'm at the site to be sure logins will succeed in that case.

And one last question: Now that things seem to be working as advertised, is there a test to tell which DC is being used for authentication from a particular workstation?
 
Darius Ghassem commented:
Yes, that means AD integrated zones are working.

Look over this to view current DC.

http://www.actividentity.com/support/kbase/cms/display_article.php?kbid=524
 
Mike Kline commented:
Right-click on your domain in DNS and go to Properties; there, under Type, it will tell you if it is AD integrated (see screenshot).
 
For the logon server, from the command prompt you can type
set L
or
echo %logonserver%
Thanks
Mike
 

ADI-Zone.jpg
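As an added example that is not from any poster in this thread, the PowerShell below pulls together the two checks Mike describes (the logon server and the zone Type) and adds the site lookup, so you can confirm a workstation is actually being served by the DC in its own subnet. It assumes a domain-joined workstation with the RSAT ActiveDirectory and DnsServer modules installed; nltest.exe ships with Windows.

```powershell
# Added example (not from the thread). Run on a domain-joined workstation with
# the RSAT ActiveDirectory and DnsServer modules available.
# Answers: which DC authenticated this session, is it one of the DCs in the
# client's own site, and is the domain zone on that DC AD-integrated (ADIZ)?

Import-Module ActiveDirectory

# 1. The DC that processed this logon; same value as 'echo %logonserver%' in cmd.
#    Caveat: after a cached logon (no DC reachable) this holds the local
#    computer name rather than a DC, so it is checked against the DC list below.
$logonDc = $env:LOGONSERVER.TrimStart('\')

# 2. The site the client resolved itself into from its IP address and the
#    subnet objects in Sites and Services. nltest prints the site name first.
$clientSite = (nltest /dsgetsite | Select-Object -First 1).Trim()

# 3. All DCs in the domain, and the subset registered for the client's site.
$allDcs  = Get-ADDomainController -Filter *
$siteDcs = $allDcs | Where-Object { $_.Site -eq $clientSite } |
    Select-Object -ExpandProperty Name
$isDc    = $allDcs.Name -contains $logonDc

# 4. Zone type on the DC that answered. IsDsIntegrated is the 'Type:
#    Active Directory-Integrated' shown in the DNS console properties;
#    ReplicationScope shows whether it replicates domain- or forest-wide.
$zone = if ($isDc) {
    Get-DnsServerZone -ComputerName $logonDc -Name $env:USERDNSDOMAIN
}

[pscustomobject]@{
    LogonServer      = $logonDc
    LogonServerIsDc  = $isDc
    ClientSite       = $clientSite
    SiteDCs          = ($siteDcs -join ', ')
    LocalSiteDcUsed  = ($siteDcs -contains $logonDc)
    ZoneName         = $zone.ZoneName
    AdIntegrated     = $zone.IsDsIntegrated
    ReplicationScope = $zone.ReplicationScope
}
```

If LocalSiteDcUsed is False while LogonServerIsDc is True, the client's subnet is most likely not assigned to the site it sits in, which is exactly the Sites and Services step discussed above.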
 
HilltownHealthCenter (Author) commented:
I just realized that there is a piece I don't know how to deal with. Users' profiles have a logon script specified that is placed (by default, I guess) in C:\WINDOWS\SYSVOL\domain\scripts on the original DC.

What happens when users authenticate on the new site DC?
 
Darius Ghassem commented:
The logon scripts are replicated over to other DCs; don't worry about it.
 
Mike Kline commented:
The info in SYSVOL will be on both DCs (it replicates using FRS -- File Replication Service).
Thanks
Mike
 
HilltownHealthCenter (Author) commented:
You guys are great! So the last question:

Is there a test to tell which DC is being used for authentication from a particular workstation, either from the workstation, or by viewing some server log?
 
Darius Ghassem commented:
The link I provided shows you how to do it.