Can I configure DCs to prefer to authenticate within their own subnet?

I have two DCs, both configured to the same site, but connected on different (slow connection) subnets. I want logins to prefer to authenticate to the DC on the local subnet, but to default to the other DC if the local server fails.

I currently have the Sites and Services setup as shown in the image. Both subnets are in the default site.

I am not practiced in AD setup, so please provide step-by-step instructions.

Thank you.


[Attached image: Sites.JPG]

Asked by HilltownHealthCenter
Darius Ghassem commented:
This should give you step by step instructions. Make sure the local clients on the subnets point to their local DNS server for primary so they can find the local server.

http://windowsitpro.com/article/articleid/13380/how-do-i-create-a-new-active-directory-site.html
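As an added example (not from the thread or the linked article), here is the site/subnet layout the thread is working towards, built with the ActiveDirectory PowerShell module (Server 2008 R2+ / RSAT; the GUI steps in the links create the same objects). Site names, subnets and the DC name are constructed placeholders.

```powershell
# Added example (not from the thread or the linked article): the site/subnet
# layout the thread describes, built with the ActiveDirectory module (Server
# 2008 R2+ / RSAT). The GUI steps in the links produce the same objects.
# Site names, subnets and the DC name are constructed placeholders.
Import-Module ActiveDirectory

$mainSite   = 'Default-First-Site-Name'   # existing default site (both DCs start here)
$branchSite = 'Branch-Site'               # new site for the remote subnet
$mainNet    = '10.0.1.0/24'               # HQ subnet (placeholder)
$branchNet  = '10.0.2.0/24'               # remote subnet (placeholder)
$branchDC   = 'DC2'                       # the DC physically on the remote subnet

# 1. Create the site and move the remote DC's server object into it.
New-ADReplicationSite -Name $branchSite
Move-ADDirectoryServer -Identity $branchDC -Site $branchSite

# 2. Map each subnet to its site. The DC locator uses this mapping to hand a
#    client a DC from its own site first; a DC is only "local" to AD if the
#    client's address falls in a subnet object assigned to that DC's site.
New-ADReplicationSubnet -Name $mainNet   -Site $mainSite
New-ADReplicationSubnet -Name $branchNet -Site $branchSite

# 3. Link the sites so replication has a path between them. When the local DC
#    is down, the DC locator falls back to any DC in the domain on its own.
New-ADReplicationSiteLink -Name "$mainSite-$branchSite" `
    -SitesIncluded $mainSite, $branchSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 4. Checks matching the thread's advice: every DC a GC, every subnet mapped,
#    and (on a DC running DNS, DnsServer module) the zone AD-integrated.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-DnsServerZone -Name (Get-ADDomain).DNSRoot |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope
```

The subnet and site-link cmdlets fail if an object with that name already exists, so run the step 4 checks first on an existing forest.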
 
Mike Kline commented:
Take a look at my answer about halfway down this thread
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24109142.html
That should give you the steps you need.
I'm also going to do a blog entry on setting up a new site as I see the question come up a lot on here.
 
Thanks
Mike
 
HilltownHealthCenter (author) commented:
Do I have to set up a DNS server on the second site DC? I am happy letting the central DC handle DNS, it does not seem to have any speed issues over a 1.5Mb T1.

Once I have assigned the subnet object to the new site, which will contain the second DC, will DNS requests continue to honor the DHCP assigned address (the main DC's address)?
 
Mike Kline commented:
You could let the main DC handle DNS but I'd put it on both.  Make the zone active directory integrated and let the information replicate.  With a T1 between sites you are right you shouldn't have issues.
 
Thanks
Mike
 
HilltownHealthCenter (author) commented:
Assuming no additional configuration on my part, will subnet clients use the default (main server) DNS?
 
Mike Kline commented:
Yes, they will if that is what is listed in their DNS settings.
 
Mike Kline commented:
...and just in case anyone comes by this thread in the future and wonders about the "make all DCs GCs advice"
It is not only me that recommends that; see lessons learned from Eric Fleischman:
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
A T1 will be fine for that.
Thanks
Mike
 
Americom commented:
Before you create any AD site, you definitely should make both DCs GCs and ADIZ the DNS on both DCs.
 
HilltownHealthCenter (author) commented:
Americom,

Can you translate that please?
 
Mike Kline commented:
He is saying what we were saying above, make both Domain controllers global catalog servers too
ADIZ = active directory integrated DNS zone -- i.e. try to run DNS on both boxes.
Thanks
Mike
 
Americom commented:
Thanks for the clarification Mike.
 
HilltownHealthCenter (author) commented:
I have replicating DNS servers on both sites, GC enabled on both, replication checked out using dcdiag. I assigned the appropriate subnet to the new site. I added the new DNS server address as the first address to the subnet DHCP.

When I built the DNS server on the new site, it replicated from the existing site. Does that mean that I have accomplished an "ADIZ = active directory integrated DNS zone"?

I have checked that users can login successfully, and plan to kill the DC next time I'm at the site to be sure logins will succeed in that case.

And one last question: Now that things seem to be working as advertised, is there a test to tell which DC is being used for authentication from a particular workstation?
 
Darius Ghassem commented:
Yes, that means AD integrated zones are working.

Look over this to view current DC.

http://www.actividentity.com/support/kbase/cms/display_article.php?kbid=524
 
Mike Kline commented:
Right click on your domain in DNS and go to properties, there under type it will tell you if it is AD integrated (see screenshot)
 
For the logon server, from the command prompt you can type
set L
or
echo %logonserver%
Thanks
Mike
 

[Attached image: ADI-Zone.jpg]
 
HilltownHealthCenter (author) commented:
I just realized that there is a piece I don't know how to deal with. Users' profiles have a logon script specified that is placed (by default, I guess) in C:\WINDOWS\SYSVOL\domain\scripts on the original DC.

What happens when users authenticate on the new site DC?
 
Darius Ghassem commented:
The logon scripts are replicated over to other DCs don't worry about it.
 
Mike Kline commented:
The info in sysvol will be on both DCs (it replicates using FRS -- file replication service)
Thanks
Mike
 
HilltownHealthCenter (author) commented:
You guys are great! So the last question:

Is there a test to tell which DC is being used for authentication from a particular workstation, either from the workstation, or by viewing some server log?
 
Darius Ghassem commented:
The link I provided shows you how to do it.
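As an added example (not from any of the posters), this covers both the "set L" / "echo %logonserver%" check Mike gives above and the author's later question about confirming the authenticating DC from the workstation or from a server log. It assumes a domain-joined Windows client with nltest.exe and PowerShell 3 or later, and DCs on Server 2008 or later for the event ID used.

```powershell
# Added example, not from the thread: run on a workstation to confirm it logged
# on to the DC in its own site (the "set L" / "echo %logonserver%" check from
# above, plus the site mapping), and on each DC to see who it authenticates.
# Assumes a domain-joined Windows client with nltest.exe and PowerShell 3+.
function Test-LocalSiteLogon {
    $logonServer = $env:LOGONSERVER.TrimStart('\')     # e.g. DC2

    # Site the client computes from its own IP and the AD subnet objects.
    $clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # Site of the DC that handled this logon.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc     = $domain.DomainControllers | Where-Object { $_.Name -like "$logonServer.*" }

    # DC locator's answer right now; /force bypasses the cached result.
    $locator = (nltest /dsgetdc:$($domain.Name) /force) -join "`n"

    [pscustomobject]@{
        LogonServer     = $logonServer
        LogonServerSite = $dc.SiteName
        ClientSite      = $clientSite
        SameSite        = ($dc.SiteName -eq $clientSite)
        LocatorOutput   = $locator
    }
}

# Server-side view: Kerberos TGT requests (Security event 4768, Server 2008+)
# grouped by client address. Run on both DCs; remote-subnet clients should
# appear on the branch DC, not the central one.
function Get-TgtRequestsByClient {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'IpAddress' } |
                Select-Object -ExpandProperty '#text'
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
}

Test-LocalSiteLogon
```

SameSite comes back False when the client's IP is not covered by any subnet object, so that is the first thing to check if the branch clients keep landing on the central DC.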