Joe_Budden asked:
Question regarding DC utilisation

Hi All

We are running Windows XP clients in a number of sites, along with Windows 2003 DCs. We have a large HQ which has multiple DCs, and some other medium-sized sites around Europe.

Some sites don't have their own dedicated DC, especially ones close to HQ, so their subnet is defined as part of the HQ site in Sites and Services.

We have just run a tool that shows the number of authentications on DCs per minute. For some reason, one of the DCs in HQ (one DC out of 6) has a lot more authentications. These aren't peaks either; it's generally uniform across the day.

Is there any way to check why this is?

Many thanks in advance!
martin_babarik:

Hello,

It might be because of DNS.
When a client tries to authenticate to a domain, it asks the DNS server for the service records that point to the LDAP, DC and GC servers. It might be that the DNS server taking part in this authentication scenario preferentially returns records pointing to this particular DC.
If you want to change this, you can edit the resource records in your DNS zone so that the "overloaded" server gets less priority.

Martin
One more idea... maybe it would be worth checking whether the server in question is the only Global Catalog (or one of only a few).
Martin
SOLUTION (tigermatt)
This solution is only available to members.
Joe_Budden (asker):
Hi All,

Sorry, I should have mentioned that ALL DCs in the HQ site are GCs.

The DNS priority theory sounds interesting - how would I be able to check the priority of that resource record? And what would the resource record be called? I wasn't aware that the DC resource record had a priority setting?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thanks, great explanation.

Just one final question: we also have a bunch of apps that carry out LDAP queries, need Kerberos authentication, etc. They all need an LDAP server/Kerberos server entered, which is one of the other DCs.

Is there any way to set this up so that they try all the DCs listed in the AD DNS SRV records?

Also, would LDAP queries be classed as "authentications" to a DC, and therefore affect our chart? I am wondering if someone has set up a bunch of apps to use the affected DC as the LDAP server.

If the application needs the exact name of the LDAP and Kerberos server configured, I don't think it's possible.

LDAP queries are not classed as authentication themselves, but to perform an LDAP query you need to be authenticated, so actually yes, it might affect the chart.
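The following script is an added example, not code posted by anyone in this thread. It covers two things discussed above: how to see the Priority and Weight that each DC publishes in its `_ldap._tcp` SRV records (the "priority of that resource record" the asker wanted to check), and how a client that honours those records spreads its choice across the listed DCs, which is what an application pointed at a single fixed hostname never does. It assumes a domain-joined admin workstation with the `Resolve-DnsName` cmdlet (DnsClient module, Windows 8 / Server 2012 or later); `corp.example.com` and `HQ` are placeholder domain and site names, and the six-DC sample set at the bottom is constructed so the selection logic can run offline.

```powershell
# Added example (not from the thread): list the SRV records Netlogon registers
# for a domain, show each DC's Priority/Weight, and simulate the RFC 2782
# selection a DNS-aware client performs so the effect of the values is visible.
# Assumptions: Resolve-DnsName available (Windows 8 / Server 2012 or later),
# the AD DNS zone is resolvable; "corp.example.com" and "HQ" are placeholders.

function Get-DcSrvRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Site                      # optional: site-specific records
    )
    # Clients whose subnet maps to a site query the site-specific record first;
    # the generic record is the fallback when no site-covered DC answers.
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
            else       { "_ldap._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |        # drop additional A records
        Select-Object @{n='Target';e={$_.NameTarget}}, Priority, Weight, Port
}

function Select-SrvTarget {
    # RFC 2782 selection: only the lowest Priority group is eligible; within
    # it, a target is chosen with probability Weight / sum(Weights).
    param([Parameter(Mandatory)] [object[]] $Records)
    $lowest   = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $eligible = @($Records | Where-Object { $_.Priority -eq $lowest })
    $total    = ($eligible | Measure-Object -Property Weight -Sum).Sum
    if ($total -le 0) { return ($eligible | Get-Random).Target }  # all zero: any
    $r = Get-Random -Minimum 0 -Maximum ($total + 1)   # 0..total inclusive
    $running = 0
    foreach ($rec in $eligible) {
        $running += $rec.Weight
        if ($running -ge $r) { return $rec.Target }
    }
    return $eligible[-1].Target
}

function Measure-SrvDistribution {
    # Run the selection many times and report the share each DC receives.
    param([object[]] $Records, [int] $Trials = 2000)
    $tally = @{}
    1..$Trials | ForEach-Object {
        $t = Select-SrvTarget -Records $Records
        $tally[$t] = 1 + [int]$tally[$t]
    }
    $tally.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        [pscustomobject]@{ Target = $_.Key; Share = '{0:P1}' -f ($_.Value / $Trials) }
    }
}

# --- Live check against the real zone (uncomment on a domain-joined host) ---
# $live = Get-DcSrvRecords -Domain 'corp.example.com' -Site 'HQ'
# $live | Format-Table -AutoSize
# Measure-SrvDistribution -Records $live

# --- Constructed sample set so the selection logic runs offline ---
# Six HQ DCs: five at the Netlogon defaults (Priority 0, Weight 100) and one
# whose Weight was raised to 500, enough to skew the share it receives.
$sample = 1..6 | ForEach-Object {
    [pscustomobject]@{
        Target   = "dc$($_).corp.example.com"
        Priority = 0
        Weight   = $(if ($_ -eq 6) { 500 } else { 100 })
        Port     = 389
    }
}
Measure-SrvDistribution -Records $sample

# On a DC, the published values come from these Netlogon registry values
# (defaults: LdapSrvPriority 0, LdapSrvWeight 100). Lowering a DC's weight, or
# raising its priority number, makes clients pick it less often; after a change
# run 'nltest /dsregdns' or restart Netlogon so the records are re-registered.
# Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' |
#     Select-Object LdapSrvPriority, LdapSrvWeight
```

With the constructed set, dc6 ends up with roughly half of the selections and the other five share the rest, which is the kind of uniform-across-the-day skew a raised weight (or a lowered weight on the others) produces. The simulation models only the SRV selection step; the Windows DC locator additionally sends LDAP pings to candidate DCs, uses the first responder and caches it, so a live distribution will not match the simulated shares exactly. An application configured with one DC's hostname bypasses this mechanism entirely, which is why such apps are worth listing when one DC's load stands out.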
SOLUTION
This solution is only available to members.