Group Policy and domain controller authentication

bpbtech asked:
Is there a way to configure Group Policy to specify what domain controller a user will authenticate to? Not sure what the setting would be, but we have remote offices that we want to authenticate to a different set of domain controllers than the main office.
Commented:
It is done by setting up Active Directory Sites and Services properly.
For each physical location, create a site in AD Sites and Services. Also create subnets and assign those subnets to the site. Move your DCs into the correct site.

You configure 2 sites within your domain, then you assign 1 controller to the first site and the other domain controller to the second one. Sites, however, are built up on the basis of IP-address ranges. If you make sure that the client is in the same IP range as the domain controller you want it to communicate with first, it will do so on the basis of membership of this site.

Check out the link below for more info
http://www.wowworx.com/msactivedirectory/NewtNotesDPT224Ch06.htm
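The site/subnet/DC-placement steps in the answer above, written out in PowerShell as an added example (this is not code from the thread; it uses the ActiveDirectory module cmdlets shipped with Windows Server 2012 and later). The domain name, site names, subnet ranges and DC names are assumptions chosen for illustration; replace them with your own. The last two lines are the check a practitioner wants afterwards: which site the current machine lands in, and which DC the locator returns for the remote site.

```powershell
# Added example (not from the original thread): build the AD site topology the
# answer describes, then verify the locator result.
# Domain, site names, subnets and DC names below are assumptions for illustration.
Import-Module ActiveDirectory

$domain = 'corp.example.com'          # assumed domain
$sites = @{
    'HQ'           = @('10.1.0.0/16')
    'RemoteOffice' = @('10.2.0.0/24', '10.2.1.0/24')
}
$dcPlacement = @{
    'DC01' = 'HQ'
    'DC02' = 'HQ'
    'DC03' = 'RemoteOffice'
}

# 1. One site per physical location (skip any that already exist).
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnets, each bound to its site. A client's site is decided only by the
#    subnet its IP address falls in, so an unassigned subnet means "no site"
#    and the client falls back to the domain-wide locator records.
foreach ($site in $sites.Keys) {
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 3. Move each DC into its site. A DC left in the wrong site keeps advertising
#    itself to the clients of that site.
foreach ($dc in $dcPlacement.Keys) {
    $server = Get-ADDomainController -Identity $dc
    if ($server.Site -ne $dcPlacement[$dc]) {
        Move-ADDirectoryServer -Identity $dc -Site $dcPlacement[$dc]
    }
}

# 4. Verify: which site does this machine resolve to, and which GC-enabled DC
#    does the locator hand out for the remote site?
nltest /dsgetsite
Get-ADDomainController -Discover -SiteName 'RemoteOffice' -Service GlobalCatalog
```

Run this once on any machine with RSAT and domain-admin rights; the site and subnet objects live in the Configuration partition and replicate to every DC. Note that site changes are picked up by clients only after Netlogon re-evaluates its site (it does so periodically and at reboot), so a freshly moved client may report the old site for a while.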

GROUP POLICIES have no role in this.
-- Don't know if there is any Group Policy like that or not, but following is something which you can try:

Client machines will locate the domain controllers with the help of SRV and LDAP records registered under DNS. By default all the domain controllers will publish their records under all sites as a fault-tolerant mechanism, also called Auto Site Coverage.

If you want a remote-site client to get authentication from any other domain other than the local domain, then you have to play with these SRV records.

You can disable or enable the auto site coverage with the following registry key:
HK:LM\CCS\Services\Netlogon\Parameters\AutoSiteCoverage (0 = disable, 1 = enable)

Or you can use the following Group Policy:

Computer Configuration - Administrative Templates - System - Netlogon - AutoSiteCoverage (Enabled/Disabled)

-- So all you need to do is enable this Group Policy and make sure that under that remote site (DNS settings) you see only the records of the domain controllers from which you want them to get authentication.

-- If you see any other records then you can delete them. After applying the policy or registry key accordingly as per plan, and after deleting the DNS records, restart the DNS and Netlogon services to see if other DCs are registering the records or not.

-- Let us know in case you have any issues.
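Before deleting anything in DNS it is worth seeing exactly which DCs are advertising for a site and what the AutoSiteCoverage value on a given DC actually is. The following is an added example, not code from the thread: it reads the site-specific and domain-wide `_ldap._tcp` SRV records with Resolve-DnsName, reads the Netlogon AutoSiteCoverage value from its full registry path (the comment above abbreviates it), and asks the DC locator directly with nltest. The domain and site name are assumptions for illustration.

```powershell
# Added example (not from the original thread): inspect which DCs have
# registered locator records for a site, and read AutoSiteCoverage on this DC.
# Domain and site name are assumptions for illustration.
$domain = 'corp.example.com'
$site   = 'RemoteOffice'

# Site-specific locator record: what a client in this site queries first.
$siteRecord   = "_ldap._tcp.$site._sites.dc._msdcs.$domain"
# Domain-wide locator record: the fallback when no site record answers.
$domainRecord = "_ldap._tcp.dc._msdcs.$domain"

Write-Host "DCs advertising for site '$site':"
Resolve-DnsName -Name $siteRecord -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

Write-Host "DCs advertising domain-wide:"
Resolve-DnsName -Name $domainRecord -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# AutoSiteCoverage is per DC. The value is absent by default, which means
# enabled: a DC covers any site that has no DC of its own.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$value  = (Get-ItemProperty -Path $params -Name AutoSiteCoverage -ErrorAction SilentlyContinue).AutoSiteCoverage
if ($null -eq $value) {
    Write-Host 'AutoSiteCoverage: not set (default = enabled)'
} else {
    Write-Host "AutoSiteCoverage: $value (0 = disabled, 1 = enabled)"
}

# Ask the DC locator itself, bypassing its cache, which DC it picks for the site.
nltest "/dsgetdc:$domain" "/site:$site" /force
```

The point of listing the site record beside the domain-wide record is that a remote-site client only falls through to the domain-wide list when the site-specific query returns nothing, so an unexpected DC in the site-specific list is what actually pulls authentication to the wrong office. Records that a DC re-registers after you delete them are a sign that the DC still believes it covers that site, either because it sits in that site or because auto site coverage is on and the site has no DC of its own.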
Top Expert 2012

Commented:
Make sure the local clients point to the local DC for primary DNS. Make sure that the local DC is a GC. Create Sites in AD Sites and Services.

The above will make the clients authenticate to their local DCs.

This is how you load balance DCs.

http://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx
