FOR DR - Build a Domain Controller 2012 R2 - place in remote datacentre. Prevent users from authenticating

Hi. We have an L2 10GB connection to the datacentre. I'd still like to have the DC there getting replication as normal. However, is there a way to "stop"/prevent users from authenticating against the DC in the remote datacentre? How?

Thanks
Asked by philb19
Cliff Galiher commented:
Don't make it a global catalog. Make sure your site cost is high. Both would be effective. But for true DR, I'd wonder why block auth at all? Otherwise just make backups? The point of having a replicating DC is to handle a failure in an automated fashion.
philb19 (Author) commented:
Thanks Cliff. What is the significance of "Don't make it a global catalog"? I know what a GC is. Does this mean no authentication though? I wouldn't have thought so. As the link is 10GB I was not intending to place the new DC in a separate site. Simple domain here, 1 site, no slow links, just a 10Gb link to a datacentre.
philb19 (Author) commented:
No slow links, just a 10GB link to a datacentre service provider (test VM cluster); 1 site.

I'm thinking it doesn't really matter if they authenticate against the DC in DR then. It's 3-4 km away, the link is fast, a fibre connection with no latency observed.
Cliff Galiher commented:
Even with a 10GB link, always define your sites to match your broadcast (aka layer 2) domains. If it crosses a router, it should be defined.
philb19 (Author) commented:
I wasn't fully aware of that. Can I please get some insight as to why? We currently have 1 site with 2 subnets. Each DC is in a separate subnet. They are both physically local, same VM cluster and storage, separated by a layer 3 switch. Everything is running fine.
Toni Uranjek (Consultant/Trainer) commented:
You should increase the priority for the SRV records of the domain controller in the remote datacentre.

https://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc816793(v=ws.10).aspx
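The SRV-priority approach Toni describes (and the "reg key" the asker applied at the end of the thread) in PowerShell. This is an added example, not code from the thread; it assumes the standard Netlogon values LdapSrvPriority/LdapSrvWeight and uses a placeholder priority of 200.

```powershell
# Added example (not from the thread): run in an elevated PowerShell ON the remote-datacentre DC.
# Netlogon publishes this DC's SRV records (_ldap._tcp, _kerberos._tcp, ...) with the priority
# and weight stored under this key. Clients try the lowest priority first and only use a
# higher-priority DC when no lower-priority DC responds, so the DC keeps replicating but
# stays out of day-to-day logons. Assumed values: priority 200 (default 0); weight left at 100.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$priority = 200
$domain   = $env:USERDNSDOMAIN          # DNS name of the domain the DC belongs to

# Record the current settings (absent means default) so the change can be reverted.
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
          Select-Object LdapSrvPriority, LdapSrvWeight
Write-Host "Before: $($before | Out-String)"

# LdapSrvPriority / LdapSrvWeight are REG_DWORD values, valid range 0-65535.
Set-ItemProperty -Path $key -Name LdapSrvPriority -Value $priority -Type DWord
# Softer alternative: keep priority 0 and only lower the weight, e.g.
# Set-ItemProperty -Path $key -Name LdapSrvWeight -Value 10 -Type DWord

# Netlogon re-registers its SRV records on start, so restart it to push the new values to DNS.
Restart-Service -Name Netlogon -Force

# Verify from DNS: every DC in the domain with its advertised priority and weight.
Start-Sleep -Seconds 5
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize
```

On a test client, `nltest /dsgetdc:<domain> /force` (after `Clear-DnsClientCache`) shows which DC the locator now picks.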
Renato Montenegro Rustici (IT Specialist) commented:
To set a "preferred login server", make the subnet where clients are linked to the subnet where the preferred DC is. You should create every subnet that contains client devices in Sites and Services. Then, assign them to the Site where the preferred DC is. That will make clients log on to that particular DC whenever possible. When it's down, they will find a way to another one.

Here is a procedure that might help:

Step-By-Step: Setting Up Active Directory Sites, Subnets & Site-Links
http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx

And this is important information on how it works:

Sites Sites Everywhere…
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
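The site/subnet topology that Cliff and Renato recommend, scripted with the ActiveDirectory module. This is an added example, not the thread's or Microsoft's code; the subnets, site names and the DC name DC03 are placeholders.

```powershell
# Added example (not from the thread): builds the recommended site topology.
# Assumptions (placeholders): head-office subnets 10.10.0.0/16 and 10.11.0.0/16, DR subnet
# 10.20.0.0/16, the remote DC is DC03, and the existing site is Default-First-Site-Name.
# Requires RSAT-AD-PowerShell and Domain Admin (GC change: Enterprise Admin) rights.
Import-Module ActiveDirectory

$hqSite = 'Default-First-Site-Name'   # rename with Rename-ADObject if you prefer, e.g. 'HQ'
$drSite = 'DR-Datacentre'
$drDc   = 'DC03'

# 1. One site per layer-2 (routed) domain: add the DR site beside the head-office site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$drSite'")) {
    New-ADReplicationSite -Name $drSite
}

# 2. Every subnet that contains clients is defined and mapped to a site. The DC locator
#    matches the client's IP to these subnets; an unmapped client may land on any DC.
$subnets = @{ '10.10.0.0/16' = $hqSite; '10.11.0.0/16' = $hqSite; '10.20.0.0/16' = $drSite }
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 3. A high-cost site link: replication still flows every 15 minutes; the cost steers KCC
#    routing and (with "Try Next Closest Site") which site clients fall back to.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-DR'")) {
    New-ADReplicationSiteLink -Name 'HQ-DR' -SitesIncluded $hqSite, $drSite `
        -Cost 500 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 4. Move the datacentre DC into its site so it only advertises to clients in DR subnets.
Move-ADDirectoryServer -Identity $drDc -Site $drSite

# 5. Optional, per Cliff: clear the Global Catalog flag, bit 0x1 of the NTDS Settings
#    'options' attribute, so the DC stops registering _gc SRV records. Only that bit is
#    cleared; any other option bits on the object are preserved.
$ntds = (Get-ADDomainController -Identity $drDc).NTDSSettingsObjectDN
$opts = [int](Get-ADObject -Identity $ntds -Properties options).options
Set-ADObject -Identity $ntds -Replace @{ options = ($opts -band (-bnot 1)) }

# Verify the result.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
```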
philb19 (Author) commented:
Hi, for Cliff:

https://technet.microsoft.com/en-us/library/cc782048%28WS.10%29.aspx

"In Active Directory, a site is a set of computers well-connected by a high-speed network, such as a local area network (LAN). All computers within the same site typically reside in the same building, or on the same campus network. A single site consists of one or more Internet Protocol (IP) subnets."
Cliff Galiher commented:
And that contradicts what I said how? If it were really a single site then you wouldn't be caring which DC users authenticate against. Sometimes what you want to accomplish will point you in the correct topology. And tilting at that windmill only makes YOUR life harder. Others have now also told you defining your sites is the right path. If you don't want to take advice, no skin off my back. I just have to wonder why you asked for advice at all...
philb19 (Author) commented:
Hi Cliff,

Sorry you have taken this the wrong way. I should have worded my previous comment differently. I was simply wondering how we currently function fine with multiple subnets in the 1 site. I really didn't know if I had screwed things up badly and just "didn't know about the effect". It would seem from Microsoft: No.

I like to keep things simple "if possible". Given that we have a 10GB layer 2 extension of our network I was hoping to stick with just 1 site. In conversation here it was suggested that I prevent authentication to the DC in the remote (10GB connected) site. I was very doubtful as to the requirement/reason to do this (i.e. does it matter over a fast 10GB link with no extra latency), hence I have posted the question on this site to get advice/opinion.

I actually marked your comment up as a good one, as I think your comment "separate the subnets into sites" is sound advice. I was merely pointing out that it does not appear to be an absolute must.

Thanks again for your help. Apologise for any misunderstanding.
Cliff Galiher commented:
It isn't technically a must, but it is more scalable and allows an admin who may need to step in during an emergency to understand the topology "at a glance." It isn't so much doing something "wrong" per se as it is forming good habits early so you don't have to retrofit down the road. Think of MS BPAs. Not all rules are "required" but definitely are a "best practice."
philb19 (Author) commented:
Thanks, all went smooth. Set a reg key to ensure no users authenticate unless it is the only DC available.