philb19 asked:

FOR DR - Build a Domain Controller 2012 R2 - place in remote datacentre. Prevent users from authenticating

Hi - We have an L2 10GB connection to the datacentre. I'd still like to have the DC there getting replication as normal. However, is there a way to "stop"/prevent users from authenticating against the DC in the remote datacentre? How?

thanks
Cliff Galiher:

Don't make it a global catalog. Make sure your site cost is high. Both would be effective. But for true DR, I'd wonder why block auth at all? Otherwise just make backups? The point of having a replicating DC is to handle a failure in an automated fashion.
philb19 (asker):

Thanks Cliff - What is the significance of "Don't make it a global catalog"? I know what a GC is - does this mean no authentication, though? I wouldn't have thought so. As the link is 10GB I was not intending to place the new DC in a separate site. Simple domain here: 1 site, no slow links - just a 10Gb link to a datacentre.
philb19 (asker):

No slow links - just a 10GB link to a datacentre service provider (test VM cluster) - 1 site.

I'm thinking it doesn't really matter if they authenticate against the DC in DR then. It's 3-4 km away, the link is fast, no latency observed, fibre connection.

Even with a 10GB link, always define your sites to match your broadcast (aka layer 2) domains. If it crosses a router, it should be defined.
philb19 (asker):

I wasn't fully aware of that. Can I please get some insight as to why? We currently have 1 site with 2 subnets. Each DC is in a separate subnet. They are both physically local, same VM cluster and storage, separated by a layer 3 switch. Everything is running fine.

You should increase the priority for the SRV records of the domain controller in the remote datacentre.

https://technet.microsoft.com/en-us/library/cc787370(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc816793(v=ws.10).aspx
To set a "preferred login server", link the subnet where the clients are to the site where the preferred DC is. You should create every subnet that contains client devices in Sites and Services, then assign them to the site where the preferred DC is. That will make clients log on to that particular DC whenever possible. When it's down, they will find their way to another one.

Here is a procedure that might help:

Step-By-Step: Setting Up Active Directory Sites, Subnets & Site-Links
http://blogs.technet.com/b/canitpro/archive/2015/03/04/step-by-step-setting-up-active-directory-sites-subnets-amp-site-links.aspx

And this is important information on how it works:

Sites Sites Everywhere…
http://blogs.technet.com/b/askds/archive/2011/04/29/sites-sites-everywhere.aspx
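The procedure the two linked articles describe (define every client subnet, tie each subnet to a site, put the DR domain controller in its own site, and give the inter-site link a high cost) can be scripted with the ActiveDirectory module on 2012 R2. This is an added example, not code from the thread or from Microsoft's articles; the site names HQ and DR, the subnets, the domain contoso.com and the DC name DC03 are assumptions for illustration.

```powershell
# Added example: split a single-site domain into HQ and DR sites so clients on
# each subnet prefer their local DC. Assumed names: contoso.com, sites HQ/DR,
# client subnets 10.1.0.0/24 and 10.2.0.0/24 at HQ, 10.3.0.0/24 at DR, DR DC DC03.
# Run on a DC or RSAT host as a Domain Admin.
Import-Module ActiveDirectory

$hqSite = 'HQ'
$drSite = 'DR'

# Create the sites if they are not there yet (idempotent).
foreach ($site in $hqSite, $drSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Every subnet that contains clients must be defined and bound to a site;
# a client on an undefined subnet is handed any DC in the domain.
$subnets = @{
    '10.1.0.0/24' = $hqSite
    '10.2.0.0/24' = $hqSite
    '10.3.0.0/24' = $drSite
}
foreach ($cidr in $subnets.Keys) {
    if (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'") {
        Set-ADReplicationSubnet -Identity $cidr -Site $subnets[$cidr]
    } else {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# Site link between HQ and DR. Cost (default 100) drives replication routing
# and, when the "Try Next Closest Site" policy is enabled, which site clients
# fall back to when no DC in their own site answers.
$linkName = 'HQ-DR'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hqSite, $drSite `
        -Cost 200 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Move the DR domain controller's server object into the DR site.
Move-ADDirectoryServer -Identity 'DC03' -Site $drSite

# Checks: subnet-to-site mapping, and which DC the locator returns per site.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
nltest /dsgetdc:contoso.com /site:$hqSite
nltest /dsgetdc:contoso.com /site:$drSite
```

Leaving the default site named Default-First-Site-Name and creating HQ beside it would strand the existing DCs in the old site; either rename the default site to HQ or move DC01/DC02 with Move-ADDirectoryServer as well. The nltest checks at the end are the quickest way to confirm that a client in HQ is no longer being pointed at DC03.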
philb19 (asker):

Hi, for Cliff:

https://technet.microsoft.com/en-us/library/cc782048%28WS.10%29.aspx

"In Active Directory, a site is a set of computers well-connected by a high-speed network, such as a local area network (LAN). All computers within the same site typically reside in the same building, or on the same campus network. A single site consists of one or more Internet Protocol (IP) subnets."

And that contradicts what I said how? If it were really a single site then you wouldn't be caring which DC users authenticate against. Sometimes what you want to accomplish will point you to the correct topology. And tilting at that windmill only makes YOUR life harder. Others have now also told you defining your sites is the right path. If you don't want to take advice, no skin off my back. I just have to wonder why you asked for advice at all...
philb19 (asker):

Hi Cliff,

Sorry you have taken this the wrong way. I should have worded my previous comment differently. I was simply wondering how we currently function fine with multiple subnets in the 1 site. I really didn't know if I had screwed things up badly and just "didn't know about the effect" - it would seem from Microsoft: no.

I like to keep things simple "if possible". Given that we have a 10GB layer 2 extension of our network I was hoping to stick with just 1 site. In conversation here it was suggested that I prevent authentication to the DC in the remote (10GB connected) site. I was very doubtful as to the requirement/reason to do this (i.e. does it matter over a fast 10GB link with no extra latency?), hence I have posted the question on this site to get advice/opinion.

I actually marked your comment up as a good one - as I think your comment "separate the subnets into sites" is sound advice. I was merely pointing out that it does not appear to be an absolute must.

Thanks again for your help - apologise for any misunderstanding.
ASKER CERTIFIED SOLUTION (Cliff Galiher):

philb19 (asker):

Thanks, all went smooth - set a reg key to ensure no users authenticate unless it's the only DC available.
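The earlier suggestion to raise the priority of the DR domain controller's SRV records, and the asker's closing "set a reg key", both point at the Netlogon service's SRV-record registry values: a DC publishes its DC-locator records with a priority and weight, and clients try lower priority numbers first. The following is an added example, not the thread's or Microsoft's code; the domain contoso.com and the DC name DC03 are assumptions, and the values 200 and 1 are illustrative.

```powershell
# Added example: make a DR domain controller (assumed DC03 in contoso.com)
# register its DC-locator SRV records with a worse priority, so clients only
# use it when no lower-priority DC answers. Run on DC03 as an administrator.
$domain   = 'contoso.com'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Priority: lower number wins; the default is 0. A DC at priority 200 is only
# contacted after every priority-0 DC has failed to respond.
Set-ItemProperty -Path $netlogon -Name 'LdapSrvPriority' -Value 200 -Type DWord

# Weight: tie-breaker among DCs that share a priority (default 100).
# Keeping it small adds nothing here but makes the intent explicit.
Set-ItemProperty -Path $netlogon -Name 'LdapSrvWeight' -Value 1 -Type DWord

# Netlogon re-registers its SRV records when it restarts.
Restart-Service -Name Netlogon

# Check from any domain member: DC03 should show priority 200, the others 0.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port |
    Sort-Object Priority

# Check which DC the locator now picks for this machine, bypassing its cache.
nltest /dsgetdc:$domain /force
```

Two caveats a practitioner should expect: clients keep a cached DC until the cache expires or `nltest /dsgetdc:<domain> /force` clears it, so the change is not instantaneous; and the priority applies to every SRV record DC03 registers, including the site-specific ones, so if DC03 is the only DC in its own site the clients there will still use it once the lower-priority DCs have been tried and failed, not instead of them. Undoing the change is removing the two values (or setting them back to 0 and 100) and restarting Netlogon.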