Active Directory Sites

I would like to understand the scenario where there is one AD domain, but with several AD Sites.
In this case, users in SiteX will always try to authenticate to domain controllers in SiteX; if all domain controllers in SiteX are down, then users in SiteX should be able to authenticate with DCs in other sites (SiteY or SiteZ).
Well, my question is: what will make users in SiteX authenticate to DCs in SiteY or SiteZ? Is there any specific configuration that should have been done, other than associating subnets to sites in AD Sites and Services?

Anyone to elaborate on this ?

Thank you

Basically it is achieved with link costing of the site links.

When you create sites you also create site links between sites. These links have a cost associated with them. The higher the cost, the less desirable the route (if there are multiple link paths). You also allocate subnets to sites. AD is constantly aware via site link costings what the best path is for clients to the closest DC. So when a DC is down, clients will be provided with the next closest domain controller. This will only work for applications/clients that are site aware. Some applications will just pick a random domain controller; for these we use hardware load balancers with a pool of domain controllers behind them and tell applications that are not site aware to point to that address.

Take this simple example.

Site1 (head office New York - Lots of DCs):
Site2 (head office London - Lots of DCs):
Site3 (Branch office Cambridge - 1 DC):

The site links are set up as follows.


So when a client logs on at the Cambridge office, a connection is made to a domain controller which will check its subnet. If it is the closest domain controller to the client it will process the logon/request, otherwise it will redirect the client to the closest domain controller. In this case when it logs on it will talk to a Site3 DC. If the Site3 DC is down the client will be redirected to the next closest domain controller which will be in Site2.

Let's expand on the example above with an extra site link and costings.

Site1-Site2 (cost 100)
Site3-Site2 (cost 110)
Site3-Site1 (cost 100)

In this scenario, if the DC in Site3 is down, AD will check the cost to the nearest DC. It will see that the cost from Site3 to Site2 is 110 and the cost from Site3 to Site1 is 100. Clients in Cambridge will be directed to a DC in Site1, which is actually not the closest DC.

I always recommend setting up your site links to follow your network topology. For us we don't have any site links for AD replication redundancy as we rely on the network having redundant links to handle this for us.
And for good measure here's an article I found from Microsoft on the topic.
FOX (Active Directory/Exchange Engineer) commented:
Learnctx's explanation is right on the money. Have you tried to ping a domain controller in either Site Y or Z from any of your workstations that is not hitting Site X?
Will Szymkowski (Senior Solution Architect) commented:
I have created a two part series on Understanding AD Sites and Services. I start with a high level overview and then go into more detail and also point out some key points that you need to follow.

See the link below.

AD Sites and Services Part1

AD Sites and Services Part2

"Well, my question is what will make users in SiteX authenticate to DCs in SiteY or SiteZ"
Site cost does not control where the users will authenticate if your DCs are down at a particular site. Site cost for Active Directory controls how the DCs will replicate to and from each other. Sites can also be used to control mail flow for Exchange as well if you have multiple sites that host Exchange.

The method for controlling where the users will authenticate is based on subnets. Subnets control where users will authenticate to a particular site. If all of the DCs are down at a particular site then that means the clients' primary/secondary DNS is down as well. At this point you will need a 3rd DNS server (or secondary if you only have 1 DC at the site). When the user logs in it will use the DNS settings that are from another site and at that point it will authenticate.

A client will not be able to authenticate, period, if they do not have a DNS server in their NIC settings that is online and reachable.
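The following is an added example, not code from this thread or from Microsoft: a small Python model of the two mechanisms the answers above describe. Subnet-to-site mapping (most specific matching subnet wins) decides the client's home site, as Will describes; when every DC in that site is down, the cheapest site-link path decides which other site's DCs are offered, as in Learnctx's Site1/Site2/Site3 example; and if none of the client's configured DNS servers is reachable, no DC is located at all. The subnets, DC names and site-link costs are constructed sample values (the 100/110/100 costs come from the thread; the 10.0.0.0/8 catch-all subnet is added to show longest-prefix matching), and the function names are this example's own.

```python
import heapq
import ipaddress

# Constructed sample data modelled on the Site1/Site2/Site3 example in the
# thread; the addresses and hostnames are made up.
SUBNETS = {
    "10.0.0.0/8": "Site1",     # catch-all: unlisted 10/8 addresses map to New York
    "10.2.0.0/16": "Site2",    # London
    "10.3.0.0/24": "Site3",    # Cambridge branch (more specific than 10/8)
}

SITE_LINKS = [                 # (site A, site B, cost), costs as in the thread
    ("Site1", "Site2", 100),
    ("Site3", "Site2", 110),
    ("Site3", "Site1", 100),
]

DCS = {                        # constructed DC names per site
    "Site1": ["NYC-DC1", "NYC-DC2"],
    "Site2": ["LON-DC1", "LON-DC2"],
    "Site3": ["CAM-DC1"],
}


def site_for_client(ip, subnets=SUBNETS):
    """Map a client address to a site: the most specific matching subnet wins."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def site_costs(origin, links=SITE_LINKS):
    """Cheapest total site-link cost from origin to every reachable site (Dijkstra)."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue  # stale heap entry, a cheaper path was already found
        for nxt, cost in graph.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def locate_dc_site(client_ip, dns_servers, down_dcs=frozenset(),
                   subnets=SUBNETS, links=SITE_LINKS, dcs=DCS):
    """Return the site whose DCs the client ends up using, or None if no DC is found.

    dns_servers: names of the DCs configured as the client's DNS servers. If none
    of them is up, the client cannot look up the SRV records at all, so the site
    layout never comes into play.
    """
    if not any(dns not in down_dcs for dns in dns_servers):
        return None
    home = site_for_client(client_ip, subnets)
    if home is None:
        return None  # address in no configured subnet: siteless client, not modelled

    def live(site):
        return any(dc not in down_dcs for dc in dcs.get(site, []))

    if live(home):
        return home
    # Every DC in the home site is down: fall back to the cheapest site that still
    # has a live DC. With the thread's costs that is Site1 (100), not Site2 (110).
    costs = site_costs(home, links)
    candidates = [(c, s) for s, c in costs.items() if s != home and live(s)]
    return min(candidates)[1] if candidates else None


if __name__ == "__main__":
    cam = "10.3.0.25"
    print(locate_dc_site(cam, ["CAM-DC1", "LON-DC1"]))               # Site3
    print(locate_dc_site(cam, ["CAM-DC1", "LON-DC1"], {"CAM-DC1"}))  # Site1
    print(locate_dc_site(cam, ["CAM-DC1"], {"CAM-DC1"}))             # None: no DNS
```

The last call is the case Will raises: a Cambridge client whose only DNS server is the local DC gets nothing when that DC is down, even though Site1 and Site2 are healthy, so a second DNS server in another site is the piece that makes the cost-based fallback usable.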


jskfan (Author) commented:
Thank you