Wednesday, March 06, 2013 3:45 PM
We currently have a domain with multiple sites. Each site has a DC. We are looking to reduce the number of DCs on the network, as not all sites need one, e.g. three users on one site with a DC. We want to set up a DC at our Data Center and have the users authenticate to that. My question is, how do we configure that site to use the DC in the data center?
Wednesday, March 06, 2013 3:51 PM
Well, auto site coverage and DC Locator will automatically take care of identifying the nearest DC based on the site link topology connecting the remote site and the datacenter.
Please refer to defining site links to ensure proper
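The locator behaviour described above can be checked from a client at the remote site. The following is an added example, not part of the thread; it assumes a domain-joined Windows client with the RSAT ActiveDirectory module, and the domain name, site name and DC names are hypothetical.

```powershell
# Added example (not from the thread): see which site a client placed itself in and
# which DC the DC Locator handed it. Domain and site names below are hypothetical.
$domain     = 'contoso.com'
$remoteSite = 'RemoteSiteB'   # a site that has no DC of its own

# 1. Site the client mapped itself to, from its IP address and the subnet objects in AD.
#    If no subnet matches the client's IP this fails with a "no site name" error and the
#    locator then falls back to any DC in the domain, which is how clients end up on
#    unexpected servers.
nltest /dsgetsite

# 2. DC the locator returns right now; /force bypasses the cached answer and re-discovers.
nltest "/dsgetdc:$domain" /force

# 3. The same discovery from PowerShell. -NextClosestSite allows fallback to the site with
#    the lowest total site-link cost when the client's own site has no DC.
Import-Module ActiveDirectory
$dc = Get-ADDomainController -Discover -DomainName $domain -NextClosestSite
"Located DC $($dc.HostName) in site $($dc.Site)"

# 4. Automatic site coverage is visible in DNS: a DC that "covers" a DC-less site registers
#    site-specific SRV records for it. The DCs returned here are the ones clients in that
#    site are steered to.
Resolve-DnsName -Name "_ldap._tcp.$($remoteSite)._sites.dc._msdcs.$($domain)" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port
```

If step 1 reports no site, fix the subnet-to-site mapping before touching site link costs; no cost change helps a client that AD cannot place in a site at all.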
Wednesday, March 06, 2013 4:20 PM
So in sites and services, I would apply a lower cost to the link that attaches the small site to the site that houses the DC?
Wednesday, March 06, 2013 7:36 PM
Well, generally as a rule, a site link contains only 2 sites. And the site link is based on the physical telecom links. So let's say site B (remote site) has 2 telecom links to 2 different sites, site A being the datacenter, and site C being a larger remote site that is in turn connected to site A. You would make certain the cost of site link (B-A) is less than the cost of site link (B-C) + (C-A). This favors site A, resulting in the domain controllers of site A being prioritized.
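The cost comparison above can be worked through explicitly. What follows is an added example, not from the thread: it computes the lowest-cost route from a DC-less site to every site that hosts a DC, which is the comparison automatic site coverage and "next closest site" rely on. Site names and costs are constructed; the commented-out query at the end shows how to feed real site links in instead. One caveat a practitioner will want: if site C also hosts DCs, clients in B go to whichever DC-holding site is cheapest to reach, so B-A has to be cheaper than B-C itself, not merely cheaper than B-C + C-A; the second run below shows that case.

```powershell
# Added example (not from the thread). Site names and costs are constructed.
function Get-CheapestSitePath {
    param([string]$From, [string]$To, [array]$Links)
    # Adjacency list: site -> list of (neighbour, cost, link name). AD treats every pair of
    # sites in one site link as connected at that link's cost.
    $adj = @{}
    foreach ($l in $Links) {
        foreach ($s in $l.Sites) {
            if (-not $adj.ContainsKey($s)) { $adj[$s] = @() }
            foreach ($t in $l.Sites) {
                if ($t -ne $s) { $adj[$s] += ,@{ To = $t; Cost = $l.Cost; Link = $l.Name } }
            }
        }
    }
    # Dijkstra over the site graph.
    $dist = @{}; $prev = @{}; $visited = @{}
    foreach ($s in $adj.Keys) { $dist[$s] = [int]::MaxValue }
    $dist[$From] = 0
    while ($true) {
        $u = $adj.Keys | Where-Object { -not $visited[$_] -and $dist[$_] -lt [int]::MaxValue } |
             Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $u) { break }
        $visited[$u] = $true
        foreach ($e in $adj[$u]) {
            $alt = $dist[$u] + $e.Cost
            if ($alt -lt $dist[$e.To]) {
                $dist[$e.To] = $alt
                $prev[$e.To] = @{ From = $u; Link = $e.Link }
            }
        }
    }
    if ($dist[$To] -eq [int]::MaxValue) { return $null }
    $path = @(); $cur = $To
    while ($cur -ne $From) { $path = ,$prev[$cur].Link + $path; $cur = $prev[$cur].From }
    [pscustomobject]@{ From = $From; To = $To; Cost = $dist[$To]; Path = ($path -join ' -> ') }
}

# Scenario 1 (constructed): B-A direct is cheaper than B-C, and than B-C + C-A.
$links = @(
    @{ Name = 'B-A'; Cost = 100; Sites = @('SiteB', 'SiteA') }   # remote site -> datacenter
    @{ Name = 'B-C'; Cost = 150; Sites = @('SiteB', 'SiteC') }   # remote site -> larger remote site
    @{ Name = 'C-A'; Cost = 60;  Sites = @('SiteC', 'SiteA') }   # larger remote site -> datacenter
)
# Scenario 2 (constructed): B-A is still below B-C + C-A (100 < 110) but B-C alone is cheaper.
$linksCheapC = @(
    @{ Name = 'B-A'; Cost = 100; Sites = @('SiteB', 'SiteA') }
    @{ Name = 'B-C'; Cost = 50;  Sites = @('SiteB', 'SiteC') }
    @{ Name = 'C-A'; Cost = 60;  Sites = @('SiteC', 'SiteA') }
)

$sitesWithDc = @('SiteA', 'SiteC')   # constructed: sites that actually host DCs
foreach ($set in @(@{ Label = 'Scenario 1'; Links = $links }, @{ Label = 'Scenario 2'; Links = $linksCheapC })) {
    "$($set.Label): cheapest DC-holding site first"
    $sitesWithDc | ForEach-Object { Get-CheapestSitePath -From 'SiteB' -To $_ -Links $set.Links } |
        Sort-Object Cost | Format-Table From, To, Cost, Path -AutoSize
}
# Scenario 1 ranks SiteA (100) ahead of SiteC (150); scenario 2 ranks SiteC (50) ahead of SiteA (100).

# To run against a real forest, replace $links with the site links AD actually holds:
# Get-ADReplicationSiteLink -Filter * | ForEach-Object {
#     @{ Name = $_.Name; Cost = $_.Cost
#        Sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) }
# }
```

The function treats a site link with more than two sites as a full mesh at that link's cost, which matches how AD scores it; keeping links to two sites each, as the post suggests, keeps the graph easy to reason about.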
Wednesday, March 06, 2013 8:14 PM
What you need to do is create a subnet for the remote site (without a DC) in Sites and Services and link that subnet to your datacenter site, and make sure the ports below are open between the remote site and the datacenter.
The following is the list of services and their ports used for Active Directory communication:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
Opening the above ports in the firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.
Hope it helps
__________________________
Best Regards
Sarang Tinguria
MCP, MCSA, MCTS
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
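The two steps in the post above (map the subnet, open the ports) as an added example, not part of the thread. It assumes the RSAT ActiveDirectory module (the AD replication cmdlets shipped with Server 2012 / Windows 8) and Test-NetConnection (Windows 8.1 / Server 2012 R2 or later); the subnet, site and DC names are hypothetical. Two caveats in my own words, not the poster's: Kerberos (88) and LDAP (389) are served over TCP as well as UDP, and TCP 135 is only the RPC endpoint mapper, so RPC-based traffic also needs the dynamic RPC range (49152-65535 on Server 2008 and later) open from clients to the DC.

```powershell
# Added example (not from the thread). Subnet, site and DC names are hypothetical.
Import-Module ActiveDirectory
$remoteSubnet = '10.50.0.0/24'      # IP range of the small site that is losing its DC
$dcSite       = 'Datacenter'        # site whose DCs should now serve that range
$dc           = 'dc01.contoso.com'  # a DC in the datacenter site

# Step 1: create the subnet object at the datacenter site, or re-point it if it already
# exists (a subnet object attached to the old site would keep steering clients there).
if (Get-ADReplicationSubnet -Filter "Name -eq '$remoteSubnet'") {
    Set-ADReplicationSubnet -Identity $remoteSubnet -Site $dcSite
} else {
    New-ADReplicationSubnet -Name $remoteSubnet -Site $dcSite -Location 'Small site, no DC'
}

# Step 2: probe the TCP ports from the list above, plus TCP 88 and 389, which the DC also
# serves. Test-NetConnection only probes TCP, so the UDP side (53, 88, 389, 464) is not
# covered by this check.
$tcpPorts = 53, 88, 135, 139, 389, 445, 464, 3268, 3269
$results = foreach ($p in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$closed = $results | Where-Object { -not $_.Open } | Select-Object -ExpandProperty Port
if ($closed) { Write-Warning "Blocked TCP ports towards ${dc}: $($closed -join ', ')" }
```

Run the port probe from a workstation inside the remote subnet, not from the DC, since the firewall rules that matter are the ones on the path between the two sites.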
Friday, March 08, 2013 1:46 PM
There is already a Site for this group of computers, and I am taking the DC away. I have put the cost of the Site link down. Clients are still authenticating to odd servers. How do they know what has the lowest site link?
Tuesday, March 12, 2013 12:06 PM Moderator
Remove all sites but the home site and then reassociate all subnets with the home site; nothing else to do. The only way I wouldn't do this is if you had a site-aware application that needs special sites configured, which I'm guessing you don't have anyway. So I would strongly urge you to remove all sites with the exception of the central site.
--
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
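The consolidation the moderator recommends, as an added example that is not part of the thread: every site except the home site has its subnets re-pointed at the home site and is then deleted, skipping any site that still hosts a DC. It assumes the RSAT ActiveDirectory module (Server 2012 / Windows 8 cmdlets) and a hypothetical home site name; the -WhatIf switches are left in so the script reports what it would change until you remove them.

```powershell
# Added example (not from the thread). Home site name is hypothetical.
Import-Module ActiveDirectory
$homeSite = 'Datacenter'

# Sites that still contain a DC must stay (or have their DC demoted first).
$dcSites = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Site -Unique

foreach ($site in Get-ADReplicationSite -Filter * | Where-Object { $_.Name -ne $homeSite }) {
    if ($dcSites -contains $site.Name) {
        Write-Warning "Skipping $($site.Name): it still hosts a DC"
        continue
    }

    # Re-point every subnet of this site at the home site first, so clients keep resolving
    # to a site; a client whose IP matches no subnet has no site and picks any DC.
    Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object {
            "Moving subnet $($_.Name) from $($site.Name) to $homeSite"
            Set-ADReplicationSubnet -Identity $_.Name -Site $homeSite -WhatIf
        }

    # Then delete the now-empty site. If the removal is refused because child containers
    # remain, Remove-ADObject -Identity $site.DistinguishedName -Recursive is the fallback.
    "Removing site $($site.Name)"
    Remove-ADReplicationSite -Identity $site.Name -Confirm:$false -WhatIf
}

# Afterwards, every subnet should point at the home site:
Get-ADReplicationSubnet -Filter * | Format-Table Name, Site -AutoSize
```

Demote the DC in the small site before running this; the script deliberately refuses to delete a site that still has a DC object in it.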
- Marked As Answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Thursday, March 21, 2013 2:11 AM
Thursday, March 21, 2013 2:11 AM Moderator
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.