Restrict 2 New 2008 R2

    Question

  • Hi All,

    In my root domain I currently have 2 2008 R2 DCs which are for AD & applications. Due to proxy app slowness we decided to promote 2 new 2008 R2 DCs only for proxy authentication [validating proxy user requests from the proxy server].

    My customer wants to restrict these 2 new VM DCs only to proxy authentication and needs to restrict all remaining traffic from the network:

    Client logon & other apps

    Please let me know how to perform that. [Will stopping the DNS service work out, or do we need to apply a firewall rule?]


    Monday, February 20, 2012 11:27 AM

All replies

  • Why do you want to do that? Adding two more DCs makes the count 4, and four DCs can handle the load sufficiently well, considering the hardware is provided with sufficient RAM and processor speed.

    I don't think it's possible to use the two DCs just for authentication for the proxy server and not for any other apps. Clients locate DCs using the DC locator mechanism (using site/subnet info).

    http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, February 20, 2012 11:42 AM
    Moderator
  • Hi Awinish

    The proxy application has 14,000 users accessing it and expects more users to join. As of now the existing DCs are not loaded since it is very powerful H/W. But we could see the slowness in proxy auth & a large number of pending queues at the proxy server end.

    So to resolve that problem the customer came up with this idea. How about if we promote without DNS; the client will not look at the new DCs, right?

    Monday, February 20, 2012 11:49 AM
  • One way to accomplish this would be to create a separate AD site containing the two domain controllers and your proxy servers - this way you can leverage the DC locator process and use local site DCs only (in other words, you create a new AD site associated with the subnets where these systems reside - and move the DC objects in AD Sites and Services to that site).

    Details at http://msmvps.com/blogs/acefekay/archive/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records.aspx

    hth
    Marcin



    Monday, February 20, 2012 12:07 PM
  • Btw, 15k is not a huge number and two DCs should be sufficient provided they are equipped with sufficient RAM and processor, and now with x64-bit DCs they can perform much better. It is a wrong concept. DNS provides name resolution services and the DC provides authentication, so the function of DNS is to accept the queries from the domain clients and forward them to the respective domain controller, because the DC in the site that is going to authenticate local clients will be defined using sites/subnets/site links. When a domain client system logs in to the domain, during startup it uses DNS records to check the site to which the system belongs and then forwards the request to the local or nearest DC, so DNS is overall used for name resolution and locating SRV records.

    Just making the DC not a DNS server will not change its default behaviour.

    How DNS Support for Active Directory Works

    http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx


    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com



    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, February 20, 2012 12:12 PM
    Moderator
  • Hi marcin,

    The existing site itself has more than 100 subnets and I'm checking with the network team to define new subnets for these DCs. Can we follow the below to restrict the traffic?

    1. Promote the new DCs with a new subnet on the same site

    2. After promotion stop the DNS service & increase the "Weight" to the maximum one [Ex: 500]

    3. Is it possible to enable the Windows firewall and enter only the proxy servers? [The proxy server is Linux running in the same site and at the app level they will dedicate only the new DCs]

    Even though we do that, it will still have the GC related traffic, right?

    Tuesday, February 21, 2012 4:32 AM
  • Hello,

    Have you also thought about using AD LDS for the application authentication?

    http://technet.microsoft.com/en-us/magazine/2008.12.proxy.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 21, 2012 6:30 AM
  • Hi weber,

    Thanks for the link, I have some queries on that:

    1. Install LDS on a new member server -> Once the LDS setup is done, will it automatically replicate from the AD database? In real time is it two-way replication, or is it one way only, from AD DS to LDS?

    2. Since it's using only the AD DB, there is no other client traffic, right?

    Tuesday, February 21, 2012 8:19 AM
  • AD LDS can be installed on a workgroup or domain member machine, and the machine can be either a server or a Win7 client machine. AD LDS could be a good option, but you need to first understand the basics of AD LDS by referring to the below articles and then the proxy authentication link posted by Meinolf.

    http://technet.microsoft.com/en-us/library/cc733064%28v=ws.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc754361%28v=ws.10%29.aspx


    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 21, 2012 8:25 AM
    Moderator
  • It does not really matter how many subnets you currently have, if your intention is to ensure that both proxies and two domain controllers are in the same site. This requires - at the most - creating four subnet objects in AD (corresponding to the IP addresses of the four systems - assuming they are not on the same subnet) - and a single site that will be associated with these subnets.

    hth
    Marcin

    Tuesday, February 21, 2012 12:27 PM
  • It seems to me that relying on AD LDS in this case overcomplicates the solution - considering that it should be simply possible to leverage the DC locator mechanism to accomplish the objective.

    hth
    Marcin

    Tuesday, February 21, 2012 12:29 PM
  • I would still not suggest changing the LDAP SRV weight/priority settings because it can have a negative impact; either create a separate site or let the 4 DCs handle the load. The size of an authentication packet is not large, and since it's local, 4 DCs would suffice for your requirements.

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, February 22, 2012 11:34 AM
    Moderator
  • Yes, but the client is more specific on this part. Something happens in the backend authentication between the proxy server & AD [around 15K users] and the existing DCs are more powerful physical ones.

    Can I go one by one to reduce the risk?

    Wednesday, February 22, 2012 11:52 AM
  • I would suggest testing in a lab first to confirm, as I haven't implemented any such settings in production, so it's difficult for me to confirm.

    Regards

    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, February 22, 2012 12:15 PM
    Moderator
  • Modifying weight/priority of the SRV records will affect ALL connections to the target DCs - not just those from specific hosts - so I'm not clear how this is supposed to help you accomplish your goal (which, from what I understand, is to ensure that authentication attempts from designated proxy servers are handled by two designated domain controllers).

    Is there a reason you are averse to using the approach that relies on creating a separate AD site for these systems?

    hth
    Marcin

    Wednesday, February 22, 2012 12:25 PM
  • Hi Marcin,

    My client does not agree to go with a different site & subnet plan since the new proxy servers have been configured under the existing subnet and they want to keep all DCs & proxies in the same subnet.

    So I'm in the position to do the best with the DCs part, and as I checked on the net I found that the priority & weight options can be used to reduce the load of the DCs, but I'm not sure how to assign the values on those parameters.

    Thursday, February 23, 2012 7:06 AM
  • You can find the references in the below links, but I would stress carrying out the test in a lab first. The setting has to be done on the DC to which you want to divert the traffic, but remember it's not going to divert just proxy but other traffic too by modifying the registry.

    LdapSrvWeight & LdapSrvPriority

    http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/How-to-lessen-your-PDC_1920_s-load.aspx

    http://technet.microsoft.com/en-us/library/cc816793%28WS.10%29.aspx

    Regards

    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, February 23, 2012 7:12 AM
    Moderator
  • Hi Awinish,

    Thanks for the link; let me try to test before going into production, but they already informed me to complete within Feb 28th. Meanwhile, as I said, after I promote the 2 new VM DCs:

    1. Dc05 & Dc06 --> Existing ones, and I'll not change anything on these DCs, so I assume that these will be at the lower priority ["0"]

    2. Dc07 & Dc08 --> I'll create new registry key values for Weight & Priority. --> After this is done and initial replication continues, will it change any existing settings on the DCs?

    Thursday, February 23, 2012 7:31 AM
  • You need to only make changes on the new VMs and nothing is going to be modified in the existing DCs. My suggestion is that testing is very important over here.

    Regards

    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, February 23, 2012 8:25 AM
    Moderator
  • I'm not clear how this invalidates the approach that involves creating a new site - can you clarify? It seems that this makes it actually easier - since all you have to do is create a new site with a new subnet (representing the subnet where DCs and proxy servers are on).

    As I mentioned earlier, setting weight/priority will affect ALL connections to the designated DCs - rather than ensure that these DCs are used exclusively by proxy servers.

    hth
    Marcin

    Thursday, February 23, 2012 12:45 PM
  • Awinish,

    can you explain how modifying weight or priority is supposed to deliver the objective in this case?

    Btw. note that setting different priority values effectively leaves some of the DCs not being used AT ALL - which, as far as I can tell, is not the intended goal here...

    cheers,
    Marcin

    Thursday, February 23, 2012 12:49 PM
  • Marcin, if you read my comment, I have never stated/confirmed that modifying the weight/priority SRV records will let you achieve the objective. The author of the post wanted to try those settings and might get an idea that this may not be a feasible solution only after trying it, so I just referenced him the article.

    My stress was on conducting a test in a lab, so he can actually get the real-time result of what the impact will be.

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, February 23, 2012 1:01 PM
    Moderator
  • If these are Linux boxes, then you should be able to point them to specific domain controllers.

    Looks like this actually makes the use of priority attribute a feasible option - i.e. if you set the priority of two designated DCs (that are supposed to be used by proxy servers) to be lower, you will effectively prevent all Windows clients from using them for authentication...

    hth
    Marcin

    Thursday, February 23, 2012 1:11 PM
  • Awinish,

    OK - understood. As a matter of fact, it appears that using this approach might be valid after all.

    cheers,
    Marcin

    Thursday, February 23, 2012 1:13 PM
  • Set the priority of the SRV records for the DCs to be used by proxies to be lower (i.e. assign to them the higher value). You should not have to modify weight (i.e. it can be the same for all of them) - unless you want to distribute the load between DCs of equal priority unevenly.

    hth
    Marcin

    Thursday, February 23, 2012 1:31 PM
  • Hi Marcin,

    I'll not change the weight value on the old DCs [05, 06], but for the new DCs I'm thinking of making it as low as possible, so I can test with one DC weight as "10" or "20" to proceed further.

    Thursday, February 23, 2012 1:51 PM
  • Do post the outcome once you test the configuration.

    Regards

    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, February 23, 2012 1:56 PM
    Moderator
  • Unless I'm missing something in reading your objectives, you should be changing priority - not weight.

    Changing priority will prevent domain controllers with lower priority values from being used by Windows systems.

    Changing weight controls distribution of connections to DCs with the same weight value.

    hth
    Marcin

    Thursday, February 23, 2012 1:59 PM
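As an added illustration of the registry settings Awinish linked (LdapSrvPriority/LdapSrvWeight) and of Marcin's point that priority, not weight, is what keeps DC-locator clients away from a DC, here is example code that is not from this thread. It assumes it is run elevated on each of the two designated DCs (the thread's Dc07/Dc08), that the domain FQDN placeholder is replaced, and that PowerShell 2.0 on 2008 R2 is the target (hence nslookup rather than Resolve-DnsName).

```powershell
# Example added here, not from the thread. Placeholders: $domain.
# Netlogon reads these two REG_DWORD values when it registers the DC's
# SRV records (RFC 2782 semantics: lowest priority value is preferred;
# weight only splits load between DCs that share the same priority).
$domain   = 'corp.example'   # placeholder, replace with the real domain FQDN
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcSrvPreference {
    param(
        [int]$Priority = 200,   # default 0; a higher value makes this DC a fallback only
        [int]$Weight   = 100    # default 100; leave alone unless balancing equal-priority DCs
    )
    Set-ItemProperty -Path $netlogon -Name 'LdapSrvPriority' -Value $Priority -Type DWord
    Set-ItemProperty -Path $netlogon -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord
    # Netlogon re-registers its SRV records when it restarts
    Restart-Service -Name Netlogon
}

function Get-DcSrvPreference {
    # Read back what Netlogon will advertise; missing values mean the defaults apply
    $p = Get-ItemProperty -Path $netlogon
    New-Object PSObject -Property @{
        LdapSrvPriority = $p.LdapSrvPriority
        LdapSrvWeight   = $p.LdapSrvWeight
    }
}

function Show-DcSrvRecords {
    param([string]$Domain)
    # Verify the published records: every DC in the domain appears here with
    # its priority and weight, so the change is visible to all locator clients
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
}

# Raise the priority value on this DC only; the existing DCs keep priority 0
Set-DcSrvPreference -Priority 200 -Weight 100
Get-DcSrvPreference
Show-DcSrvRecords -Domain $domain
```

This only steers clients that choose a DC through the locator; the Linux proxies pointed at these DCs by name still reach them, and the DCs remain fully functional, so as the thread notes this is load steering rather than an access restriction.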
  • My objective is to enable both [changing priority & weight] on the new DCs and reduce the load as much as possible.

    Thursday, February 23, 2012 2:08 PM
  • As far as I can tell, you have all the info that's needed - proceed in the manner that will meet your objectives

    hth
    Marcin

    Thursday, February 23, 2012 2:17 PM
  • Hi Awinish\Marcin

    I will check both the options on one of the DCs and share the results.

    Thursday, February 23, 2012 2:20 PM