how to control sequence of domain controllers a client computer logging on

    Question

  • an office and a far away branch connected by vpn, 2 x domain controllers dc1 and dc2 in office for fault tolerance, plan add 1 x domain controller dc3 in branch for fault tolerance in case vpn down, tested dc3 can added over vpn, how to force client computers at branch logon AD via dc3 first, then dc1/dc2?  Thx.

    Monday, August 01, 2011 7:35 AM

Answers

  • an office and a far away branch connected by vpn, 2 x domain controllers dc1 and dc2 in office for fault tolerance, plan add 1 x domain controller dc3 in branch for fault tolerance in case vpn down, tested dc3 can added over vpn, how to force client computers at branch logon AD via dc3 first, then dc1/dc2?  Thx.


    In addition to the other responses, if the scenario is a simple scenario where there is a DC at a branch, in your case, DC3, and if you have AD Sites properly configured with the Subnet Object associated with the AD Site at the branch, then the client will always logon to that DC in their own AD Site. It's basically the way the AD client side CSE (client side extensions) handle it.

    If DC3 goes down, then it will be a round robin to determine the next DC outside of the AD Site. You can alter the weights and priorities as mentioned, between the two DCs at the main site, but that will also affect everyone logging on at the main site, because those weights and priorities will alter the SRV records so one DC is always the one that responds.

    However, if the client is using DC3 as the first DNS entry in the client's NIC properties, then only if DC3's DNS service does not respond will it go on to the next DNS address in the NIC to send a query to find the next DC outside of the AD Site. This behavior is based on the client side's resolver algorithm. Read more on this behavior:

    This article discusses, among other things, the DNS Client Side Resolver algorithm. If one DC or DNS goes down, does a client logon to another DC?
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

     

    Besides, there will be cached credentials at play, too, if DC3 goes down, and the VPN goes down. However, of course, they won't be able to access resources such as email if there is an Exchange server at the main site, because the VPN would be down. If the VPN is up, and the client logs on to a DC at the main site, then the client will wind up using a GC at the main site for DSAccess and DSProxy.

    That also reminds me to recommend that all DCs are GCs.

    My view on this, is how often do you expect DC3 to go down? Will the server be that unreliable? Network equipment unreliable? If it is a reliable server hardware from a reliable manufacturer with a 2-4 hour response, onsite warranty (not a hand built machine), then I don't see this becoming a huge factor. Make sure you have backups of the DCs.

    If you want to make sure the VPN is reliable, get two ISP services and purchase a Cisco ASA or similar product, that can handle multiple ISPs and has the failover feature.

     

    Here's a summary on the logon process IF AD sites are properly configured:

    AD client DC locator steps

     

     

    And here's how to configure your AD Sites properly:

    Managing Sites, Jan 6, 2003 ...
    Managing sites in Active Directory involves adding new subnet, site, and site link objects when the network grows, as well as configuring a ...
    http://technet.microsoft.com/en-us/library/bb727051.aspx

    Chapter 6, Configuring Sites
    (Apparently this is from a text book. It has a great step by step)
    http://www.wowworx.com/msactivedirectory/NewtNotesDPT224Ch06.htm

    The following appears to be a "Blended MOC" module, meaning it was customized from the original Microsoft Official Curriculum courseware. It focuses on how AD Replication works, how Sites work, how logon and replication traffic is controlled by configuring AD Sites, how to create a Site, etc:
    Module 4: Configuring Active Directory® Domain Sevices Sites and Replication
    http://www.scribd.com/doc/24692216/Module-4-Configuring-Active-Directory%C2%AE-Domain-Sevices-Sites-and-Replication

    The following article starts out as an AD Sites and Subnets Best Practice guide but then jumps into a security best practices doc by the end of the article after discussing the need for an Enterprise CA when using SMTP TLS for replication to secure traffic.
    Best practices for Active Directory Sites and Services
    http://technet.microsoft.com/en-us/library/cc755768(WS.10).aspx

     

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, August 01, 2011 1:53 PM
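    The site/subnet configuration described in the answer above, expressed as commands. This is an added example and not part of the original thread or Ace's linked articles. It assumes the ActiveDirectory PowerShell module's replication cmdlets (Windows Server 2012 or later RSAT), a domain named corp.example.com, an existing site named HQ that already holds DC1 and DC2, a branch LAN of 10.20.0.0/16, and that DC3 has already been promoted; every one of those names is an assumption.

```powershell
# Added example, not from the original thread. Run on a DC or an RSAT workstation
# as a Domain Admin. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$Domain       = 'corp.example.com'   # assumption
$HqSite       = 'HQ'                 # assumption: the site DC1 and DC2 already live in
$BranchSite   = 'Branch'             # assumption
$BranchSubnet = '10.20.0.0/16'       # assumption: the branch office LAN
$BranchDc     = 'DC3'

# 1. Create the branch site and bind the branch subnet to it. The subnet object is
#    what DC Locator uses to map a client's IP address to a site; a client whose
#    address matches no subnet object is "siteless" and may be handed any DC.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$BranchSite'")) {
    New-ADReplicationSite -Name $BranchSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$BranchSubnet'")) {
    New-ADReplicationSubnet -Name $BranchSubnet -Site $BranchSite
} else {
    Set-ADReplicationSubnet -Identity $BranchSubnet -Site $BranchSite
}

# 2. A site link so replication across the VPN runs on a schedule instead of
#    being treated as intra-site.
$LinkName = "$HqSite-$BranchSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HqSite, $BranchSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 3. Move DC3 into the branch site. Netlogon on DC3 then registers its
#    site-specific (_sites) SRV records under the Branch site name.
Move-ADDirectoryServer -Identity $BranchDc -Site $BranchSite

# 4. Verify in DNS: the site-specific record for Branch should list only DC3.
Resolve-DnsName -Name "_ldap._tcp.$BranchSite._sites.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# 5. Verify from a branch client (run these on the client, not the DC):
#    which site it believes it is in, and which DC the locator picks for it.
nltest /dsgetsite
nltest "/dsgetdc:$Domain" /force
Get-ADDomainController -Discover -SiteName $BranchSite -ForceDiscover |
    Select-Object HostName, Site
```

On a branch client the `nltest /dsgetsite` output should be the branch site name and the `/dsgetdc` output should show DC3 with `Dc Site Name` and `Our Site Name` both set to that site and `CLOSE_SITE` among the flags. If instead the client lands on DC1 or DC2, check for Netlogon event 5807 on DC3 (clients connecting from addresses that map to no site) and the `NO_CLIENT_SITE` entries in `%SystemRoot%\debug\netlogon.log`, which name the exact client addresses that still need a subnet object.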
  • Using weight/priority of SRV records is NOT the proper way to handle this. In short, you should be able to accomplish your goal by properly configuring your Active Directory - and relying on the optimization built into DC Locator mechanism. This has been explained in detail by Ace. However, in addition, you should consider disabling publishing of non-site specific (generic) SRV records by DC3 - for details, refer to http://social.technet.microsoft.com/Forums/en-us/winserverDS/thread/99a6faab-40da-43d7-977f-9c2107854c70

    hth
    Marcin


    Monday, August 01, 2011 3:00 PM
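    What "disabling publishing of non-site specific SRV records by DC3" looks like in practice, as an added example that is not from the thread above or the linked forum post. It uses the Netlogon `DnsAvoidRegisterRecords` value and the record mnemonics Netlogon documents for it; the particular list withheld (every mnemonic without an `AtSite` suffix, except `DcByGuid`, which replication partners use) and the domain and site names are assumptions. Run it on DC3 only; DC1 and DC2 keep their defaults so the generic records continue to resolve to them.

```powershell
# Added example, not from the original thread. Run on DC3 (the branch DC) as an
# administrator. Assumes a single-domain forest named corp.example.com and a
# branch site named Branch; both are assumptions.
$Params     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Domain     = 'corp.example.com'   # assumption
$BranchSite = 'Branch'             # assumption

# Netlogon mnemonics for the records that carry no site name. Withholding these
# means clients outside the Branch site (and siteless clients) are never handed DC3,
# while the *AtSite records and DcByGuid (used by replication) stay registered.
$GenericRecords = @(
    'Ldap', 'Gc', 'GenericGc', 'Kdc', 'Dc',                 # SRV records with no _sites label
    'LdapIpAddress', 'GcIpAddress',                          # A records for <domain> and gc._msdcs.<forest>
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

$before = (Get-ItemProperty -Path $Params -Name DnsAvoidRegisterRecords `
              -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
"Currently withheld: $(if ($before) { $before -join ', ' } else { '(none)' })"

New-ItemProperty -Path $Params -Name DnsAvoidRegisterRecords -PropertyType MultiString `
    -Value $GenericRecords -Force | Out-Null

# Netlogon reads the value at start-up; re-run registration afterwards. It attempts
# to deregister records it no longer owns, but verify rather than trust that.
Restart-Service Netlogon
nltest /dsregdns

# Check 1: DC3 must still be present in its own site-specific record.
Resolve-DnsName -Name "_ldap._tcp.$BranchSite._sites.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight

# Check 2: DC3 must be absent from the generic record (only DC1/DC2 should remain).
$generic = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
$generic | Select-Object NameTarget, Priority, Weight
if ($generic | Where-Object NameTarget -like 'dc3.*') {
    Write-Warning 'DC3 is still in the generic record; delete it in DNS or wait for scavenging.'
}
```

The same setting is available as the Group Policy "DC Locator DNS records not registered by the DCs" under Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records, which is the safer choice when more than one branch DC needs it, since a policy scoped to an OU of branch DCs cannot accidentally be applied to DC1 or DC2. Keep in mind the flip side: once DC3 publishes only site-specific records, a branch client that is not mapped to the Branch site will not find DC3 at all and will go over the VPN, so this change depends on the subnet objects being complete.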

All replies

  • There is nothing special required to configure to get authenticated by another DC if the DC serving the authentication request goes down, apart from configuring all the DCs as DNS & GC (GC not mandatory) & specifying each DC's DNS in the clients' NIC. Priority will be taken care of automatically; you need to understand the DCLocator process as well as its working.

    Still, if you wish to implement authentication by a particular DC, you can create the ldapsrvweight & ldapsrvpriority registry keys to prioritize DC authentication for clients, but it's not required as long as DNS is properly configured & the link is available.

    DCLocator process

    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx

    LdapSrvWeight & LdapSrvPriority

    http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/How-to-lessen-your-PDC_1920_s-load.aspx 

    http://technet.microsoft.com/en-us/library/cc816793%28WS.10%29.aspx


    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, August 01, 2011 7:52 AM
  • Hello,

    You can try to change the Weight and Priority of the DNS SRV records of your DCs:

    http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx

    Note that the DC with the lowest Priority value has the priority to be used.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Monday, August 01, 2011 8:27 AM
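    The Weight and Priority mechanism from the two replies above, shown as commands so the side effect other replies in this thread warn about is visible. This is an added example, not from the thread or the linked TechNet pages. It uses the Netlogon `LdapSrvPriority` and `LdapSrvWeight` registry values and assumes a domain named corp.example.com; run it on the DC whose records clients should try last (for instance DC2 at the main site), not on DC3 if the goal is for the branch to prefer DC3.

```powershell
# Added example, not from the original thread. Run on the DC to be de-prioritized
# as an administrator. The domain name is an assumption.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Domain = 'corp.example.com'   # assumption

# Defaults when the values are absent: Priority 0 (lowest number is tried first),
# Weight 100 (relative share among DCs that have the same Priority). Read first.
Get-ItemProperty -Path $Params -Name LdapSrvPriority, LdapSrvWeight -ErrorAction SilentlyContinue |
    Select-Object LdapSrvPriority, LdapSrvWeight

# Priority 10 puts this DC behind every priority-0 DC; Weight 50 halves its share
# among same-priority peers. Both apply to EVERY SRV record this DC registers,
# the generic ones included, so clients in all sites that fall back to the generic
# records (or have no matching subnet object) are affected, not just the branch.
New-ItemProperty -Path $Params -Name LdapSrvPriority -PropertyType DWord -Value 10 -Force | Out-Null
New-ItemProperty -Path $Params -Name LdapSrvWeight   -PropertyType DWord -Value 50 -Force | Out-Null
nltest /dsregdns

# What a client resolving the generic record now sees: DC Locator tries the lowest
# Priority first and chooses among equal priorities by weighted random selection.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Select-Object NameTarget, Priority, Weight, Port
```

The equivalent Group Policy settings are "Priority set in the DC Locator DNS SRV records" and "Weight set in the DC Locator DNS SRV records" under Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records. To undo the change, remove the two values with `Remove-ItemProperty` and run `nltest /dsregdns` again so the records are re-registered with the defaults.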
  • Hello,

    Besides the given information, keep in mind that using the weights and priorities you are limited to those machines only, so if they are not available logons may not be possible.

    Additionally, see here about AD sites and services setup: http://technet.microsoft.com/en-us/library/cc730868.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, August 01, 2011 1:02 PM
  • >>> how to force client computers at branch logon AD via dc3 first, then dc1/dc2?

    If you have proper Site and Subnet configuration in AD, by default clients will look for a DC from the default (local) site.  So make sure to add correct Subnet for your remote office inside AD.  If local DC is not available, DC Locator service will look for another DC in a different site. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Monday, August 01, 2011 1:53 PM