How can I force a client PC to authenticate its logon against a specific DC

  • How can I force a client PC to authenticate its logon against a specific DC

    There are three domain controllers in one domain. DC1 & DC2 are located in A office and DC3 is located in B office. The WAN connection between the A office and B office is very unreliable as it's approx 1.5MB. There is only one Hong Kong site created in our environment.

    Recently, the users in A office always complain they need to spend a very long time for authentication. I suspect the problem is caused by the low performance of the WAN. To bypass the network issue, it's necessary to separate the traffic between the two offices. Since the domain administrator rights are managed by the Paris branch office, I'm not able to create a new site and subnet. Is there still any suggestion?

  • #2
    Re: How can I force a client PC to authenticate its logon against a specific DC

    Need to create separate sites to mimic the WAN connection. Given the limited WAN bandwidth available to you, I'd look carefully into the replication schedule.
    Also DNS queries should be resolved on the site itself, so it's a good idea to have clients point to the local DNS as a primary.
    Also since it's a single domain make sure all DCs are Global Catalogs as well.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: How can I force a client PC to authenticate its logon against a specific DC

      Originally posted by soniayeung
      There are three domain controllers in one domain. DC1 & DC2 are located in A office and DC3 is located in B office. The WAN connection between the A office and B office is very unreliable as it's approx 1.5MB. There is only one Hong Kong site created in our environment.

      Recently, the users in A office always complain they need to spend a very long time for authentication. I suspect the problem is caused by the low performance of the WAN. To bypass the network issue, it's necessary to separate the traffic between the two offices. Since the domain administrator rights are managed by the Paris branch office, I'm not able to create a new site and subnet. Is there still any suggestion?
      You need this. Call the Paris office and ask for a new subnet and site - explain your authentication issues.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: How can I force a client PC to authenticate its logon against a specific DC

        Any other way for client to find the closest domain controller? I searched the KB: there are two fields of the SRV record that let clients determine which server to use when multiple possibilities are returned. The Priority field is used to dictate if a specific server or set of servers should always be contacted over others unless otherwise unavailable. A server with a higher priority will always be contacted before a server with a lower priority.

        In my case, can the clients attempt to use DC1 & 2 first if a lower value (i.e. 0) is entered for DC1 and DC2's LdapSrvPriority and a higher value (i.e. 100) is entered for DC3's LdapSrvPriority? As far as I know, this approach is meant to reduce client referrals so that the DC has more resources for other tasks, such as performing the role of PDC emulator. But DC1 & 2 don't hold the PDC emulator role; can I apply it to them?

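        The SRV selection rule asked about in post #4, as an added example that is not part of the original thread: under RFC 2782 the record with the lowest Priority number is tried first, and Weight only spreads load among records sharing a priority. The domain name example.test, the weights and port are constructed; the priorities 0 and 100 are the ones proposed in the post.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight port target")

# Constructed SRV answer set for _ldap._tcp.dc._msdcs.example.test
# (hypothetical domain), with the LdapSrvPriority values from post #4.
RECORDS = [
    Srv(100, 100, 389, "dc3.example.test"),  # B office, across the WAN
    Srv(0, 100, 389, "dc1.example.test"),    # A office
    Srv(0, 100, 389, "dc2.example.test"),    # A office
]

def srv_order(records, rng=random):
    """Return targets in the order an RFC 2782 client would try them."""
    ordered = []
    # Lowest priority number first; higher numbers are fallbacks only.
    for prio in sorted({r.priority for r in records}):
        # Zero-weight records go to the front of the pool (RFC 2782).
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)      # uniform in [0, total]
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:           # first record reaching the pick
                    ordered.append(pool.pop(i).target)
                    break
    return ordered

def first_reachable(records, unreachable=(), rng=random):
    """Walk the ordered list and return the first target that answers."""
    for target in srv_order(records, rng):
        if target not in unreachable:
            return target
    return None

if __name__ == "__main__":
    print("try order:", srv_order(RECORDS))
    print("A-office DCs down ->",
          first_reachable(RECORDS, {"dc1.example.test", "dc2.example.test"}))
```

        This models generic SRV ordering only; it does not model AD site awareness, which is what the replies in this thread recommend.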


        • #5
          Re: How can I force a client PC to authenticate its logon against a specific DC

          Originally posted by soniayeung
          Any other way for client to find the closest domain controller? I searched the KB: there are two fields of the SRV record that let clients determine which server to use when multiple possibilities are returned. The Priority field is used to dictate if a specific server or set of servers should always be contacted over others unless otherwise unavailable. A server with a higher priority will always be contacted before a server with a lower priority.

          In my case, can the clients attempt to use DC1 & 2 first if a lower value (i.e. 0) is entered for DC1 and DC2's LdapSrvPriority and a higher value (i.e. 100) is entered for DC3's LdapSrvPriority? As far as I know, this approach is meant to reduce client referrals so that the DC has more resources for other tasks, such as performing the role of PDC emulator. But DC1 & 2 don't hold the PDC emulator role; can I apply it to them?
          Firstly, can you post the KB in question?
          In a single Domain environment it is recommended to leave the FSMO roles where they are, besides you can only have
          And I also think you should report the issues you have to your admin in Paris.
          If AD Sites are configured properly then the clients will query the DC on their site so there is no need to change the priority and weight.



          • #6
            Re: How can I force a client PC to authenticate its logon against a specific DC

            "Any other way... ?"

            In a word, no. Not without testing and messing about with configurations which are difficult, messy, unmanageable from a central point, and probably difficult to support.

            The best and only sensible way is to configure an AD site for each of your WAN-linked physical sites. The rest is automatic. Configuring a site will take about ten minutes maximum; you should allow a couple of hours for replication, and then log off clients and log them on again. You should find it "just works".


            Tom
