
how to get local PC's to authenticate with local server rather than PDC


  • how to get local PC's to authenticate with local server rather than PDC

    Hi,

    I've got a couple of 2003 R2 servers, PDC and BDC, separated by a VPN tunnel at two locations. How do I get the PC's at the satellite office to authenticate with the BDC in situ rather than hogging my WAN link?

    TIA

    A

  • #2
    Re: how to get local PC's to authenticate with local server rather than PDC

    Have you setup sites in AD?



    • #3
      Re: how to get local PC's to authenticate with local server rather than PDC

      yep,

      I had all the PC's logging on to domain but they just hogged the WAN link and interfered with the performance of the main SQL app so currently they log on locally. I'd like to have all the PC's on the domain but it seems to interfere with the SQL app on the main server. There's a couple of PC's at the satellite office that need to log onto domain.

      TIA
      :P



      • #4
        Re: how to get local PC's to authenticate with local server rather than PDC

        I take it that the BDC you refer to is a DC in the same domain with no FSMO roles?

        You need to ensure that the DC at the satellite office is in a different site and subnet to the other DC. Universal Group caching then needs to be enabled at the satellite office.

        AD Sites and Services will allow you to configure all of this.



        • #5
          Re: how to get local PC's to authenticate with local server rather than PDC

          >I take it that the BDC you refer to is a DC in the same domain with no FSMO roles?
          yep, and I've got them on different subnets.

          thanks so much for your guidance.

          I'll enable UGC but might pop back on if I have any issues otherwise I'll be back to give you some credits.

          There's another Server part of same domain at a CoLo (offsite backup) that I'm having some issues with, I've run replmon and it says it's all OK but when I run dcdiag it's showing issues with this, do you think you might be able to help me with this?

          thanks again

          A



          • #6
            Re: how to get local PC's to authenticate with local server rather than PDC

            Glad to help.

            When users log on, they would be authenticating against the PDC all the time unless there was a GC present at the satellite office.

            Make sure the satellite office is in its own site, which sounds as if it is.

            You can then enable the Group Policy caching. If you had Exchange or other services that require a GC lookup, you then need to make it a GC.

            You only have a few computers, so it isn't necessary at the moment.
            Last edited by Virtual; 7th June 2009, 22:42.



            • #7
              Re: how to get local PC's to authenticate with local server rather than PDC

              Originally posted by armitage
              >I take it that the BDC you refer to is a DC in the same domain with no FSMO roles?
              yep, and I've got them on different subnets.

              thanks so much for your guidance.

              I'll enable UGC but might pop back on if I have any issues otherwise I'll be back to give you some credits.

              There's another Server part of same domain at a CoLo (offsite backup) that I'm having some issues with, I've run replmon and it says it's all OK but when I run dcdiag it's showing issues with this, do you think you might be able to help me with this?

              thanks again

              A
              We can certainly help with this. If you can post it separately with an appropriate title, we'll advise accordingly. If you can, post more details as well and the output of the dcdiag.



              • #8
                Re: how to get local PC's to authenticate with local server rather than PDC

                Originally posted by Virtual
                Glad to help.
                Make sure the satellite office is in its own site, which sounds as if it is.

                I guess it isn't, I attached a jpeg.

                As I haven't added a new site before, is it a straightforward process, i.e. new site and add server to this? Anything I should be aware of? I don't want to break anything in AD.

                TIA Virtual! :P



                • #9
                  Re: how to get local PC's to authenticate with local server rather than PDC

                  The important part is the subnet you assign.
                  • If you right-click the 'Sites' container and then New Site and follow the wizard.
                  • Opt for the 'Default Site Link'.
                  • Next, expand the Subnet folder. Can't remember where, but either you right-click the Subnets folder or in the white space once expanded and then create a new subnet.
                  The new subnet should be the same as your satellite site. Associate that subnet with the new site. You then move the satellite office DC to the site and place it in the same location as other DCs in the other site (but within the new site).

                  You then need to configure Universal Group Caching. This is carried out via NTDS Settings.

                  http://www.windowsnetworking.com/kba...salGroups.html
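
Why the subnet assignment in the steps above matters, as an added example that is not part of the original posts: a simplified Python model of how a client IP is mapped to a site through subnet objects, and which DCs the client can then be handed. The subnets, client address, the site name `Satellite` and the DC names `DC-HQ` and `DC-SAT` are constructed for illustration.

```python
import ipaddress

def site_for_client(client_ip, subnet_to_site):
    """Map a client IP to a site via the most specific matching subnet object."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None  # None: the client belongs to no site

def candidate_dcs(client_ip, subnet_to_site, dcs_by_site):
    """DCs a client may be handed: its own site's DCs, else any DC in the domain."""
    site = site_for_client(client_ip, subnet_to_site)
    if dcs_by_site.get(site):
        return sorted(dcs_by_site[site])
    # No site match: the simplified model returns every DC, local or across the WAN.
    return sorted(dc for dcs in dcs_by_site.values() for dc in dcs)

# Constructed sample data (not taken from the thread).
HQ_NET, SAT_NET = "192.168.1.0/24", "192.168.2.0/24"
SAT_CLIENT = "192.168.2.37"

# Before: one site holds both DCs and no subnet objects exist.
BEFORE_SUBNETS = {}
BEFORE_DCS = {"Default-First-Site-Name": ["DC-HQ", "DC-SAT"]}

# After: satellite subnet is associated with a new site and its DC is moved there.
AFTER_SUBNETS = {HQ_NET: "Default-First-Site-Name", SAT_NET: "Satellite"}
AFTER_DCS = {"Default-First-Site-Name": ["DC-HQ"], "Satellite": ["DC-SAT"]}

if __name__ == "__main__":
    print("before:", candidate_dcs(SAT_CLIENT, BEFORE_SUBNETS, BEFORE_DCS))
    print("after: ", candidate_dcs(SAT_CLIENT, AFTER_SUBNETS, AFTER_DCS))
```

On a real client, `nltest /dsgetsite` reports the site the machine has actually been assigned, which is the quickest check that the subnet association took effect.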



                  • #10
                    Re: how to get local PC's to authenticate with local server rather than PDC

                    Just curious, for UGC, how would that affect transferring FSMO roles if the need arises? Does it still have a full copy of the AD db?
                    GoogleFu is strong with this one ^

                    Comment


                    • #11
                      Re: how to get local PC's to authenticate with local server rather than PDC

                      It doesn't have a full copy of the Global Catalog. UGC just saves you having to have a complete GC at a site, so minimises the bandwidth used for the WAN connection as it doesn't need to replicate. After a user has logged on for the first time at a site, the next time they log on, they don't need to contact the GC at another site.

                      If you were transferring FSMO roles to a certain site, you would then be best to make the DC a GC. Some just make it a GC anyway, it all depends on the type of WAN connection you have, the users/computers you have and the services, such as Exchange, that rely on a GC.



                      • #12
                        Re: how to get local PC's to authenticate with local server rather than PDC

                        >This requirement that a GC server be available when a user logs on particularly become an issue if you have a branch office connected by a slow WAN link to headquarters and you've configured the remote network as a separate site to have more control over replication traffic between the two locations.

                        this is the issue I'm faced with which is why I want to enable UGC.

                        There's no mail server and probably won't be but should I be enabling UGC or complete GC on the DC also? Or both? PDC and BDC are DNS servers so say if my BDC went down, would the users at satellite have any probs authenticating?

                        vis a vis below from the link you gave me.

                        >Universal groups have their downside however, especially on networks running Windows 2000. This is because by default only global catalog (GC) servers contain a list of all universal groups in the forest. So, if you're using universal groups and you try to log on to a domain, there needs to be a GC server available to enumerate your universal group membership before you can be authenticated to the domain.



                        • #13
                          Re: how to get local PC's to authenticate with local server rather than PDC

                          this is a 2003 AD site, what implications if I add a 2008 server?



                          • #14
                            Re: how to get local PC's to authenticate with local server rather than PDC

                            UGC is ok in your case.

                            AFAIK, if the BDC (DC with no FSMO roles) is down, clients will automatically be directed to the PDC. You need to make sure that the DNS points to the satellite office DC (that should have DNS) and the PDC (with DNS).

                            If you add a 2008 server, you could look into using a RODC at the satellite office. This reduces replication traffic and is more secure. You need to make sure the 2008 DC is a direct replication partner with the RODC and also prep the domain prior to DCPROMO of the Windows 2008 Server.
                            Last edited by Virtual; 9th June 2009, 21:26.
