Default logon server 2 DC in 1 site

• #1
  Default logon server 2 DC in 1 site

  We currently have two domain controllers in one site. How can I set one of them to be the logon server, but leave the other one there strictly as failover?

• #2
  Re: Default logon server 2 DC in 1 site

  Does the second DC have Global Catalog enabled?

  1 1 was a racehorse.
  2 2 was 1 2.
  1 1 1 1 race 1 day,
  2 2 1 1 2


• #3
  Re: Default logon server 2 DC in 1 site

  Change the weight/priority in the SRV records.

  Tom Jones
  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
  PhD, MSc, FIAP, MIITT
  IT Trainer / Consultant
  Ossian Ltd
  Scotland

  ** Remember to give credit where credit is due and leave reputation points where appropriate **


• #4
  Re: Default logon server 2 DC in 1 site

  Sorry, I should elaborate. Currently we have two DCs at our main site and one DC at each of our branches, six in total. From what I understand we went with so many DCs due to slow WAN links. Each DC is a global catalog. They are also all Server 2003.

  I'm working on a project plan to update the domain controllers to Server 2012 so we can raise the domain/forest functional level, and at the same time consolidate us down to three DCs, with one being the primary and two for backups. We'll have one physical DC at the main site, one VM at the main site and one more VM at our DR site. All the other DCs will be retired. We recently updated all our WAN links to 100MB or better. Also, we're restructuring our organization so that we'll really only have maybe a half dozen employees at each branch.

  I'll look at changing the weight/priority in the SRV records, thanks for the suggestion!


• #5
  Re: Default logon server 2 DC in 1 site

  Okay, so unless I'm reading this wrong, if I change the priority as below, AD1 should get all the requests if it's up. If it is unavailable, then AD2 gets the requests, and if both are down, then AD3?

  Priority setting:

  CCCU-AD1: 0
  CCCU-AD2: 25
  CCCU-AD3: 50

  Changing the priority for DNS service (SRV) resource records in the registry

  Changing the priority of a domain controller also reduces the number of client referrals to it. However, rather than reducing access to the domain controller proportionally with regard to the other domain controllers, changing the priority causes Domain Name System (DNS) to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.

  To prevent clients from sending all requests to a single domain controller, the domain controllers are assigned a priority value. This value is stored in the LdapSrvPriority registry entry. The default value is 0, but it can range from 0 through 65535. The client uses the priority value to help determine to which domain controller it sends requests. When a client uses DNS to discover a domain controller, the priority for a given domain controller is returned to the client with the rest of the DNS information. Clients always send requests to the domain controller that has the lowest priority value. If more than one domain controller has the same value, the clients randomly choose from the group of domain controllers with the same value. If no domain controllers with the lowest priority value are available, the clients send requests to the domain controller with the next highest priority. Therefore, raising the value of the LdapSrvPriority registry entry on the PDC emulator can reduce its chances of receiving client requests.
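To check the reading in post #5 against the selection rule in the quoted text, here is a small simulation of how a client picks a domain controller from `_ldap._tcp` SRV records. It is an added example, not code from this thread or from Microsoft. It implements the RFC 2782 rule the quoted passage describes: only reachable records are considered, the lowest priority value wins, and records sharing that priority are chosen at random in proportion to their weights. The host names, the `example.local` domain and the "down" sets are constructed for the demo; the priorities are the ones proposed in post #5. The simulation models priority and weight only, not the site-aware lookup (`_sites` records) that posts #7 and #8 rely on.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp SRV record as a client receives it from DNS."""
    target: str
    priority: int      # LdapSrvPriority on the DC: lower is preferred (0..65535)
    weight: int        # LdapSrvWeight on the DC: share among equal priorities
    port: int = 389


# Constructed records reflecting the priority plan proposed in post #5
# (host names are placeholders, not taken from the thread).
PROPOSED = [
    SrvRecord("cccu-ad1.example.local", priority=0, weight=100),
    SrvRecord("cccu-ad2.example.local", priority=25, weight=100),
    SrvRecord("cccu-ad3.example.local", priority=50, weight=100),
]

# Constructed records with the default priority 0 / weight 100 every DC registers.
DEFAULTS = [SrvRecord(r.target, priority=0, weight=100) for r in PROPOSED]


def pick_dc(records, down=frozenset(), rng=random):
    """Return the target a client would contact, or None if none is reachable.

    Rule (RFC 2782, as described in the quoted Microsoft text): drop records
    whose host is unreachable, take the lowest priority value left, and if
    several records share it choose randomly weighted by their weight field.
    """
    live = [r for r in records if r.target not in down]
    if not live:
        return None
    lowest = min(r.priority for r in live)
    candidates = [r for r in live if r.priority == lowest]
    weights = [r.weight for r in candidates]
    if sum(weights) == 0:
        # All weights zero: RFC 2782 says choose uniformly at random.
        return rng.choice(candidates).target
    return rng.choices(candidates, weights=weights, k=1)[0].target


def distribution(records, down=frozenset(), trials=1000, seed=0):
    """Count which DC wins over many simulated client lookups (seeded rng)."""
    rng = random.Random(seed)
    counts = Counter(pick_dc(records, down, rng) for _ in range(trials))
    return dict(counts)


if __name__ == "__main__":
    ad1, ad2 = "cccu-ad1.example.local", "cccu-ad2.example.local"
    print("proposed, all up:       ", distribution(PROPOSED))
    print("proposed, AD1 down:     ", distribution(PROPOSED, {ad1}))
    print("proposed, AD1+AD2 down: ", distribution(PROPOSED, {ad1, ad2}))
    print("defaults, all up:       ", distribution(DEFAULTS))
```

With the proposed priorities every simulated lookup lands on AD1 while it is reachable, AD2 only takes over when AD1 is down, and AD3 only when both are down, which is exactly the reading in post #5. With the default values all three share the load. The practical caveat is visible in the first result: a single DC absorbing every request is a concentration of risk that the default spread avoids, which is the point post #8 goes on to make. The records a real client sees can be listed with `nslookup -type=SRV _ldap._tcp.dc._msdcs.<your-domain>` to confirm what priority and weight are actually being advertised.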


• #6
  Re: Default logon server 2 DC in 1 site

  OK, this doesn't directly answer your question, but have you considered RODCs at the branch offices? Each site can still authenticate its clients if the WAN link goes offline.


• #7
  Re: Default logon server 2 DC in 1 site

  Set up Sites in AD Sites and Services??

  Also remember that all DCs are equal, but some are more equal than others. Basically, each DC, if configured correctly, can handle logon requests.

  From what I can gather you want to have a local DC at your branches as a VM. I would personally set up RODCs as Biggles mentions, but have Sites configured, and this will tell your clients where to log on.


• #8
  Re: Default logon server 2 DC in 1 site

  There is no concept of primary and backup domain controllers, and if you're trying to configure them that way you're doing it wrong. Leave the default weight and priority the way they are and configure AD Sites and Services for your sites and subnets. Then let the DCs do what they do.

  Why do you want to set it up the way you've described? I see no value in tampering with the natural order of the Domain Controller locator process by adjusting the weight and priority of the DNS records for the DCs.