How can I force a client PC to authenticate its logon against a specific DC

#1
7th January 2009, 16:52
soniayeung

There are three domain controllers in one domain. DC1 & DC2 are located in A office and DC3 is located in B office. The WAN connection between the A office and B office is very unreliable as it's approx. 1.5MB. There is only one Hong Kong site created in our environment.

Recently, the users in A office always complain that they need to spend a very long time on authentication. I suspect the problem is caused by the low performance of the WAN. To bypass the network issue, it's necessary to separate the traffic between the two offices. Since the domain administrator rights are managed by the Paris branch office, I'm not able to create a new site and subnet. Are there still any suggestions?

#2
7th January 2009, 17:42
L4ndy

Need to create separate sites to mimic the WAN connection. Given the limited WAN bandwidth available to you, I'd look carefully into the replication schedule.
Also DNS queries should be resolved on the site itself, so it's a good idea to have clients point to local DNS as a primary.
Also since it's a single domain make sure all DCs are Global Catalogs as well.

Ta

#3
7th January 2009, 18:11
Stonelaughter

Quote:
Originally Posted by soniayeung
There are three domain controllers in one domain. DC1 & DC2 are located in A office and DC3 is located in B office. The WAN connection between the A office and B office is very unreliable as it's approx. 1.5MB. There is only one Hong Kong site created in our environment.

Recently, the users in A office always complain that they need to spend a very long time on authentication. I suspect the problem is caused by the low performance of the WAN. To bypass the network issue, it's necessary to separate the traffic between the two offices. Since the domain administrator rights are managed by the Paris branch office, I'm not able to create a new site and subnet. Are there still any suggestions?

You need this. Call the Paris office and ask for a new subnet and site - explain your authentication issues.
__________________


Tom
For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

Anything you say will be misquoted and used against you

#4
8th January 2009, 04:56
soniayeung

Is there any other way for a client to find the closest domain controller? I searched the KB; there are two fields of the SRV record that let clients determine which server to use when multiple possibilities are returned. The Priority field is used to dictate if a specific server or set of servers should always be contacted over others unless otherwise unavailable. A server with a higher priority will always be contacted before a server with a lower priority.

In my case, can the clients attempt to use DC1 & 2 first if a lower value (i.e. 0) is entered for DC1 and DC2's LdapSrvPriority and a higher value (i.e. 100) is entered for DC3's LdapSrvPriority? As far as I know, this way is used to reduce client referrals in order to let the DC have more resources for other tasks, such as performing the role of PDC emulator. But DC1 & 2 don't hold the role of PDC emulator; can I apply it to them?
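
The SRV Priority and Weight fields discussed in the post above, as an added example that is not part of the original thread: a generic RFC 2782 ordering model in Python, not the Windows DC locator itself. The record values (priority 0 or 100, weight 100) and the bare names DC1 to DC3 are constructed for illustration.

```python
import random

# Constructed SRV data (priority, weight, target) for the thread's three DCs.
# Weight 100 and the bare host names are assumptions made for illustration.
DEFAULT = [(0, 100, "DC1"), (0, 100, "DC2"), (0, 100, "DC3")]
TUNED = [(0, 100, "DC1"), (0, 100, "DC2"), (100, 100, "DC3")]


def srv_order(records, rng):
    """RFC 2782 ordering: lowest priority value first; within one priority,
    repeated weighted random picks decide the order."""
    ordered = []
    for prio in sorted({p for p, _, _ in records}):
        # Zero-weight records go to the front of the group before picking.
        group = sorted((r for r in records if r[0] == prio),
                       key=lambda r: r[1] != 0)
        while group:
            pick = rng.randint(0, sum(w for _, w, _ in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec[2])
            group.remove(rec)
    return ordered


def first_choice_share(records, target, trials=10000, seed=1):
    """Fraction of trials in which `target` is the first DC a client tries."""
    rng = random.Random(seed)
    hits = sum(srv_order(records, rng)[0] == target for _ in range(trials))
    return hits / trials


def pick_dc(records, reachable, rng):
    """Return the first DC in SRV order that is reachable, or None."""
    for name in srv_order(records, rng):
        if name in reachable:
            return name
    return None


if __name__ == "__main__":
    print("DC3 tried first, equal priority:", first_choice_share(DEFAULT, "DC3"))
    print("DC3 tried first, DC3 priority 100:", first_choice_share(TUNED, "DC3"))
    print("Office A DCs down:", pick_dc(TUNED, {"DC3"}, random.Random(1)))
```

With equal priorities roughly a third of first attempts go to DC3; with DC3 at the higher numeric value it is only reached when DC1 and DC2 do not answer. The model applies the same ordering to every client, so it cannot express "office B prefers DC3", which is what per-site registration provides.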

#5
8th January 2009, 17:42
L4ndy

Quote:
Originally Posted by soniayeung
Is there any other way for a client to find the closest domain controller? I searched the KB; there are two fields of the SRV record that let clients determine which server to use when multiple possibilities are returned. The Priority field is used to dictate if a specific server or set of servers should always be contacted over others unless otherwise unavailable. A server with a higher priority will always be contacted before a server with a lower priority.

In my case, can the clients attempt to use DC1 & 2 first if a lower value (i.e. 0) is entered for DC1 and DC2's LdapSrvPriority and a higher value (i.e. 100) is entered for DC3's LdapSrvPriority? As far as I know, this way is used to reduce client referrals in order to let the DC have more resources for other tasks, such as performing the role of PDC emulator. But DC1 & 2 don't hold the role of PDC emulator; can I apply it to them?

Firstly, can you post the KB in question?
In a single Domain environment it is recommended to leave the FSMO roles where they are, besides you can only have
And I also think you should report the issues you have to your admin in Paris.
If AD Sites are configured properly then the clients will query the DC on their site so there is no need to change the priority and weight.

#6
8th January 2009, 18:22
Stonelaughter

"Any other way... ?"

In a word, no. Not without testing and messing about with configurations which are difficult, messy, unmanageable from a central point, and probably difficult to support.

The best and only sensible way is to configure an AD site for each of your WAN-linked physical sites. The rest is automatic. Configuring a site will take about ten minutes maximum; you should allow a couple of hours for replication, and then log off clients and log them on again. You should find it "just works".
__________________


Tom

All times are GMT +3.