#1
AD Client vs Sites and Services

Greetings all,

I have a question about the default client authentication behaviour.

Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.

Here's the layout vs. config of Sites and Services:

Location A
192.168.1.0 FSMO Roles DCs

Location B
192.168.2.0 No DCs

Location C
192.168.3.0 DCs

Sites and Services:
Site A: 192.168.1.0
Site C: 192.168.2.0, 192.168.3.0

Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?

Any insight is greatly appreciated. TIA!

- SB

#2
Re: AD Client vs Sites and Services

A client will authenticate using the DC in its local site. This means that a client in location B will authenticate using domain controllers in site C...

hth
Marcin

"SB" <SB@discussions.microsoft.com> wrote in message news:3BA8996A-7887-4D0C-B373-E71EB43AD92A@microsoft.com...
> Greetings all,
>
> I have a question about the default client authentication behaviour.
>
> Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.
>
> Here's the layout vs. config of Sites and Services:
>
> Location A
> 192.168.1.0 FSMO Roles DCs
>
> Location B
> 192.168.2.0 No DCs
>
> Location C
> 192.168.3.0 DCs
>
> Sites and Services:
> Site A: 192.168.1.0
> Site C: 192.168.2.0, 192.168.3.0
>
> Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?
>
> Any insight is greatly appreciated. TIA!
>
> - SB

#3
RE: AD Client vs Sites and Services

Hi SB,

Whichever the AD Automatic DC site coverage DC's will be used. You can also manual admin chosen sites, I use GPO's to set this for consistency over time, but you can edit the registry directly.

Articles are:

How DNS Support for Active Directory Works --- http://technet.microsoft.com/en-us/library/cc759550.aspx
Planning Active Directory for Branch Office --- http://technet.microsoft.com/en-us/l...on126121120120
Download Windows Server 2003 Active Directory Branch Office Guide --- http://www.microsoft.com/downloads/d...displaylang=en

1st, create a new GPO object via use of the newer more preferred method of "GPEditing" via use of "Group Policy Management Console with Service Pack 1", downloadable at the following link: http://www.microsoft.com/downloads/d...displaylang=en

A Microsoft Best Practice is to not arrange or tamper with the default "Domain Controllers" OU default state even though it is flat and lacks geographical separation, Site, or OU's structure. Rather create a GPO for the DC if you only is to be affected by ensuring to go to the Delegation tab of the new GPO and go through the advanced menu and remove all other servers except the desired DC, and ensure that the DC has read/apply permission.

If all DC's in a site are either AutoSiteCovering or set manually, then the DC's will register all the covering site DC's to create DNS records of themselves in the non-dc site.

Something you may wish to try to rather have the site covered by another site:

Also, an optimisation trick to ensure you control the fastest access possible at all times to the directory via the closest and fastest WAN connection is to manually set the DC coverage via GPO of HUB sites, and further in depth with weighting and prioritising DNS records to ensure the adjacent sites with the faster link better than others is always used. It's just a lot more control/sense of knowing what failback steps the name resolution service will follow.

I followed this:
How to optimize the location of a domain controller or global catalog that resides outside of a client's site --- http://support.microsoft.com/kb/306602

--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA

"SB" wrote:
> Greetings all,
>
> I have a question about the default client authentication behaviour.
>
> Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.
>
> Here's the layout vs. config of Sites and Services:
>
> Location A
> 192.168.1.0 FSMO Roles DCs
>
> Location B
> 192.168.2.0 No DCs
>
> Location C
> 192.168.3.0 DCs
>
> Sites and Services:
> Site A: 192.168.1.0
> Site C: 192.168.2.0, 192.168.3.0
>
> Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?
>
> Any insight is greatly appreciated. TIA!
>
> - SB

#4
RE: AD Client vs Sites and Services

Hi SB,

Also a tip to decrease your SYSVOL size by removing duplicated admin templates via GPO's:

How to minimize SYSVOL size by removing administrative templates (.adm files) --- http://support.microsoft.com/kb/813338

This in a huge organisation can cause the SYSVOL to shrink from 1.2 GB with 143 individual GPO's down to just a mere 60 MB.

Regards
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA

"SB" wrote:
> Greetings all,
>
> I have a question about the default client authentication behaviour.
>
> Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.
>
> Here's the layout vs. config of Sites and Services:
>
> Location A
> 192.168.1.0 FSMO Roles DCs
>
> Location B
> 192.168.2.0 No DCs
>
> Location C
> 192.168.3.0 DCs
>
> Sites and Services:
> Site A: 192.168.1.0
> Site C: 192.168.2.0, 192.168.3.0
>
> Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?
>
> Any insight is greatly appreciated. TIA!
>
> - SB

#5
Re: AD Client vs Sites and Services

Hello SB,

Clients in location B will authenticate using DCs in Site C unless you manually change it.

--
Isaac Oben [MCTIP:EA, MCSE]

"SB" <SB@discussions.microsoft.com> wrote in message news:3BA8996A-7887-4D0C-B373-E71EB43AD92A@microsoft.com...
> Greetings all,
>
> I have a question about the default client authentication behaviour.
>
> Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.
>
> Here's the layout vs. config of Sites and Services:
>
> Location A
> 192.168.1.0 FSMO Roles DCs
>
> Location B
> 192.168.2.0 No DCs
>
> Location C
> 192.168.3.0 DCs
>
> Sites and Services:
> Site A: 192.168.1.0
> Site C: 192.168.2.0, 192.168.3.0
>
> Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?
>
> Any insight is greatly appreciated. TIA!
>
> - SB

#6
Re: AD Client vs Sites and Services

Hello SB,

Clients from site B will use the DC's in C. If they are not available they will search for other available DC's.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Greetings all,
>
> I have a question about the default client authentication behaviour.
>
> Locations A, B, and C are in a triangle layout, network-wise. Each location has its own subnet. All five FSMO roles exist in location A.
>
> Here's the layout vs. config of Sites and Services:
>
> Location A
> 192.168.1.0 FSMO Roles DCs
>
> Location B
> 192.168.2.0 No DCs
>
> Location C
> 192.168.3.0 DCs
>
> Sites and Services:
> Site A: 192.168.1.0
> Site C: 192.168.2.0, 192.168.3.0
>
> Will the AD Client try to authenticate against Site C because Sites and Services says it contains location B's subnet? Or will the AD Client authenticate to Site A defaulting to the PDC Emulator because there's no DCs on its local subnet?
>
> Any insight is greatly appreciated. TIA!
>
> - SB
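
The site selection described in the replies above, as an added example that is not part of the original thread: a simplified Python model of how a client's IP address maps to a site through the subnet objects, which DNS SRV names a client that knows its site asks for, and the fallback when no DC in that site is available. The /24 masks, the site labels `SiteA`/`SiteC`, the DC names and the domain `example.com` are assumptions; the posts give only network addresses.

```python
import ipaddress

# Constructed topology based on the thread. Masks, site labels, DC names and
# the domain are assumptions made for this example.
SUBNET_TO_SITE = {
    "192.168.1.0/24": "SiteA",
    "192.168.2.0/24": "SiteC",  # location B: no local DCs, subnet assigned to Site C
    "192.168.3.0/24": "SiteC",
}
SITE_DCS = {"SiteA": ["dc-a1", "dc-a2"], "SiteC": ["dc-c1"]}
DOMAIN = "example.com"


def site_for(ip):
    """Return the site of the most specific subnet object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), s) for n, s in SUBNET_TO_SITE.items()]
    matches = [(n, s) for n, s in nets if addr in n]
    if not matches:
        return None  # subnet not defined in Sites and Services
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def srv_queries(ip):
    """SRV names asked for: site-specific records first, then domain-wide ones."""
    site = site_for(ip)
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}")
    names.append(f"_ldap._tcp.dc._msdcs.{DOMAIN}")
    return names


def candidate_dcs(ip, reachable):
    """Return (site, DCs): reachable DCs in the client's site, else any reachable DC."""
    site = site_for(ip)
    in_site = [d for d in SITE_DCS.get(site, []) if d in reachable]
    if in_site:
        return site, in_site
    others = sorted(d for dcs in SITE_DCS.values() for d in dcs if d in reachable)
    return None, others  # None: the answer came from outside the client's site


if __name__ == "__main__":
    client = "192.168.2.50"  # constructed address in location B
    print(site_for(client), srv_queries(client))
    print(candidate_dcs(client, {"dc-a1", "dc-a2", "dc-c1"}))
    print(candidate_dcs(client, {"dc-a1", "dc-a2"}))  # Site C DC unavailable
```

A client whose subnet has no subnet object gets no site at all and can end up authenticating against any DC in the domain, so keeping the subnet list complete is part of controlling where authentication traffic goes.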