MCSE - Force authentication to a specific DC
#1
|
In an AD environment with multiple sites, all DCs are 2003, and multiple DCs at each site, how can I force authentication to a specific domain controller? The problem is that our "sites" are comprised of several different subnets for several different physical locations, so when I log on, I am authenticating on a DC over 30 miles away when I have a valid DC not 10 feet from my desk.

Is there a registry value I can modify to fix this? It would be an easy matter to deploy a script or policy to make these changes on a widespread basis if so. And yes, we should probably break up our sites for site-to-site AD replication to resolve the issue, but at this time that is not an option.

--
MCSA 2003:Security
A+, NET+, Security+

TTurner
|
|
|
|
#2
I don't know of a registry entry. You could force the issue with an IPsec filtering policy using permit and block rules to block access to all but the DCs you want a domain computer to use, but then you run the risk that the user will not be able to authenticate if the "preferred" domain controllers are not available.

Check the preferred DNS servers for your domain computers in TCP/IP settings to make sure that the first DNS server in the list is a "local" domain controller. Using sites is the best solution. The _srv records for domain controllers can be tweaked for priority and balancing, but I am not sure that will solve your problem.

You might also want to post in the win2000.active_directory newsgroup. Even though it is a W2K newsgroup, most of the gurus there know Windows 2003 also, which is not much different in most respects.

--
Steve

Steven L Umbach
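As an added illustration, not part of the thread, of what "tweaking the _srv records for priority and balancing" does: the snippet orders SRV answers the way RFC 2782 prescribes and shows, on constructed records, that raising the remote DC's priority value (or zeroing its weight) makes clients try the nearby DC first while keeping the remote one as a fallback. On a Windows DC these values are published through the Netlogon LdapSrvPriority and LdapSrvWeight registry parameters; the hostnames and record values below are made up.

```python
import random

# Constructed SRV answers of the kind the DC locator queries for
# _ldap._tcp.dc._msdcs.<domain>: (priority, weight, port, target).
# Invented hostnames mirror the thread: two DCs in one AD site,
# one next to the user and one 30 miles away.
SAMPLE_SRV = [
    (0, 100, 389, "dc-remote.corp.example"),
    (0, 100, 389, "dc-local.corp.example"),
]

def srv_order(records, rng=random):
    """RFC 2782 ordering: lowest priority value first; among equal
    priorities pick at random with chance proportional to weight."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]  # every weight 0: order is arbitrary
            if total > 0:
                roll, acc = rng.randint(1, total), 0
                for r in pool:
                    acc += r[1]
                    if acc >= roll:
                        pick = r
                        break
            ordered.append(pick[3])
            pool.remove(pick)
    return ordered

def first_choice_share(records, trials=10000, seed=1):
    """Fraction of lookups in which each target is tried first."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = srv_order(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return {t: c / trials for t, c in counts.items()}

def retune(records, target, priority=None, weight=None):
    """Copy of records with one DC's priority/weight changed, as
    LdapSrvPriority/LdapSrvWeight on that DC would do."""
    out = []
    for p, w, port, t in records:
        if t == target:
            p = priority if priority is not None else p
            w = weight if weight is not None else w
        out.append((p, w, port, t))
    return out
```

With equal records each DC is tried first about half the time; after `retune(SAMPLE_SRV, "dc-remote.corp.example", priority=10)` the local DC is always first and the remote one is only used when it fails.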
|