I don't know of a registry entry. You could force the issue with an IPsec
filtering policy using permit and block rules to block access to all but the
DCs you want a domain computer to use, but then you run the risk that the
user will not be able to authenticate if the "preferred" domain controllers
are not available. Check the preferred DNS servers for your domain computers
in TCP/IP settings to make sure that the first DNS server in the list is a
"local" domain controller. Using sites is the best solution. The _srv
records for domain controllers can be tweaked for priority and balancing, but
I am not sure that will solve your problem. You might also want to post in
the win2000.active_directory newsgroup. Even though it is a W2K newsgroup,
most of the gurus there know Windows 2003 also, which is not much different
in most respects.

--- Steve

"TTurner" <> wrote in message
news:5E0C0082-EF56-4288-80A1-...
> In an AD environment with multiple sites, all DCs are 2003, and multiple
> DCs at each site, how can I force authentication to a specific domain
> controller? The problem is that our "sites" are comprised of several
> different subnets for several different physical locations, so when I
> log on, I am authenticating on a DC over 30 miles away when I have a
> valid DC not 10 feet from my desk.
>
> Is there a registry value I can modify to fix this? Would be an easy
> matter to deploy a script or policy to make these changes on a widespread
> basis if so. And yes, we should probably break up our sites for site to
> site AD replication to resolve the issue, but at this time that is not an
> option.
> --
> MCSA 2003:Security
> A+, NET+, Security+
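
Added example, not part of the original posts: a read-only PowerShell check of the points raised in the reply (which DC served the logon, the client's site, its DNS server order, and the priority and weight of the site's SRV records). It assumes a domain-joined client on Windows 8 / Server 2012 or later with `nltest.exe` available; the variable names are illustrative.

```powershell
# Added example: read-only checks run on a domain-joined client.
# Assumes Windows 8 / Server 2012 or later (DnsClient module) and nltest.exe on PATH.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

# Site the client has been mapped to (first line of "nltest /dsgetsite").
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()

# DC that served the interactive logon vs. the DC the locator returns now.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
$dcLine      = nltest "/dsgetdc:$domain" |
    Select-String -Pattern 'DC:\s*\\\\(\S+)' | Select-Object -First 1
$locatorDc   = if ($dcLine) { $dcLine.Matches[0].Groups[1].Value } else { $null }

# Preferred DNS servers per interface, in the order the client tries them.
$dnsOrder = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }

# Site-specific SRV records: lowest priority wins, weight balances within it.
$srvName = "_ldap._tcp.${site}._sites.dc._msdcs.${domain}"
$siteDcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }

# Short host names of the DCs registered for this site.
$siteDcNames = $siteDcs.NameTarget | ForEach-Object { ($_ -split '\.')[0] }

[pscustomobject]@{
    Domain            = $domain
    Site              = $site
    LogonServer       = $logonServer
    LocatorDC         = $locatorDc
    LogonServerInSite = $siteDcNames -contains $logonServer
} | Format-List

'DNS servers in order:'
$dnsOrder
$siteDcs | Format-Table NameTarget, Priority, Weight, Port
```

When one site spans several physical locations, every DC registered for that site appears in the table, so a distant DC showing up as `LogonServer` with `LogonServerInSite = True` is the expected result of the site layout rather than a client fault.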