Force authentication to a specific DC

Discussion in 'MCSE' started by TTurner, Oct 18, 2004.

  1. In an AD environment with multiple sites, all DCs are 2003, and multiple
    DCs at each site, how can I force authentication to a specific domain
    controller? The problem is that our "sites" are comprised of several
    different subnets for several different physical locations, so when I log on,
    I am authenticating on a DC over 30 miles away when I have a valid DC not 10
    feet from my desk.

    Is there a registry value I can modify to fix this? It would be an easy matter
    to deploy a script or policy to make these changes on a widespread basis if
    so. And yes, we should probably break up our sites for site-to-site AD
    replication to resolve the issue, but at this time that is not an option.
    --
    MCSA 2003:Security
    A+, NET+, Security+
     
    TTurner, Oct 18, 2004
    #1

  2. I don't know of a registry entry. You could force the issue with an IPsec
    filtering policy using permit and block rules to block access to all but the
    DCs you want a domain computer to use, but then you run the risk that the
    user will not be able to authenticate if the "preferred" domain controllers
    are not available. Check the preferred DNS servers for your domain computers
    in TCP/IP settings to make sure that the first DNS server in the list is a
    "local" domain controller. Using sites is the best solution. The SRV
    records for domain controllers can be tweaked for priority and balancing, but
    I am not sure that will solve your problem. You might also want to post in
    the win2000.active_directory newsgroup. Even though it is a W2K newsgroup,
    most of the gurus there know Windows 2003 also, which is not much different
    in most respects. --- Steve


    "TTurner" <> wrote in message
    news:...
    > In an AD environment with multiple sites, all DC's are 2003, and multiple
    > DC's at each site, how can I force authentication to a specific domain
    > controller? The problem is, that our "sites" are comprised of several
    > different subnets for several different physical locations, so when I logon,
    > I am authenticating on a DC over 30 miles away when i have a valid dc not 10
    > feet from my desk.
    >
    > Is there a registry value I can modify to fix this? Would be an easy matter
    > to deploy a script or policy to make these changes on a widespread basis if
    > so. And yes, we should probably break up our sites for site to site AD
    > replication to resolve the issue, but at this time that is not an option.
    > --
    > MCSA 2003:Security
    > A+, NET+, Security+
     
    Steven L Umbach, Oct 18, 2004
    #2
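An added diagnostic for the situation in this thread (not code from either poster): it shows which DC serviced the current logon, which AD site the DC locator assigned the client, the site-specific versus domain-wide `_ldap._tcp` SRV records with their priority and weight, and whether the first configured DNS server is one of the domain's DCs, as Steve suggests checking. It assumes PowerShell 5.1 or later on a domain-joined Windows 8 / Server 2012 or newer client with the DnsClient module; `$Domain` defaults to the USERDNSDOMAIN environment variable.

```powershell
# Added example: why did this client authenticate against a distant DC?
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. DC that serviced this logon, and the site the locator assigned the client.
#    nltest /dsgetsite prints the site name on its first output line.
$logonServer = $env:LOGONSERVER.TrimStart('\')
$clientSite  = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Write-Host "Logon server : $logonServer"
Write-Host "Client site  : $clientSite"

# 2. The locator asks for the site-specific SRV record first and falls back to
#    the domain-wide record. A client whose subnet is not mapped to a site in
#    AD Sites and Services ends up choosing from the domain-wide list, which
#    covers every DC regardless of distance.
$siteSrv   = "_ldap._tcp.$clientSite._sites.dc._msdcs.$Domain"
$domainSrv = "_ldap._tcp.dc._msdcs.$Domain"

function Get-DcSrv([string]$Name) {
    # Lower Priority is preferred; among equal priorities, Weight sets the share.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true }
}

Write-Host "`nSite-specific DCs ($siteSrv):"
Get-DcSrv $siteSrv | Format-Table -AutoSize
Write-Host "Domain-wide DCs ($domainSrv):"
Get-DcSrv $domainSrv | Format-Table -AutoSize

# 3. Is the first configured DNS server a domain controller? Compare its
#    reverse-lookup name against the SRV targets from the domain-wide record.
$dcHosts  = (Get-DcSrv $domainSrv).NameTarget | ForEach-Object { $_.TrimEnd('.') }
$firstDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -First 1).ServerAddresses[0]
$firstDnsHost = try {
    (Resolve-DnsName $firstDns -ErrorAction Stop | Select-Object -First 1).NameHost.TrimEnd('.')
} catch { $null }
Write-Host "`nFirst DNS server: $firstDns ($firstDnsHost)"
if ($firstDnsHost -and ($dcHosts -contains $firstDnsHost)) {
    Write-Host "OK: first DNS server is a domain controller."
} else {
    Write-Host "WARN: first DNS server is not one of the domain's DCs."
}
```

If the site-specific query returns nothing while the domain-wide query lists the distant DC, the client's subnet is missing from its site, which is the cause the original poster describes.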
