DC questions


newsgroups.microsoft.com

I have a setup with a single Domain with multiple OUs for the various
sites. Each Site has a DC in it. I was wondering if and how to make sure that
the local office authenticates to the local DC and not the main branch office.

Thank you
 
newsgroups.microsoft.com said:
I have a setup with a single Domain with multiple OUs for the various
sites.

While it is perfectly ok for you to create an OU
for each location (usually due to different administrators
or different GPOs needing to be linked) do NOT
automatically create OUs just because you have
those locations.

You also don't want to call those "sites" since the term
Site has a technical meaning, and they are set up in
Sites and Services completely independent of your
OUs or even of your Domains (in a multi-domain
forest.)
Each Site has a DC in it. I was wondering if and how to make sure that
the local office authenticates to the local DC and not the main branch
office.

You (practically) cannot. You don't (really) want to do that.

Don't try, instead....

Make sure your DNS is correct*.

Make sure that every DC is a GC (so that authentications
can always remain local). Make sure you have defined
the Sites in AD Sites and Services (using subnets that
correspond to each location's networks.)

Set up the SiteLinks between sites. Put the correct DC-server
in (each) Site.

If set up correctly, clients will strongly prefer the local
DC-GC but will still work correctly when the DC is
down. (If you really must prevent cross-site authentication
you will need to use firewall/WAN/VPN/RRAS filters.)

*DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients' NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Associate the appropriate branch office subnet to the defined branch office
sites.

--
Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX
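The site, subnet and DC-placement setup described in the reply above, together with the dcdiag and nltest checks it lists and the subnet association Santhosh mentions, as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module (Windows Server 2012 or later); the site names, subnets, DC names, link cost and replication interval are constructed values.

```powershell
# Added example, not from the thread: build the site topology the reply
# describes, then run the checks it lists. Site names, subnets, DC names,
# link cost and replication interval are all assumed values.
Import-Module ActiveDirectory

# Constructed layout: one AD site per office, with that office's subnet(s) and DC(s).
$layout = @{
    'HQ'      = @{ Subnets = @('10.0.0.0/16'); DCs = @('DC-HQ1') }
    'Houston' = @{ Subnets = @('10.1.0.0/16'); DCs = @('DC-HOU1') }
}

foreach ($siteName in $layout.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $layout[$siteName].Subnets) {
        # Subnets map a client's IP to its site; without them clients may use any DC over the WAN.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
    foreach ($dc in $layout[$siteName].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $siteName
    }
}

# One site link from HQ to each branch so replication has a defined path.
foreach ($branch in ($layout.Keys | Where-Object { $_ -ne 'HQ' })) {
    $linkName = "HQ-$branch"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded 'HQ', $branch `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Every DC should be a GC so logons do not need to reach a GC across the WAN.
Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog } |
    ForEach-Object { Write-Warning "$($_.HostName) in site $($_.Site) is not a GC" }

# dcdiag per DC into a text file, then search it for FAIL, ERROR and WARN.
foreach ($dc in Get-ADDomainController -Filter *) {
    $report = Join-Path $env:TEMP "dcdiag-$($dc.Name).txt"
    dcdiag "/s:$($dc.HostName)" /v | Out-File -FilePath $report
    Select-String -Path $report -Pattern 'FAIL|ERROR|WARN' | Select-Object -First 20
}

# From a client, confirm which site it landed in and which DC it located.
nltest /dsgetsite
nltest "/dsgetdc:$env:USERDNSDOMAIN"
```

Run the first part once on a DC with rights to modify the Configuration partition; the nltest lines are meant to be run from a workstation in each branch, where the reported site and DC should be the local ones.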
