Use domain controller weight for isolation

Mark

I have been searching the groups and have read a lot about domain
controller weight and priority. Most users want to specify a DC. I
need to omit a DC for normal user authentication. Please tell me if my
logic is correct here. I have an application that acts as a front end
or proxy to AD management. It sometimes overloads a DC, requiring us to
reboot the DC to correct the issue.

I would like to be able to omit this DC from all user interaction so
when the server is rebooted there are no problems. If I change the
weight from 0 to 10, will this omit this one DC from rotation as long
as all the other DCs are operating properly?

TIA,
Mark
 
Mark said:
I have been searching the groups and have read a lot about domain
controller weight and priority. Most users want to specify a DC. I
need to omit a DC for normal user authentication. Please tell me if my
logic is correct here. I have an application that acts as a front end
or proxy to AD management. It sometimes overloads a DC, requiring us to
reboot the DC to correct the issue.

I would like to be able to omit this DC from all user interaction so
when the server is rebooted there are no problems. If I change the
weight from 0 to 10, will this omit this one DC from rotation as long
as all the other DCs are operating properly?

Personally, although I know about weight, I never fool
with it, so someone else may answer your direct question.

More interesting to me is WHY your DC needs rebooting --
that is completely unacceptable and abnormal behavior.
(We would NEVER boot our DCs if it weren't for hotfixes,
service packs and updates.)

Another option occurs to me also: put the 'special' DC in its own
site. As long as you can put it on a subnet with no other
machines (give it a direct connection to a router, which can
be one of your existing servers, probably a DC too), then
no client would try to use it by default as long as some other
DC were available on their networks.
 
No, not the weight.

The priority with a HIGHER VALUE makes sure that DC is not used as long as
other DCs are available with lower VALUES.

Mark said:
logic is correct here. I have an application that acts as a front end
or proxy to AD management. It sometimes overloads a DC, requiring us to
reboot the DC to correct the issue.

Then that app is crap.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
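The two mechanisms discussed in the replies above (a dedicated site for the special DC, and a higher *priority* value rather than a changed *weight*) can be seen side by side in a small model of the client's DC locator. This is an added example written for this page; it is not code from the thread, from Windows, or from the Quest product. It follows the RFC 2782 SRV selection rules that the locator applies to the `_ldap._tcp` records (lowest priority value wins outright; weight only sets the share among records that tie on priority; Netlogon's defaults are LdapSrvPriority=0 and LdapSrvWeight=100), plus the site lookup (client IP matched to an AD subnet, subnet to a site, site-specific records tried before the domain-wide set). The DC names, addresses, subnets and record values are all constructed for the example.

```python
"""Added example (not from the thread): a model of how a Windows client's DC
locator picks a domain controller from DNS SRV records, showing why raising
a DC's priority value keeps it out of rotation while lowering its weight only
makes it less frequent, and how a dedicated site hides it from other sites'
clients.  All names, addresses and record values are constructed sample data.
"""
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Srv:
    target: str
    priority: int  # lower value preferred; Netlogon default 0 (LdapSrvPriority)
    weight: int    # relative share within one priority level; default 100


def rfc2782_select(records, rng=random):
    """Pick the record a client should contact first, per RFC 2782: restrict
    to the lowest priority value, then do a weighted random choice, with the
    weight-0 records ordered first so they are hit only when the random point
    is 0 (i.e. practically only when every record at that level is weight 0)."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    tier = [r for r in records if r.priority == lowest]
    rng.shuffle(tier)                          # RFC: "in any order" before sorting
    tier.sort(key=lambda r: r.weight != 0)     # stable sort puts weight 0 first
    total = sum(r.weight for r in tier)
    point = rng.randint(0, total)              # inclusive range, as the RFC says
    running = 0
    for r in tier:
        running += r.weight
        if running >= point:
            return r.target
    return tier[-1].target                     # not reachable; defensive only


def nominal_share(records):
    """Long-run share of first contacts per target: weight/total inside the
    lowest-priority tier, zero for anything with a higher priority value."""
    lowest = min(r.priority for r in records)
    tier = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in tier)
    share = {r.target: Fraction(0) for r in records}
    for r in tier:
        share[r.target] = Fraction(r.weight, total) if total else Fraction(1, len(tier))
    return share


def site_for_client(client_ip, subnets):
    """Longest-prefix match of the client IP against the AD subnet objects
    (dict of CIDR -> site name); None when no subnet covers the client."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def locate_dc(client_ip, subnets, site_records, domain_records, rng=random):
    """Simplified locator: the client's site-specific record set first, the
    domain-wide set (_ldap._tcp.dc._msdcs.<domain>) if it has no site or its
    site has no records."""
    site = site_for_client(client_ip, subnets)
    records = site_records.get(site) if site else None
    return rfc2782_select(records or domain_records, rng)


def simulate(client_ip, subnets, site_records, domain_records, draws=10_000, seed=1):
    """Count which DC wins the first contact over many seeded locator runs."""
    rng = random.Random(seed)
    return Counter(locate_dc(client_ip, subnets, site_records, domain_records, rng)
                   for _ in range(draws))


# Constructed topology: dc3 is the DC reserved for the management app.
SUBNETS = {"10.1.0.0/16": "HQ", "10.1.99.0/24": "ARS-Only"}
DEFAULTS = [Srv("dc1", 0, 100), Srv("dc2", 0, 100), Srv("dc3", 0, 100)]
WEIGHT_CHANGED = [Srv("dc1", 0, 100), Srv("dc2", 0, 100), Srv("dc3", 0, 10)]
PRIORITY_RAISED = [Srv("dc1", 0, 100), Srv("dc2", 0, 100), Srv("dc3", 10, 100)]
# Site approach: dc3 alone in site ARS-Only; it still appears in the
# domain-wide set (DEFAULTS), so it remains a fallback if dc1/dc2 are gone.
SITE_RECORDS = {"HQ": [Srv("dc1", 0, 100), Srv("dc2", 0, 100)],
                "ARS-Only": [Srv("dc3", 0, 100)]}

if __name__ == "__main__":
    for label, recs in [("defaults", DEFAULTS), ("dc3 weight 10", WEIGHT_CHANGED),
                        ("dc3 priority 10", PRIORITY_RAISED)]:
        print(f"{label:16} {dict(simulate('10.1.5.20', {}, {}, recs))}")
    print("HQ client, sites:", dict(simulate("10.1.5.20", SUBNETS, SITE_RECORDS, DEFAULTS)))
    print("ARS host, sites: ", dict(simulate("10.1.99.5", SUBNETS, SITE_RECORDS, DEFAULTS)))
    print("no-site client:  ", dict(simulate("192.0.2.7", SUBNETS, SITE_RECORDS, DEFAULTS)))
```

Running it shows dc3 taking roughly a third of first contacts at the defaults, about 5% with weight 10, and none at all with priority 10 while dc1 or dc2 are present, which is the distinction Jorge draws. With the site layout, HQ clients never pick dc3 but a client on a subnet that maps to no site falls back to the domain-wide set and can. Two things the model leaves out, which matter when you do this in production: the real locator also LDAP-pings the candidate and caches the answer, and a DC alone in a site can still be handed other sites' clients through automatic site coverage if those sites have no DC of their own.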
 
You don't want to mess with priority or weight then, you want to
actually change whether the records are registered or not.

See

http://technet2.microsoft.com/Windo...6ba0-4f08-b1d9-525bf949fa761033.mspx?mfr=true


I would be a little concerned about an AD Proxy Management app that
overloads a DC... What is the application?

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
I would be a little concerned about an AD Proxy Management app that
overloads a DC... What is the application?

Sorry about replying so late. I had some pipes rupture at my house and
had to repair some plumbing.

I was trying to avoid bad mouthing the product, but it is ActiveRoles
by Quest. They have a lot of problems with version 5.25. They have
released a new version which is supposed to correct a lot of their
issues. We have not moved to it yet and that is what I was trying to
plan for.

When the 5.25 version goes down, I start getting AD errors from the DC
it is pointing to almost like it corrupts AD. The DC will quit
replicating, stops processing group policy, etc. Once the DC is
rebooted the world is good again. Before anyone asks, yes it is a
software problem as the Quest product flakes out before AD.

My ultimate goal is to have a DC available to this application so that
if it goes down and requires a reboot of a DC, there will not be any
noticeable effects to any clients or other applications.

Any recommendations?
 
I have seen Active Roles Server deployed in quite a few locations
without it taking out DCs. Are you working with Quest to find root cause?

For something like this, consider just putting a DC or two in a special
logical site that is just used for the Quest tools. This shouldn't be
necessary but if you are finding it is causing issues, this could help.
As a general rule, clients should fail over pretty seamlessly when they
encounter a problem. Exchange/Outlook on the other hand do not work so
smoothly and that is why many companies will put Exchange servers in
separate dedicated sites in large orgs.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
 
I have been working with Quest for a while and even went as far as
their Development Manager on a couple of issues. Most of the issues we
have found resulted in a statement saying they will be resolved with
the next release. As far as receiving a definitive root cause, no.

I will look more into sites to separate this out a little instead of
weight or priority. The thing is that most normal users do not notice
an issue. We just have one application that seems to grab a DC server
and hold onto it. When the DC is rebooted, all users that
authenticated into that application through that particular DC start
getting errors. After the users log on again they are fine. I was
just trying to find a way to avoid that situation if at all possible by
isolating the dc.

Thanks for the help.
 
Oh so there is some app other than ARS that is a problem... I would
seriously look into that app as well, they need to do fault tolerance
better.

--
Joe Richards Microsoft MVP Windows Server Directory Services
 
I completely agree with you there. Unfortunately, that app is a
partnership between us and another company that is very unlikely to
change. It is one of those 5 year behind schedule and a huge amount of
money over budget apps that is pure spite just to finish it because
they said they would.

Thanks again for your assistance.
 
Well, it actually uses IIS 6.0 as a front end. From what I have read,
IIS 6 uses kerberos as an underlying authentication which is why I was
heading down the weight and priority method.
 
Mark said:
Well, it actually uses IIS 6.0 as a front end. From what I have read,
IIS 6 uses kerberos as an underlying authentication which is why I was
heading down the weight and priority method.

IIS has MANY authentication methods, but even under
"Integrated Authentication" it CAN use either NTLM or
Kerberos.

NTLM is invoked when any of the machines (web client,
web server, or DC) involved in "Integrated Authentication"
is not running a Kerberos-capable OS (e.g., NT or 9x).

In the case of IIS 6, you can guarantee that the server at least
is Kerberos-capable, since NT won't run this.
 