Can you reset a client connecting to a remote Site DC back..

Archived from groups: microsoft.public.win2000.active_directory

Hi,

Two part question:

In W2K AD, and I expect W2003 AD, a client computer when logging in tries to
use a local Site DC for authentication. If none is available, how does it
determine which DC it should authenticate to? The following article
explains the process, but I wonder if it is completely correct:

http://www.windowsitpro.com/Windows/Article/ArticleID/37935/37935.html

Our experience has found that the DC selected is not the fastest
responding (following network topology). I've read various articles, but am
still not clear as to how that DC is selected. E.g. is it taking the first
15 DCs in DNS, in alphabetical order, to ping to see which one is the
closest? If so, is there a way to change this mechanism?

Once a client has information about which DC it is using,

How long is it cached?
Does a reboot clear the cache? If not, is there a way to force a client, the
next time the user logs in, to go and validate whether a DC is available in the
Site?

Thanks for any input in advance,

Ed
  1.

    Ed,

    I suppose you could weight the DCs in the DNS to set up a preferential order
    for their application but I am not completely sure if this would have the
    unintended effect of overriding the "site stickiness". You would want to
    ensure that, when available, the local DCs would be used first. This could
    be effected through very careful planning.

    As to the cache length, this would be only tied to the local DNS cache as it
    would be queried to determine the local DC and the next ones to query.
    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services

  2.

    Ryan,

    Thanks for responding, but your response doesn't answer the questions.

    I can share new info: an article talks about 100ms being the max wait
    time for DCs to respond within the Site for netlogon. Have you heard this?
    After that it looks at the generic DNS service records under the _tcp area to
    find a DC.

    However, if the local Site DCs don't respond within 100ms, but respond
    before the remote DCs respond, does it still take the local DC for
    authentication?

    Also, does the 100ms include latency time, or is it pure time from the moment
    the packet leaves the client?

    Finally, going back to the original post, is there a way to force a client
    to re-point to a local DC without a cold reboot or logoff?

    Ed


  3.

    1. I am not 100% sure whether it will stop listening for timed out LDAP
    pings. Generally, though, if it hasn't responded in 100ms, you have other
    problems and really don't want traffic there anyway. Another server would
    be more stable, even if it has slower access times.

    2. The 100ms is based on the client's timer and does not take latency into
    account.

    3. When a workstation authenticates, it is not maintaining a session open
    with the server constantly. The next time it needs to reference the AD or
    generate a token, it will query the DNS again and start the process over.

    Hope this helps.
    --
    Ryan Hanisco
    MCSE, MCDBA
    FlagShip Integration Services

  4.

    Hi Ryan,

    If I understand right, you are suggesting that if a DC does not get back to
    a client request within 100ms, you don't want traffic there. So, for
    example, a frame relay T1 link has a latency of 80-120ms on its own.
    Therefore, it would never log onto the AD Site that its subnet is
    mapped to?

    On note 2: you mentioned it looks up DNS every time it needs to go back to a
    DC. My understanding is quite different; otherwise, every time it went to do
    any LDAP query (e.g. look up the GAL in Outlook), it would do a DNS
    lookup first to find which DC to go to?

    I take it that no one knows how to re-point a client PC back to its home DC
    for authentication without a reboot, unless your point 2 applies for all DC
    access, every time.

    Ed
  5.

    > Once a client has information about which DC it is using,

    > how long is it cached?

    Damn it!!! I can't remember!!! <g>


    > does a reboot clear the cache?

    No, it's stored in the registry. Only if the DCs in the site don't respond
    in a timely fashion does the locator start from scratch.


    > If not, is there a way to force a client the next time the user logs in,
    > to go and validate if a DC is available in the Site?

    The client's site information is stored in a dynamic value in the registry:
    -- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DynamicSiteName


    You can override this with this value to always specify a site:
    -- HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName


    You *should* not edit the dynamic value; override using the static value.

    More info here:
    --
    http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_jqiy.asp?frame=true


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

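The following PowerShell is an added example illustrating the reply above; it is not code from the thread or from either poster. It reads the two Netlogon values Paul names (DynamicSiteName, the locator's cached result, and SiteName, the static override), forces the DC locator to re-run discovery without a reboot using nltest's documented /force switch, and writes the override only to SiteName, never to the dynamic value. It assumes a domain-joined Windows client with PowerShell 5.1 or later and nltest.exe, run from an elevated session; the site name 'BranchOffice' is a placeholder.

```powershell
# Added example, not from the thread. Assumes a domain-joined Windows client,
# PowerShell 5.1+, nltest.exe, and an elevated session for the Set-/Remove- calls.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-ClientSiteState {
    # DynamicSiteName is what the locator last discovered and persisted across
    # reboots; SiteName is absent unless an administrator set the override.
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop
    [pscustomobject]@{
        DynamicSiteName = $p.DynamicSiteName
        SiteName        = $p.SiteName
        Overridden      = -not [string]::IsNullOrEmpty($p.SiteName)
        LocatorSite     = (nltest /dsgetsite 2>$null | Select-Object -First 1)
    }
}

function Reset-DcLocatorCache {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # /force discards the cached DC entry and runs discovery again, which is
    # the "re-point to a local DC without a reboot" the thread asks about.
    nltest "/dsgetdc:$Domain" /force
    # Show which DC now holds this machine's secure channel.
    nltest "/sc_query:$Domain"
}

function Set-StaticSiteOverride {
    param([Parameter(Mandatory)][string]$Site)   # e.g. 'BranchOffice' (placeholder)
    # Write the static SiteName value, as the reply advises, and leave
    # DynamicSiteName alone. Netlogon honours it at the next discovery,
    # so call Reset-DcLocatorCache afterwards.
    Set-ItemProperty -Path $NetlogonParams -Name 'SiteName' -Value $Site -Type String
}

function Remove-StaticSiteOverride {
    # Drop the override so the locator falls back to subnet-to-site mapping.
    Remove-ItemProperty -Path $NetlogonParams -Name 'SiteName' -ErrorAction SilentlyContinue
}

# Typical check: what does the client think its site is, before and after a forced rediscovery?
Get-ClientSiteState
Reset-DcLocatorCache
Get-ClientSiteState
```

If DynamicSiteName disagrees with the site your subnet objects map the client to, that mismatch (rather than the cache lifetime) is usually the thing to fix, because the override pins every future discovery to one site regardless of where the machine is later connected.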
  6.

    > If I understand right, you are suggesting that if a DC does not get back
    > to a client request within 100ms, you don't want traffic there. So,
    > for example, a frame relay T1 link has a latency of 80-120ms on its
    > own. Therefore, it would never log onto the AD Site that its
    > subnet is mapped to?

    Hmmm...interesting scenario. I'm not sure of the answer. I'd have to test
    this. I will say that you can more than likely fudge this timeout. You can
    practically change every TCP/IP setting in Windows NT 5.x.


    > On note 2: you mentioned it looks up DNS every time it needs to go back to
    > a DC. My understanding is quite different; otherwise, every time it went to
    > do any LDAP query (e.g. look up the GAL in Outlook), it would do a
    > DNS lookup first to find which DC to go to?

    Yes, this is as I understand it too, excluding DNS Resolver (client)
    caching. If it's not in the local cache, it makes a DNS call. Different
    operations require different info. Look at all the sub-domains under _msdcs
    for the kinds of different calls you can expect.


    > I take it that no one knows how to re-point a client PC back to its home
    > DC for authentication without a reboot, unless your point 2 applies for
    > all DC access, every time.

    Perhaps. I've added some comments specific to your initial post. You'll
    find them directly underneath your original post. You can manually force a
    client to use a certain site. You can also play with SRV weightings and
    priorities in the local DNS server.


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/

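Both Ryan's first reply (weighting DCs in DNS) and Paul's closing remark about SRV weightings and priorities refer to the same mechanism, so one added example covers both; it is not code from the thread or from either poster. Clients query the site-specific name (_ldap._tcp.<Site>._sites.dc._msdcs.<domain>) before the generic one under dc._msdcs, and within a result set they try lower Priority values first and use Weight only to spread load among records of equal priority; that ordering is why weighting the generic records does not by itself defeat site affinity. The script lists both record sets as the client sees them and, when run on a DC, reads or sets the Netlogon LdapSrvPriority and LdapSrvWeight values that control what that DC registers. It assumes the DnsClient module (Windows 8 / Server 2012 or later); 'BranchOffice' is a placeholder site name and the priority 200 is an illustrative value.

```powershell
# Added example, not from the thread. Assumes the DnsClient module
# (Windows 8 / Server 2012 or later); the Set-/Get-DcSrvWeighting functions
# must run on the domain controller whose records you want to influence.
function Get-DcSrvRecords {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Site                        # optional; e.g. 'BranchOffice' (placeholder)
    )
    # Site-specific records live under <Site>._sites.dc._msdcs; the generic
    # set the thread calls "the _tcp area" has no site component.
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }
            else       { "_ldap._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        # Lower Priority wins outright; Weight only matters among equal priorities.
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object Name, NameTarget, Priority, Weight, Port
}

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DcSrvWeighting {
    # On a DC: the values Netlogon stamps into every SRV record it registers.
    # Absent values mean the defaults (priority 0, weight 100).
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop
    [pscustomobject]@{
        LdapSrvPriority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }
        LdapSrvWeight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }
    }
}

function Set-DcSrvWeighting {
    param(
        [ValidateRange(0, 65535)][int]$Priority = 0,
        [ValidateRange(0, 65535)][int]$Weight   = 100
    )
    # Raising Priority makes clients prefer other DCs in the same record set;
    # it does not pull clients away from their own site's records.
    Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvPriority' -Value $Priority -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord
    # Re-register this DC's SRV records immediately instead of waiting for
    # the periodic Netlogon refresh.
    nltest /dsregdns
}

# What a client in the placeholder site sees, then the generic fallback set.
Get-DcSrvRecords -Site 'BranchOffice'
Get-DcSrvRecords

# On a hub DC that should only be used when branch DCs are unavailable
# (illustrative value; run on that DC, not on the client):
# Set-DcSrvWeighting -Priority 200
```

Comparing the two listings is a quick way to verify the "site stickiness" Ryan was worried about: if the site-specific query returns records, a site-aware client will not fall through to the generic set unless those DCs fail to answer its LDAP pings, so weighting the generic records affects only clients with no site mapping or whose site DCs are down.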