
Force authentication to a specific DC where multiple DC's ..

Anonymous
May 3, 2005 12:47:12 PM

Archived from groups: microsoft.public.win2000.active_directory

I apologize if I posted this thread in the wrong forum.

We have five Windows 2003 domain controllers running our main AD site.
Two of those domain controllers have a virtual server running on them.
The guest servers on each are (Windows 2003) RADIUS servers.
Currently, the virtual RADIUS servers authenticate to other DCs in the
main site. Is there any way I can force the virtual RADIUS servers to
authenticate to the host machines (DCs) to reduce network traffic?

I know in AD Sites and Services you can "weight" or prioritize
controllers, but I don't want to make a system wide change. This would
increase traffic to these two particular host DCs.

If anyone has any suggestions I would greatly appreciate it.
Thanks.


--
9number9
------------------------------------------------------------------------
9number9's Profile: http://www.msusenet.com/member.php?userid=886
View this thread: http://www.msusenet.com/t-1870401557
Anonymous
May 4, 2005 2:50:25 AM

Archived from groups: microsoft.public.win2000.active_directory

In WIN2000, without changing either the Weight or the Priority for a specific
Domain Controller (or Controllers), there is - out of the box - pretty
much nothing that you can do to *ensure* that specific Domain Controllers
are used to authenticate requests. Just to repeat what you probably already
know:

Clients will try to authenticate first to a Domain Controller in their Site
(based on IP Address). Clients will authenticate to the DC with the lowest
Priority (so a [0] is going to win vs. a [2]). In the event that
multiple Domain Controllers should have the same Priority then the Weight
value comes into play (so a [80] will authenticate about 4x as many
requests as a [20]...).

By default all Domain Controllers have a Weight of [0] and a Priority of
[100]. So, out of the box there is supposed to be an equal distribution of
authentication requests (well, pretty equal).

And this is actually a DNS thing... not sure about how the Sites and
Services play a role in that (Priority and Weight values). But remember, I
am speaking about WIN2000. In WIN2003 it may have changed... not sure how,
but...

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"9number9" <9number9.1ogmwc@no-mx.msusenet.com> wrote in message
news:9number9.1ogmwc@no-mx.msusenet.com...
>
> I apologize if I posted this thread in the wrong forum.
>
> We have five Windows 2003 domain controllers running our main AD site.
> Two of those domain controllers have a virtual server running on them.
> The guest servers on each are (Windows 2003) RADIUS servers.
> Currently, the virtual RADIUS servers authenticate to other DCs in the
> main site. Is there any way I can force the virtual RADIUS servers to
> authenticate to the host machines (DCs) to reduce network traffic?
>
> I know in AD Sites and Services you can "weight" or prioritize
> controllers, but I don't want to make a system wide change. This would
> increase traffic to these two particular host DCs.
>
> If anyone has any suggestions I would greatly appreciate it.
> Thanks.
>
>
> --
> 9number9
> ------------------------------------------------------------------------
> 9number9's Profile: http://www.msusenet.com/member.php?userid=886
> View this thread: http://www.msusenet.com/t-1870401557
>
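As an added illustration that is not part of any post in this thread: a Python sketch of the SRV selection rule from RFC 2782 (lowest priority first, weighted random choice among equal priorities), which is the priority/weight behaviour the reply above describes. The hostnames and record values are constructed, and the code models the RFC rule rather than Windows' own locator code.

```python
import random
from collections import Counter

# Constructed SRV answers: (target, priority, weight). Hostnames and values
# are hypothetical, chosen to mirror the [0] vs [2] and [80] vs [20] cases.
RECORDS = [
    ("dc1.example.test", 0, 80),
    ("dc2.example.test", 0, 20),
    ("dc3.example.test", 2, 100),
]

def order_targets(records, rng):
    """Return targets in the order an RFC 2782 client would try them."""
    ordered = []
    for prio in sorted({p for _, p, _ in records}):   # lowest priority first
        # Zero-weight records go first in the group, as the RFC specifies.
        group = sorted((r for r in records if r[1] == prio),
                       key=lambda r: r[2] != 0)
        while group:
            pick = rng.randint(0, sum(w for _, _, w in group))
            running = 0
            for rec in group:
                running += rec[2]
                if running >= pick:        # first running sum >= pick wins
                    ordered.append(rec[0])
                    group.remove(rec)
                    break
    return ordered

def first_choice_counts(records, trials=10000, seed=1):
    """Count which target is tried first over many simulated lookups."""
    rng = random.Random(seed)
    return Counter(order_targets(records, rng)[0] for _ in range(trials))

if __name__ == "__main__":
    counts = first_choice_counts(RECORDS)
    for target, n in counts.most_common():
        print(f"{target}: first choice in {n} of 10000 lookups")
    # Failover: with the priority-0 records gone, the priority-2 target is used.
    survivors = [r for r in RECORDS if r[1] != 0]
    print("failover order:", order_targets(survivors, random.Random(1)))
```

The priority-2 target is never tried first while a priority-0 target is listed, so priority gives failover ordering and weight only shares load within one priority level.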
Anonymous
May 5, 2005 2:43:43 PM

Archived from groups: microsoft.public.win2000.active_directory

Thanks for the info, Cary. I know there was a registry hack for this in
NT4.0; I guess I was hoping that there was a similar solution in 2000 or
2003. I will keep searching...


--
9number9
------------------------------------------------------------------------
9number9's Profile: http://www.msusenet.com/member.php?userid=886
View this thread: http://www.msusenet.com/t-1870401557
May 6, 2005 6:59:46 PM

Archived from groups: microsoft.public.win2000.active_directory

Can you put your RADIUS servers on a different IP subnet and assign
that subnet to a different AD site? With VMware you could do all of
that inside the virtual environment; I'm presuming the same might be
true for Virtual Server.