Re: Which DC for authentication?



Baba says...
> This is my problem:
> I have a domain with 2 subdomains: father.com, child1.father.com,
> child2.father.com and 8 sites.
> In every site there are two DCs, one for child1.father.com and one for
> child2.father.com.
> Very often clients in a site use DCs of other sites to authenticate.
> I have checked the configuration of the DNS server:
> In the zone child1.father.com in the directory _tcp there is an entry _ldap,
> _kerberos and _kpasswd for each DC of the domain.
> In _sites.<sitename>._tcp there is an entry _ldap and _kerberos for the DC of
> the site but also for some other DCs of the other sites. Is it correct?
>

Hello Baba,

No, it's supposed to contain only the DC which is in that site, if there is a
DC in that site.

However, this is a migration issue. There's a feature called Automatic Site
Coverage which makes sure that every site has at least one DC for every domain.
When you are implementing sites you usually first configure the site, then move
the DC to that site or freshly install a DC with an IP address matching one of
the subnets in that site. So there is a moment where a site exists without a
DC, and another DC might figure that out in that time and decide to be so kind
as to provide services for that DC-less site.

Usually - if DNS aging and scavenging is configured - this will be cleaned up
over time. If it's not, or if the site is quite new, you can do this
yourself.

You can simply delete the records which are not supposed to be there.

Don't worry too much - I'd do that in the evening - because if you delete one
entry which is supposed to be there the DC will recreate it after a while or
when rebooting or when restarting the netlogon service.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
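
A read-only audit of the situation discussed in this thread, as an added example that is not part of the original posts: it resolves the site-specific `_ldap` and `_kerberos` SRV records for every site and compares each target with the site the DC is actually placed in. It assumes the RSAT ActiveDirectory module and a domain-joined admin workstation; the domain name is the one from the question, and the `Status` labels are made up for this example.

```powershell
# Added example (not from the thread): list site-specific DC locator SRV
# records and mark those that point at a DC placed in a different site.
# Assumes the RSAT ActiveDirectory module; reads DNS and AD only, changes nothing.
Import-Module ActiveDirectory

$Domain = 'child1.father.com'   # domain from the question; adjust as needed

# Every DC of this domain together with the site it is placed in
$dcs   = Get-ADDomainController -Filter * -Server $Domain | Select-Object HostName, Site
# Sites are forest-wide, so any DC of the domain can list them
$sites = Get-ADReplicationSite -Filter * -Server $Domain | Select-Object -ExpandProperty Name

$report = foreach ($site in $sites) {
    $siteHasDc = [bool]($dcs | Where-Object { $_.Site -eq $site })
    foreach ($svc in '_ldap', '_kerberos') {
        # DNS name of the record shown under _sites\<sitename>\_tcp in the console
        $name = '{0}._tcp.{1}._sites.{2}' -f $svc, $site, $Domain
        $srv  = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' }
        foreach ($rec in $srv) {
            $target = $rec.NameTarget.TrimEnd('.')
            $home   = ($dcs | Where-Object { $_.HostName -eq $target }).Site
            $status = if     ($home -eq $site) { 'ok' }             # DC lives in this site
                      elseif (-not $home)      { 'unknown-dc' }     # target is not a current DC
                      elseif (-not $siteHasDc) { 'site-coverage' }  # site has no DC of its own
                      else                     { 'other-site-dc' }  # leftover to review
            [pscustomobject]@{
                Site = $site; Service = $svc; Target = $target
                DcSite = $home; Priority = $rec.Priority; Status = $status
            }
        }
    }
}

# Records worth reviewing first, then the full picture
$report | Where-Object { $_.Status -in 'other-site-dc', 'unknown-dc' } |
    Sort-Object Site, Service | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

Rows marked `other-site-dc` correspond to the entries the reply says can be deleted by hand; run the same check against `child2.father.com` for the second child domain.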