Re: Multi-Site, Single Domain



First off, in a single domain forest, make all DCs into GCs; there is no reason not to, as there is no overhead and every DC can do full authentication.

Second off, it should be a GC since it is your DR site... Without a GC at your DR site, if you are in native mode, normal users wouldn't be able to log on if there were a true disaster.

Finally, the machines should be using the DCs in their site unless there is a problem with those DCs, at which point the machines will try other machines in the site and, if none are found functioning, they will go outside of the site. Assuming everything is configured properly, this is how it should work.

What do you mean by SERVER$ entries? Do you mean sessions? If so, that doesn't mean the SERVER$ machine is authenticating against the DC. The only way to figure that info out is to use nltest /dsgetdc:domain or look at the logonserver environment variable. The sessions could be from any number of other things.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Nick wrote:
I currently have 3 AD servers in my organization. 2 are GCs, and the other, offsite, is used in the event of a disaster and is not a GC. I have 2 sites configured in Sites and Services and two subnets (1 for my default location and 1 for the disaster site). In running nltest.exe /SERVER:someserver /dsgetsite, I can see that my servers are showing up in their correct sites. I am noticing a lot of SERVER$ entries on my disaster recovery site DC from servers at the default location. Is there a way to adjust my settings so that the servers do not go across a slower VPN link for authentication purposes? I read it was not recommended to switch the LDAP priorities on the DCs, but I was not sure how true it is. Should servers in SITE1 go to SITE2 for authentication if DCs in SITE1 are available?
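
Added example, not part of the original thread or written by either poster: a PowerShell parser for the output of the `nltest /dsgetdc:domain` check mentioned in the reply, reporting whether the located DC sits in the machine's own site and whether it is a GC. The DC name `DRDC01`, the domain `corp.example`, the address and the function name are constructed for illustration; `SITE1` and `SITE2` follow the question.

```powershell
# Added example. Parses the text that "nltest /dsgetdc:<domain>" prints and
# reports whether the located DC is in the caller's own AD site.
function ConvertFrom-NltestDsGetDc {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @{}
    foreach ($line in $Lines) {
        # Each result line is "Label: value"; split on the first colon only.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    if (-not $fields.ContainsKey('DC')) {
        # On failure nltest prints a status line instead of a DC record.
        throw "No DC record in nltest output: $($Lines -join ' ')"
    }

    $flags      = @($fields['Flags'] -split '\s+' | Where-Object { $_ })
    $dcSite     = $fields['Dc Site Name']
    $clientSite = $fields['Our Site Name']   # may be absent if the client maps to no site

    [pscustomobject]@{
        LocatedDC  = $fields['DC'].TrimStart('\')
        DcSite     = $dcSite
        ClientSite = $clientSite
        IsGC       = $flags -contains 'GC'
        SameSite   = [bool]$clientSite -and ($dcSite -eq $clientSite)
    }
}

# Constructed sample: a SITE1 server that was handed the DR-site DC.
$sample = @'
           DC: \\DRDC01.corp.example
      Address: \\10.20.0.5
     Dom Name: corp.example
  Forest Name: corp.example
 Dc Site Name: SITE2
Our Site Name: SITE1
        Flags: DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
'@ -split "`r?`n"

ConvertFrom-NltestDsGetDc -Lines $sample | Format-List

# Live use on a domain member:
#   ConvertFrom-NltestDsGetDc -Lines (nltest "/dsgetdc:$env:USERDNSDOMAIN")
#   $env:LOGONSERVER   # DC that handled the interactive user's logon
```

For the constructed sample the result shows `SameSite : False` and `IsGC : False`, the situation the question is worried about; session entries on the DR DC alone would not show it.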