Re: user Authentication question
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 14 Mar 2007 08:47:28 -0500
"Jack" <Jack@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:256BE021-03C1-459D-98FF-5BB5D87A4E70@xxxxxxxxxxxxxxxx
> "Herb Martin" wrote:
>> "Jack" <Jack@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:EFD0C7D1-E304-4763-9580-D5F3455114FD@xxxxxxxxxxxxxxxx
>>> Hi All
>>> Just want to confirm something before my company gets into a DR project.
>>> We have a site that has a domain controller which serves as GC, DNS, DHCP,
>>> file print server. I know it's wrong but this is the infrastructure that I
>>> inherited and don't think I have management staff's approval to change
>>> anything.
>>
>> What is wrong about it? Maybe the file server could be better moved
>> elsewhere but that is not obvious without knowing more about the situation
>> -- it is NOT automatically "wrong" but may be in some specific cases.
>
> The server is being overtaxed with file services, print services,

Then that is what makes it wrong, i.e., the "overtaxing" which is far from
obvious just because you run the services that way.

> DNS, logon takes forever; on top of that it's also participating in DFS,
> WSUS as well as being a backup server.

How many (active) client machines for this server? Especially for the WSUS?
Is it doing active backups during business hours?

As to the DNS, most such slowness is due to the configuration being incorrect
and this may account for SOME of the other problems.

What are the typical-average values for these PerfMon counters:

  Pages per Second (memory)
  CPU % (processor)
  Physical Disk time %
  (also) Seconds per transfer
  Disk Queue length

If it is a dual processor system, what is the Processor Queue Length?

Internal (domain) computers must be set to use STRICTLY the INTERNAL DNS
Server (set) which can resolve the DCs and other internal resources, on all
interfaces.

Check replication. Make sure every DC can pass a complete "DCDiag /c" with
NO FAIL or WARN messages when run locally on that DC.

>>> Anyways, as we are planning this DR project we realize that this DR site
>>> can serve as a fail over for these users at the site. Mainly providing
>>> file server access by changing the login script to remap users to the DR
>>> site's server. Since this production server serves as GC as well how will
>>> users be able to authenticate if the production GC is down?
>>
>> You should have more than one GC, generally at least one per Site, and for
>> fault tolerance at least TWO GCs per site.
>
> Yes I would like to put another GC at that site but at the current time $
> is an issue and my boss is not about to shell out the $ for another server
> @ this time

You still should have other GCs in other Sites.

>> In a single domain forest, or even a small multidomain forest maybe, every
>> DC should be a GC.
>
> Yes all our DCs are GC also with the exception of the FSMO role holder

It should be too -- unless you have multiple (larger) domains in the forest.

>>> Here is what I am thinking, since GCs advertise themselves using DNS SRV
>>> records. If I was to change the DHCP scope to add an additional DNS entry
>>> to a DNS server on a different subnet would that do the trick? As in that
>>> when the DC fails users can go thru DNS and find another GC on a different
>>> subnet and authenticate?
>>
>> Yes, but that isn't just about the GC, but is also important to find a DC
>> and every other DNS resource name.
>
> I am sorry for the stupid question but a server must be a DC before it can
> become a GC right? If I have an alternative DNS configured all the other
> DNS resources would be available from a different location right?

Yes. You should do this unless you wish local DC/GC/DNS failure to also
cause the clients to fail authentication and resource access.

>> Generally client machines should have the "closest" DNS server listed
>> first as Preferred, and other DNS servers (with the same info) listed as
>> Alternates.
>>
>>> If the above is true is there any way that I can define what GC will be
>>> used?
>>
>> No. And you don't want to do that. Clients already use the DC/GC from
>> their OWN Site in preference.
>>
>> You did actually define your "Sites" in AD Sites and Services, right?
>> (You weren't just using "site" to mean "location".)
>
> Yes I am sorry I am using those terms loosely and I will refer to site as
> defined in Sites and services and "location" as in physical location. Site
> is defined in Sites and services.

No, you did NOTHING wrong -- some people unfortunately say "site"
without ever having defined those sites. As long as you have your sites
correctly defined you are doing it right.

You should check that all Sites have the correct DCs, correct SiteLink
membership, correct subnets defined etc.

Every Site should then (typically) be removed from the "default-ip-sitelink"
once they have their own specific sitelink(s).
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
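The two checks Herb asks for on the overtaxed DC (the PerfMon counter averages and a clean "DCDiag /c") can be gathered in one go. The PowerShell below is an added example written for this page, not code from the thread or its participants. It uses the standard Get-Counter cmdlet and the dcdiag.exe tool; the warning thresholds in $thresholds are assumed rules of thumb chosen for illustration, and the FAIL/WARN detection is a simple text heuristic over dcdiag's output.

```powershell
# Added example (not part of the thread): sample the PerfMon counters Herb
# lists, average them over a short window, and run "DCDiag /c" locally.
# Thresholds are assumed rules of thumb only; tune them for your hardware.

$counters = @(
    '\Memory\Pages/sec',
    '\Processor(_Total)\% Processor Time',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',
    '\PhysicalDisk(_Total)\Current Disk Queue Length',
    '\System\Processor Queue Length'    # only meaningful on multi-processor boxes
)

# Hypothetical thresholds; keys match the counter paths above (host prefix stripped)
$thresholds = @{
    '\Memory\Pages/sec'                               = 1000
    '\Processor(_Total)\% Processor Time'             = 80
    '\PhysicalDisk(_Total)\% Disk Time'               = 80
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer'    = 0.025   # 25 ms
    '\PhysicalDisk(_Total)\Current Disk Queue Length' = 2
    '\System\Processor Queue Length'                  = 4       # ~2 per core on a dual-proc
}

function Get-DcPerfBaseline {
    param([int]$SampleInterval = 5, [int]$MaxSamples = 12)   # default: one minute of data

    $data = Get-Counter -Counter $counters -SampleInterval $SampleInterval -MaxSamples $MaxSamples
    # Sample paths come back as \\HOST\memory\pages/sec; strip the host so they
    # match the keys in $thresholds (hashtable lookups are case-insensitive)
    $data.CounterSamples |
        Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } |
        ForEach-Object {
            $avg   = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $limit = $thresholds[$_.Name]
            [pscustomobject]@{
                Counter   = $_.Name
                Average   = [math]::Round($avg, 3)
                Threshold = $limit
                Status    = if ($null -ne $limit -and $avg -gt $limit) { 'INVESTIGATE' } else { 'ok' }
            }
        }
}

function Test-DcDiagClean {
    # Herb's bar: a complete "DCDiag /c" with NO FAIL or WARN messages, run on the DC itself.
    # Matching "failed test" / "warning" in the text output is a heuristic, not a parser.
    $lines    = & dcdiag.exe /c 2>&1 | ForEach-Object { "$_" }
    $problems = @($lines | Where-Object { $_ -match 'failed test|\bwarning\b' })
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Clean    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Run both on the DC and eyeball anything flagged INVESTIGATE or Clean = False
Get-DcPerfBaseline | Format-Table -AutoSize
Test-DcDiagClean
```

Run it during business hours, when Herb's question about daytime backups matters most; a single minute of samples is enough to see whether disk time and queue length, rather than DNS, are what makes logon "take forever".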
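Herb's answer to the failover question rests on three things a practitioner can verify: that clients can locate GCs and DCs through the DNS SRV records Jack mentions, that every interface lists only internal DNS servers (closest as Preferred, the rest as Alternates), and that each AD Site really has its DCs, GCs, subnets and its own SiteLink rather than lingering on the default one. The PowerShell below is an added example for this page, not code from the thread; it relies on the DnsClient and ActiveDirectory modules, and the forest name and DNS server addresses in the usage lines are placeholders you replace with your own.

```powershell
# Added example (not part of the thread): verify GC/DC discovery via DNS SRV,
# DNS client server ordering, and AD Site topology. Forest name and DNS
# addresses used at the bottom are placeholders.

function Get-GcFromDns {
    param(
        [Parameter(Mandatory)][string]$Forest,   # forest root DNS name (placeholder in usage)
        [string]$Site                            # optional AD Site name
    )
    # Clients query the generic record, or the Site-specific one for their own Site first
    $name = if ($Site) { "_gc._tcp.$Site._sites.$Forest" } else { "_gc._tcp.$Forest" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{n = 'Record'; e = { $name }}, NameTarget, Port, Priority, Weight
}

function Test-DnsClientOrder {
    param([Parameter(Mandatory)][string[]]$InternalDns)   # your internal DNS servers
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            # Herb: STRICTLY internal DNS on ALL interfaces, so any other address is a finding
            $foreign = @($_.ServerAddresses | Where-Object { $InternalDns -notcontains $_ })
            [pscustomobject]@{
                Interface   = $_.InterfaceAlias
                Preferred   = $_.ServerAddresses[0]
                Alternates  = (@($_.ServerAddresses | Select-Object -Skip 1) -join ', ')
                NonInternal = ($foreign -join ', ')
                Ok          = ($foreign.Count -eq 0)
            }
        }
}

function Test-AdSiteTopology {
    Import-Module ActiveDirectory -ErrorAction Stop
    $sites   = Get-ADReplicationSite -Filter *
    $links   = Get-ADReplicationSiteLink -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *     # DCs of the current domain
    foreach ($site in $sites) {
        $siteDcs   = @($dcs | Where-Object Site -eq $site.Name)
        $siteLinks = @($links | Where-Object { $_.SitesIncluded -contains $site.DistinguishedName })
        [pscustomobject]@{
            Site           = $site.Name
            DCs            = $siteDcs.Count
            GCs            = @($siteDcs | Where-Object IsGlobalCatalog).Count   # Herb: >= 1, ideally 2
            Subnets        = @($subnets | Where-Object Site -eq $site.DistinguishedName).Count
            SiteLinks      = ($siteLinks.Name -join ', ')
            # Herb: once a Site has its own link(s) it should leave the default one
            StillOnDefault = ($siteLinks.Name -contains 'DEFAULTIPSITELINK')
        }
    }
}

# Usage with placeholder values
Get-GcFromDns -Forest 'corp.example' | Format-Table -AutoSize
Test-DnsClientOrder -InternalDns '10.0.0.10', '10.0.0.11' | Format-Table -AutoSize
Test-AdSiteTopology | Format-Table -AutoSize
```

A Site row with GCs = 0, Subnets = 0 or StillOnDefault = True is exactly the misconfiguration Herb says to check for; a DNS client row with Ok = False means that interface could still send domain lookups somewhere that cannot resolve the DCs, which is the failure mode Jack's alternate DNS entry is meant to avoid.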