Gil, you are correct.  I think Roger is confusing not having the
client's subnet defined in AD with auto-site coverage.  If the client's
subnet is not defined in AD then the process Stuart outlined is
followed.

If you have an empty site (a site without a DC) the following algorithm
is used per the Resource Kit.  A client will then authenticate with one
of the DCs in the site determined by the auto-site coverage algorithm.
It has been my experience that this works correctly, and can easily be
verified by ensuring there are site-specific SRV records registered in
DNS for the empty site.
 
-Mark
 

        Site Coverage Algorithm

        During registration of SRV records in DNS, the following algorithm is
        used to determine which domain controllers register site SRV records
        that designate them as preferred domain controllers in sites that do
        not have a specific domain represented.

        For every domain controller in the forest, follow this procedure:

        1. Build a list of target sites - sites that have no domain
           controllers for this domain (the domain of the current domain
           controller).

        2. Build a list of candidate sites - sites that have domain
           controllers for this domain.

        3. For every target site, follow these steps:

           * Build a list of candidate sites of which this domain is a
             member. (If none, do nothing.)

           * Of these, build a list of sites that have the lowest site link
             cost to the target site. (If none, do nothing.)

           * If more than one, break ties (reduce this list to one candidate
             site) by choosing the site with the largest number of domain
             controllers.

           * If more than one, break ties by choosing the site that is first
             alphabetically.

           * Register target-site-specific SRV records for the domain
             controllers for this domain in the selected site.
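
Added example, not part of Mark's message or the Resource Kit text: a Python model of the algorithm quoted above, computed once per domain rather than on each DC, that lists the site-specific `_ldap._tcp` SRV owner names an empty site should end up with so they can be compared against what is registered in DNS. The site names, DC names, link costs and the domain example.com are constructed sample data.

```python
# Added example: per-domain model of the site coverage algorithm quoted above.
# All site names, DC names, link costs and the domain are constructed sample data.
DOMAIN = "example.com"

# Site -> DCs of DOMAIN located there (an empty list marks a target site).
DCS_BY_SITE = {
    "Atlanta": ["atl-dc1", "atl-dc2"],
    "Boston": ["bos-dc1", "bos-dc2"],
    "Chicago": ["chi-dc1"],
    "Depot": [],    # costs tie, DC counts tie -> alphabetical pick
    "Kiosk": [],    # costs tie -> site with more DCs wins
    "Island": [],   # no site link to any candidate -> stays uncovered
}

# Site link cost between two sites, keyed by the unordered pair.
LINK_COST = {
    frozenset(("Depot", "Atlanta")): 100,
    frozenset(("Depot", "Boston")): 100,
    frozenset(("Depot", "Chicago")): 200,
    frozenset(("Kiosk", "Boston")): 50,
    frozenset(("Kiosk", "Chicago")): 50,
}

def covering_site(target, dcs_by_site, link_cost):
    """Pick the candidate site whose DCs register SRV records for `target`."""
    candidates = [s for s, dcs in dcs_by_site.items()
                  if dcs and frozenset((s, target)) in link_cost]
    if not candidates:
        return None  # "If none, do nothing."
    # Lowest cost, then most DCs, then first alphabetically.
    return min(candidates, key=lambda s: (link_cost[frozenset((s, target))],
                                          -len(dcs_by_site[s]), s.lower()))

def coverage_srv_records(domain, dcs_by_site, link_cost):
    """Map each covered empty site's SRV owner name to the DCs expected in it."""
    records = {}
    for target in (s for s, dcs in dcs_by_site.items() if not dcs):
        site = covering_site(target, dcs_by_site, link_cost)
        if site is not None:
            name = f"_ldap._tcp.{target}._sites.dc._msdcs.{domain}"
            records[name] = sorted(dcs_by_site[site])
    return records

if __name__ == "__main__":
    for name, dcs in coverage_srv_records(DOMAIN, DCS_BY_SITE, LINK_COST).items():
        print(name, "->", ", ".join(dcs))
```

An empty site that is missing from the result (Island in the sample data) has no covering DCs, so clients there would find no site-specific records for it in DNS.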

        -----Original Message----- 
        From: Gil Kirkpatrick 
        Sent: Tue 10/29/2002 1:10 PM 
        To: '[EMAIL PROTECTED]' 
        Cc: 
        Subject: RE: [ActiveDir] Sites with no DC
        
        

        But NETLOGON does create SRV recs to cover DC-less sites if there are sites
        and subnets defined, which is what the original post indicated ("to create
        an empty site (no DCs)for you [sic] subnets")
        
        At least that's how I read it...
        
        -gil
        
        -----Original Message-----
        From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
        Sent: Tuesday, October 29, 2002 11:19 AM
        To: '[EMAIL PROTECTED]'
        Subject: RE: [ActiveDir] Sites with no DC
        
        
        Site coverage works exactly as Stuart Kwan explained - without manual
        intervention of the RR records, the actual logins are processed fairly
        randomly - they don't necessarily authenticate to the closest site. It just
        doesn't happen.
        
        ------------------------------------------------------
        Roger D. Seielstad - MCSE
        Sr. Systems Administrator
        Inovis - Formerly Harbinger and Extricity
        Atlanta, GA
        
        
        > -----Original Message-----
        > From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
        > Sent: Tuesday, October 29, 2002 12:27 PM
        > To: '[EMAIL PROTECTED]'
        > Subject: RE: [ActiveDir] Sites with no DC
        >
        >
        > Really? What part is not the case? That clients don't authenticate, or that
        > DCs don't publish SRV recs to cover DC-less sites based on cost?
        >
        > My experience has been that site coverage works as advertised.
        >
        > -gil
        >
        > -----Original Message-----
        > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
        > Sent: Tuesday, October 29, 2002 7:43 AM
        > To: '[EMAIL PROTECTED]'
        > Subject: RE: [ActiveDir] Sites with no DC
        >
        >
        > > If you decide "to create an empty site (no DCs)for you subnets",  the
        > > autosite coverage algorithm will ensure that clients in that site are
        > > authenticated with a DC in a nearby site.  The DCs in the closest site
        > > based on cost will register site-specific SRV records for the empty
        > > site.
        >
        > From experience, I can tell you unequivocally that this is NOT the case. As
        > recently as Win2k SP2.
        >
        > ------------------------------------------------------
        > Roger D. Seielstad - MCSE
        > Sr. Systems Administrator
        > Inovis - Formerly Harbinger and Extricity
        > Atlanta, GA
        >
        >
        > > -----Original Message-----
        > > From: Tucker, Mark [mailto:MTucker@;aelita.com]
        > > Sent: Thursday, October 24, 2002 3:20 PM
        > > To: [EMAIL PROTECTED]
        > > Subject: RE: [ActiveDir] Sites with no DC
        > >
        > >
        > > I would agree that you want to register the subnets in Sites and
        > > Services.
        > >
        > > If a client attempts to authenticate from a subnet that is not
        > > registered, AD has no way to determine what site the client is in.  In
        > > this case, I believe the client will query DNS for all of the DCs in
        > > the domain and then attempt to contact each one in turn.  The first
        > > one that replies will be used for authentication.
        > >
        > > If you decide to create an empty site (no DCs)for you subnets,  the
        > > autosite coverage algorithm will ensure that clients in that site are
        > > authenticated with a DC in a nearby site.  The DCs in the closest site
        > > based on cost will register site-specific SRV records for the empty
        > > site.
        > >
        > > -Mark
        > > -----Original Message-----
        > > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
        > > Sent: Thursday, October 24, 2002 9:39 AM
        > > To: '[EMAIL PROTECTED]'
        > > Subject: RE: [ActiveDir] Sites with no DC
        > >
        > >
        > > > Oh, and this all does assume that YOUR network engineers TELL you when
        > > > they put in a whole 'nother group of networks or sub-netted something
        > > > that you already had defined.  No, really - I'm not bitter....
        > >
        > > Glad to know that happens elsewhere, too.
        > >
        > > ------------------------------------------------------
        > > Roger D. Seielstad - MCSE
        > > Sr. Systems Administrator
        > > Inovis - Formerly Harbinger and Extricity
        > > Atlanta, GA
        > >
        > >
        > > > -----Original Message-----
        > > > From: Rick Kingslan [mailto:rkingsla@;cox.net]
        > > > Sent: Thursday, October 24, 2002 9:41 AM
        > > > To: [EMAIL PROTECTED]
        > > > Subject: RE: [ActiveDir] Sites with no DC
        > > >
        > > >
        > > > I'd agree with Roger on this one - unless you don't mind machines in
        > > > Pensacola, FL authenticating in Reno, NV.  If we don't have one of our
        > > > subnets defined to some site, we see messages from the Locator
        > > > reporting that some machine at some site with the subnet xx.xx
        > > > couldn't find an associated site.  It suggests that you might want to
        > > > create a subnet for it.
        > > >
        > > > If these types of events are rare, or there are a small number of
        > > > un-associated machines, or, if you have boatloads of bandwidth, then
        > > > it might not be a problem.
        > > >
        > > > I'd take chance out of the equation and just create the subnets and
        > > > associate them with your hub until you have a clearer idea of what the
        > > > traffic pattern should be.
        > > >
        > > > Oh, and this all does assume that YOUR network engineers TELL you when
        > > > they put in a whole 'nother group of networks or sub-netted something
        > > > that you already had defined.  No, really - I'm not bitter....
        > > >
        > > > Rick Kingslan - Microsoft MVP [Windows NT/2000]
        > > >   Microsoft Certified Trainer
        > > >   MCSA, MCSE+I - Windows NT / 2000
        > > >  
        > > > "Any sufficiently advanced technology
        > > > is indistinguishable from magic."
        > > >   ---  Arthur C. Clarke
        > > >
        > > >
        > > >
        > > > > -----Original Message-----
        > > > > From: [EMAIL PROTECTED]
        > > > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of
        > > > > Roger Seielstad
        > > > > Sent: Thursday, October 24, 2002 6:59 AM
        > > > > To: '[EMAIL PROTECTED]'
        > > > > Subject: RE: [ActiveDir] Sites with no DC
        > > > >
        > > > >
        > > > > From experience, I wouldn't trust the locator to get 'close' very
        > > > > often.
        > > > >
        > > > > During our initial deployment, the WAN team changed the IP pools
        > > > > of our VPN concentrators. After looking through some of the logs
        > > > > on domain controllers, we were seeing a very random distribution
        > > > > of authentication, with some authentication happening 4 WAN hops
        > > > > away, when there were multiple DCs on different local subnets.
        > > > >
        > > > > I'd strongly suggest creating a subnet object for each subnet on
        > > > > your network, and associating each of them with a site.
        > > > >
        > > > > ------------------------------------------------------
        > > > > Roger D. Seielstad - MCSE
        > > > > Sr. Systems Administrator
        > > > > Inovis - Formerly Harbinger and Extricity
        > > > > Atlanta, GA
        > > > >
        > > > >
        > > > > > -----Original Message-----
        > > > > > From: Garello, Kenneth [mailto:KGarello@;worcester.edu]
        > > > > > Sent: Wednesday, October 23, 2002 5:07 PM
        > > > > > To: '[EMAIL PROTECTED]'
        > > > > > Subject: RE: [ActiveDir] Sites with no DC
        > > > > >
        > > > > >
        > > > > > How much overhead does leaving it up to the locator incur?
        > > > > > 
        > > > > > Ken
        > > > > > 
        > > > > > -----Original Message-----
        > > > > > From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
        > > > > > Sent: Wednesday, October 23, 2002 4:37 PM
        > > > > > To: '[EMAIL PROTECTED]'
        > > > > > Subject: RE: [ActiveDir] Sites with no DC
        > > > > > 
        > > > > > Hey Don,
        > > > > > 
        > > > > > Is this your first post to the list? If so, welcome.
        > > > > > 
        > > > > > To answer your question, no you don't have to create a site for
        > > > > > each subnet. You can associate multiple subnets with a single
        > > > > > site. Or you can leave the subnets unassigned, and the DC
        > > > > > locator will do its best to find a DC "close" to the
        > > > > > authenticating PC.
        > > > > > 
        > > > > > -gil
        > > > > >       -----Original Message-----
        > > > > >       From: Don Murawski (Lenox) [mailto:Don.Murawski@;worldtravel.com]
        > > > > >       Sent: Wednesday, October 23, 2002 1:02 PM
        > > > > >       To: [EMAIL PROTECTED]
        > > > > >       Subject: [ActiveDir] Sites with no DC
        > > > > >       We have subnets without dc's, do you need to create a
        > > > > >       site and subnet in Sites and Services anyway for those sites?
        > > > > >       
        > > > > >       Don L Murawski
        > > > > >       
        > > > > >
        > > > > List info   : http://www.activedir.org/mail_list.htm
        > > > > List FAQ    : http://www.activedir.org/list_faq.htm
        > > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
        > > > >