Gil, you are correct. I think Roger is confusing not having the client's subnet defined in AD with auto-site coverage. If the client's subnet is not defined in AD then the process Stuart outlined is followed. If you have an empty site (a site without a DC) the following algorithm is used per the Resource Kit. A client will then authenticate with one of the DCs in the site determined by the auto-site coverage algorithm. It has been my experience that this works correctly, and can easily be verified by ensuring there are site-specific SRV records registered in DNS for the empty site.

-Mark

Site Coverage Algorithm

During registration of SRV records in DNS, the following algorithm is used to determine which domain controllers register site SRV records that designate them as preferred domain controllers in sites that do not have a specific domain represented.

For every domain controller in the forest, follow this procedure:

1. Build a list of target sites - sites that have no domain controllers for this domain (the domain of the current domain controller).
2. Build a list of candidate sites - sites that have domain controllers for this domain.
3. For every target site, follow these steps:
   * Build a list of candidate sites of which this domain is a member. (If none, do nothing.)
   * Of these, build a list of sites that have the lowest site link cost to the target site. (If none, do nothing.)
   * If more than one, break ties (reduce this list to one candidate site) by choosing the site with the largest number of domain controllers.
   * If more than one, break ties by choosing the site that is first alphabetically.
   * Register target-site-specific SRV records for the domain controllers for this domain in the selected site.

-----Original Message-----
From: Gil Kirkpatrick
Sent: Tue 10/29/2002 1:10 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] Sites with no DC

But NETLOGON does create SRV recs to cover DC-less sites if there are sites and subnets defined, which is what the original post indicated ("to create an empty site (no DCs)for you [sic] subnets")

At least that's how I read it...

-gil

-----Original Message-----
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
Sent: Tuesday, October 29, 2002 11:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sites with no DC

Site coverage works exactly as Stuart Kwan explained - without manual intervention of the RR records, the actual logins are processed fairly randomly - they don't necessarily authenticate to the closest site. It just doesn't happen.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
> Sent: Tuesday, October 29, 2002 12:27 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Sites with no DC
>
> Really? What part is not the case? That clients don't authenticate,
> or that DCs don't publish SRV recs to cover DC-less sites based on
> cost?
>
> My experience has been that site coverage works as advertised.
>
> -gil
>
> -----Original Message-----
> From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> Sent: Tuesday, October 29, 2002 7:43 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Sites with no DC
>
> > If you decide "to create an empty site (no DCs)for you subnets", the
> > autosite coverage algorithm will ensure that clients in that site
> > are authenticated with a DC in a nearby site. The DCs in the closest
> > site based on cost will register site-specific SRV records for the
> > empty site.
>
> From experience, I can tell you unequivocally that this is NOT the
> case. As recently as Win2k SP2.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Tucker, Mark [mailto:MTucker@;aelita.com]
> > Sent: Thursday, October 24, 2002 3:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Sites with no DC
> >
> > I would agree that you want to register the subnets in Sites and
> > Services.
> >
> > If a client attempts to authenticate from a subnet that is not
> > registered, AD has no way to determine what site the client is in.
> > In this case, I believe the client will query DNS for all of the DCs
> > in the domain and then attempt to contact each one in turn. The
> > first one that replies will be used for authentication.
> >
> > If you decide to create an empty site (no DCs)for you subnets, the
> > autosite coverage algorithm will ensure that clients in that site
> > are authenticated with a DC in a nearby site. The DCs in the closest
> > site based on cost will register site-specific SRV records for the
> > empty site.
> >
> > -Mark
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
> > Sent: Thursday, October 24, 2002 9:39 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Sites with no DC
> >
> > > Oh, and this all does assume that YOUR network engineers TELL you
> > > when they put in a whole 'nother group of networks or sub-netted
> > > something that you already had defined. No, really - I'm not
> > > bitter....
> >
> > Glad to know that happens elsewhere, too.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Inovis - Formerly Harbinger and Extricity
> > Atlanta, GA
> >
> > > -----Original Message-----
> > > From: Rick Kingslan [mailto:rkingsla@;cox.net]
> > > Sent: Thursday, October 24, 2002 9:41 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Sites with no DC
> > >
> > > I'd agree with Roger on this one - unless you don't mind machines
> > > in Pensacola, FL authenticating in Reno, NV. If we don't have one
> > > of our subnets defined to some site, we see messages from the
> > > Locator reporting that some machine at some site with the subnet
> > > xx.xx couldn't find an associated site. It suggests that you might
> > > want to create a subnet for it.
> > >
> > > If these types of events are rare, or there are a small number of
> > > un-associated machines, or, if you have boatloads of bandwidth,
> > > then it might not be a problem.
> > >
> > > I'd take chance out of the equation and just create the subnets
> > > and associate them with your hub until you have a clearer idea of
> > > what the traffic pattern should be.
> > >
> > > Oh, and this all does assume that YOUR network engineers TELL you
> > > when they put in a whole 'nother group of networks or sub-netted
> > > something that you already had defined. No, really - I'm not
> > > bitter....
> > >
> > > Rick Kingslan - Microsoft MVP [Windows NT/2000]
> > > Microsoft Certified Trainer
> > > MCSA, MCSE+I - Windows NT / 2000
> > >
> > > "Any sufficiently advanced technology
> > > is indistinguishable from magic."
> > > --- Arthur C. Clarke
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of
> > > > Roger Seielstad
> > > > Sent: Thursday, October 24, 2002 6:59 AM
> > > > To: '[EMAIL PROTECTED]'
> > > > Subject: RE: [ActiveDir] Sites with no DC
> > > >
> > > > From experience, I wouldn't trust the locator to get 'close'
> > > > very often.
> > > >
> > > > During our initial deployment, the WAN team changed the IP pools
> > > > of our VPN concentrators. After looking through some of the logs
> > > > on domain controllers, we were seeing a very random distribution
> > > > of authentication, with some authentication happening 4 WAN hops
> > > > away, when there were multiple DCs on different local subnets.
> > > >
> > > > I'd strongly suggest creating a subnet object for each subnet on
> > > > your network, and associating each of them with a site.
> > > >
> > > > ------------------------------------------------------
> > > > Roger D. Seielstad - MCSE
> > > > Sr. Systems Administrator
> > > > Inovis - Formerly Harbinger and Extricity
> > > > Atlanta, GA
> > > >
> > > > > -----Original Message-----
> > > > > From: Garello, Kenneth [mailto:KGarello@;worcester.edu]
> > > > > Sent: Wednesday, October 23, 2002 5:07 PM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: RE: [ActiveDir] Sites with no DC
> > > > >
> > > > > How much overhead does leaving it up to the locator incur?
> > > > >
> > > > > Ken
> > > > >
> > > > > -----Original Message-----
> > > > > From: Gil Kirkpatrick [mailto:gilk@;netpro.com]
> > > > > Sent: Wednesday, October 23, 2002 4:37 PM
> > > > > To: '[EMAIL PROTECTED]'
> > > > > Subject: RE: [ActiveDir] Sites with no DC
> > > > >
> > > > > Hey Don,
> > > > >
> > > > > Is this your first post to the list? If so, welcome.
> > > > >
> > > > > To answer your question, no you don't have to create a site
> > > > > for each subnet. You can associate multiple subnets with a
> > > > > single site. Or you can leave the subnets unassigned, and the
> > > > > DC locator will do its best to find a DC "close" to the
> > > > > authenticating PC.
> > > > >
> > > > > -gil
> > > > >
> > > > > -----Original Message-----
> > > > > From: Don Murawski (Lenox)
> > > > > [mailto:Don.Murawski@;worldtravel.com]
> > > > > Sent: Wednesday, October 23, 2002 1:02 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [ActiveDir] Sites with no DC
> > > > >
> > > > > We have subnets without dc's, do you need to create a site and
> > > > > subnet in Sites and Services anyway for those sites?
> > > > >
> > > > > Don L Murawski

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
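
The site coverage algorithm quoted from the Resource Kit in the first message of this thread, worked through as an added example (not part of any poster's message and not Microsoft's code). It lists, for each DC-less site, the site-specific SRV name and the DCs expected to register it, which is the record to look for when verifying coverage in DNS. Assumptions: the site names, DC names, costs and the domain `example.com` are constructed; `link_cost` is taken to hold the already-computed lowest cost between two sites; the owner name uses the standard `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` form.

```python
# Added example: the Resource Kit site coverage steps as plain Python.
# All site names, DC names, costs and the domain are constructed sample data.

SAMPLE_DCS = {  # site -> DCs of this domain located in that site
    "Atlanta": ["dc1", "dc2"], "Boston": ["dc3", "dc4"], "Chicago": ["dc5"],
    "Reno": [], "Tulsa": [], "Lab": [],  # DC-less (target) sites
}
SAMPLE_COSTS = {  # assumed: lowest site link cost between two sites
    frozenset(("Reno", "Atlanta")): 100, frozenset(("Reno", "Boston")): 100,
    frozenset(("Reno", "Chicago")): 100, frozenset(("Tulsa", "Atlanta")): 200,
    frozenset(("Tulsa", "Chicago")): 50,  # "Lab" has no site link at all
}


def covering_site(target, dcs_by_site, link_cost):
    """Return the candidate site whose DCs cover `target`, or None."""
    # Step 2: candidate sites are those that have DCs for this domain.
    candidates = [s for s, dcs in dcs_by_site.items() if dcs]
    # Step 3: keep candidates that have a cost to the target site.
    costs = {s: link_cost[frozenset((s, target))] for s in candidates
             if frozenset((s, target)) in link_cost}
    if not costs:
        return None  # "If none, do nothing."
    lowest = min(costs.values())
    tied = [s for s in costs if costs[s] == lowest]
    # Tie-breaks: largest number of DCs, then first alphabetically.
    tied.sort(key=lambda s: (-len(dcs_by_site[s]), s.lower()))
    return tied[0]


def coverage_plan(dcs_by_site, link_cost, domain):
    """Map each DC-less site to (SRV owner name, DCs expected to register it)."""
    plan = {}
    for target in sorted(s for s, dcs in dcs_by_site.items() if not dcs):
        site = covering_site(target, dcs_by_site, link_cost)
        if site is not None:
            owner = f"_ldap._tcp.{target}._sites.dc._msdcs.{domain}"
            plan[target] = (owner, sorted(dcs_by_site[site]))
    return plan


if __name__ == "__main__":
    for site, (owner, dcs) in coverage_plan(
            SAMPLE_DCS, SAMPLE_COSTS, "example.com").items():
        print(f"{site}: expect SRV {owner} -> {', '.join(dcs)}")
```

A target site missing from the plan (here the constructed "Lab" site) has no candidate site with a link cost, so no site-specific records would be expected for it.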