Site link configuration question

Discussion in 'Active Directory' started by Kent, Jul 4, 2008.

  1. Kent

    Kent Guest

    Hi All,
    I would like to seek some opinions from AD experts regarding my scenario
    below:

    Scenario:
    ---------
    1. Active Directory contains 8 domain controllers (all configured as GC), 4
    located at UK data centre and 4 more located at Singapore data centre.
    2. There are around 20 sites created on AD which are located at Asia Pacific
    region and around 40 sites created on AD which are located at Europe &
    America region.
    3. I want to ensure computers at sites located at Asia Pacific will
    authenticate to domain controllers at Singapore data centre and computers at
    sites located at Europe/America to authenticate to domain controllers at UK
    data centre.


    Current setup:
    --------------
    1. Site link between Singapore DC and UK DC has a cost of 10.
    2. A site link is configured to contain multiple sites from Asia Pacific to
    Singapore DC with a cost of 50. The same applies to the Europe/America site link,
    but it's configured to UK DC instead of the Singapore one (with a cost of 50 as
    well).
    3. The problem with this setup is users are authenticating to different
    domain controllers, sometimes to Singapore, then UK.


    My suggestion is to:
    --------------------
    1. Configure 2 site links for 1 site with different costing. Example: Site A
    is located at Asia Pacific, computers at Site A must authenticate to domain
    controllers at Singapore data centre so I will create a Site Link to
    Singapore DC site with cost of 40 and another Site Link to UK site with cost
    of 80. This would ensure the logon authentication will go to the correct
    domain controllers.
    2. Site Link between Singapore DC and UK DC will have a cost of 10.


    But I'm not sure whether this solution is practical, because it'll create
    a lot of Site Links on Active Directory.
    Can anyone give some suggestions?

    Thanks in advance.
     
    Kent, Jul 4, 2008
    #1

  2. Jorge de Almeida Pinto [MVP - DS], Jul 4, 2008
    #2

  3. Jorge de Almeida Pinto [MVP - DS], Jul 4, 2008
    #3
  4. dave m

    dave m Guest

    I assume, and hate to, that there is only a single domain involved here.

    dave Admin
     
    dave m, Jul 4, 2008
    #4
  5. Kent

    Kent Guest

    Hello,
    Yes, subnets are defined correctly and linked to the correct sites.
    Branch sites do not have any DC, and no apps like DFS, MSMQ, etc. are
    installed.

    So are there any good ideas for me to get the logon authentication to work
    correctly?
    Thanks
     
    Kent, Jul 6, 2008
    #5
  6. Kent

    Kent Guest

    Hi Dave,
    yes, this is a single-domain configuration.
     
    Kent, Jul 6, 2008
    #6
  7. in that case I would:
    * create an AD site for each HUB
    * create an AD site link and put the HUBs in it
    * create an AD subnet for each subnet at one HUB and link it to the AD site
    of the corresponding HUB
    * create an AD subnet for each subnet at the branch offices and link it to
    the AD site of the nearest HUB

    this way a client at a branch office will use the nearest HUB

    if you were to have site aware apps in the branch office site I would:
    * create an AD site for each HUB
    * create an AD site for each branch office (BO)
    * create an AD subnet for each subnet at one HUB and link it to the AD site
    of the corresponding HUB
    * create an AD subnet for each subnet at one BO and link it to the AD site
    of the corresponding BO
    * create an AD site link for each BO and its nearest HUB
    in this last scenario the DCs in the HUB will register SRV records in the
    linked BOs and therefore service those BOs as you want

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Jul 7, 2008
    #7
  8. Kent

    Kent Guest

    Hi Jorge,
    Thanks for your advice below.

    I've tested out the 1st solution in virtual environment (without site aware
    apps), and it's working perfectly.

    However, when I test out the 2nd solution it seems that the authentication
    is not consistent. Let me brief you on my virtual setup.

    - 3 sites = SiteA (with 1 domain controller), SiteB (with 1 domain
    controller), SiteC (clients without domain controller)
    - SiteA & SiteB are in the same Site Link with a cost of 20
    - SiteB & SiteC are in the same Site Link with a cost of 50

    When an XP machine from SiteC is logging on to the domain, it should be
    authenticating to the domain controller at SiteB, but sometimes it's going to
    the domain controller at SiteA.

    But when changing the Site Link cost of 50 to 15 (SiteB & SiteC),
    authentication is constantly going to the domain controller at SiteB (which is
    what I want). So, my question is whether it is correct to have a lower cost
    between Branch and HUB than HUB to HUB?

    Appreciate your advice on this.
    Thanks again.
     
    Kent, Jul 7, 2008
    #8
  9. it should not matter what the cost is because the site link between the BO
    and the HUB is always the cheapest! Do you have other site links
    configured?
    you can also use NLTEST on both the client and the DC to test configurations

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Jul 7, 2008
    #9
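As an added illustration (not part of the thread), here is a small Python model of the automatic site coverage decision Jorge describes, run over the SiteA/SiteB/SiteC lab from post #8. It computes least-cost paths over bridged site links and picks the DC site that covers a site without DCs; the site names, costs and the tie-break order (lowest cost, then most DCs, then alphabetically first site name) are constructed assumptions, and the same function also shows why one site link containing several sites, as in the original setup, gives no meaningful preference.

```python
import heapq
from collections import defaultdict

# Constructed topology modelled on the virtual lab in post #8: SiteA and
# SiteB hold one DC each, SiteC (the branch) holds none.
SITE_LINKS = [
    # (site link name, cost, sites included in the link)
    ("HubToHub", 50, {"SiteA", "SiteB"}),
    ("SiteC-SiteB", 80, {"SiteB", "SiteC"}),
]
DCS_PER_SITE = {"SiteA": 1, "SiteB": 1, "SiteC": 0}

def path_costs(site_links, start):
    """Least-cost path from `start` to every reachable site. Every pair of
    sites in one site link is connected at that link's cost, and costs add
    up across links (site link bridging enabled, which is the default)."""
    adj = defaultdict(list)
    for _, cost, sites in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    adj[a].append((b, cost))
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, float("inf")):
            continue  # stale heap entry
        for nxt, cost in adj[site]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def covering_site(site_links, dcs_per_site, target):
    """Site whose DCs register SRV records for `target` (automatic site
    coverage). A site with its own DCs covers itself. Otherwise the DC site
    with the lowest path cost wins; assumed tie-breaks, in the documented
    order: more DCs first, then the alphabetically first site name."""
    if dcs_per_site.get(target, 0) > 0:
        return target
    dist = path_costs(site_links, target)
    candidates = [s for s, n in dcs_per_site.items() if n > 0 and s in dist]
    if not candidates:
        return None  # unreachable: no DC will cover this site
    return min(candidates, key=lambda s: (dist[s], -dcs_per_site[s], s))

if __name__ == "__main__":
    for site in DCS_PER_SITE:
        print(f"{site}: covered by DCs in {covering_site(SITE_LINKS, DCS_PER_SITE, site)}")
```

Lowering the branch-to-hub cost from 80 to 15 does not change the result, because the path to SiteA always costs the branch link plus the hub-to-hub link.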
  10. Kent

    Kent Guest

    Yes, there are currently 2 site links configured.

    First Site Link with the cost of 50 is configured to contain 2 HUB sites
    (SITEA & SITEB).
    Second Site Link with the cost of 80 is configured to contain 1 BO (SITEC) &
    1 nearest HUB site (SITEB).

    I've tried with nltest and the set command; the logon server for a client at
    SITEC is going to the DC at SITEA & SITEC randomly. By right, it should only go
    to the DC at SITEB, right, as there is already a Site Link configured?

    Thanks.
     
    Kent, Jul 8, 2008
    #10
  11. * post the IP of the client you used
    * post NLTEST /DSGETSITE
    * post NLTEST /DSGETDC:<DOMAIN>
    * post NLTEST /DSGETSITECOV
    * adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL
    * adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f
    "objectCategory=Site" siteObjectBL

    ADFIND can be downloaded from joeware.net

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Jul 8, 2008
    #11
  12. Kent

    Kent Guest

    post the IP of the client you used
    ----------------------------------
    192.168.1.22


    post NLTEST /DSGETSITE
    ----------------------
    C:\Documents and Settings\administrator>nltest /dsgetsite
    Client
    The command completed successfully


    post NLTEST /DSGETDC:<DOMAIN>
    -----------------------------
    C:\Documents and Settings\administrator>nltest /dsgetdc:contoso.com
    DC: \\hq-con-dc-03.contoso.com
    Address: \\192.100.0.2
    Dom Guid: 6de92f82-4b65-4711-9abc-2e86c0ade8ed
    Dom Name: contoso.com
    Forest Name: contoso.com
    Dc Site Name: AsiaPacific
    Our Site Name: Client
    Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
    The command completed successfully


    post NLTEST /DSGETSITECOV
    -------------------------
    C:\AdFind>nltest /dsgetsitecov
    DsGetDcSiteCoverage failed: Status = 50 0x32 ERROR_NOT_SUPPORTED


    adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL
    -------------------------------------------------------------------
    C:\AdFind>adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteobjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-01.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=Sites,CN=Configuration,DC=contoso,DC=com

    dn:CN=Europe,CN=Sites,CN=Configuration,DC=contoso,DC=com
    ,DC=com

    4 Objects returned


    adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=Site" siteObjectB
    --------------------------------------------------------------------------------------------------
    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=Site" siteobjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-01.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    0 Objects returned
     
    Kent, Jul 9, 2008
    #12
  13. Kent

    Kent Guest

    ---This one is logon to the wrong domain controller---

    post the IP of the client you used
    ----------------------------------
    192.168.1.22


    post NLTEST /DSGETSITE
    ----------------------
    C:\Documents and Settings\administrator>nltest /dsgetsite
    Client
    The command completed successfully


    post NLTEST /DSGETDC:<DOMAIN>
    -----------------------------
    C:\Documents and Settings\administrator>nltest /dsgetdc:contoso.com
    DC: \\hq-con-dc-01.contoso.com
    Address: \\10.0.0.2
    Dom Guid: 6de92f82-4b65-4711-9abc-2e86c0ade8ed
    Dom Name: contoso.com
    Forest Name: contoso.com
    Dc Site Name: Europe
    Our Site Name: Client
    Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
    The command completed successfully


    post NLTEST /DSGETSITECOV
    -------------------------
    C:\AdFind>nltest /dsgetsitecov
    DsGetDcSiteCoverage failed: Status = 50 0x32 ERROR_NOT_SUPPORTED


    adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL
    -------------------------------------------------------------------
    C:\AdFind>adfind -config -rb "CN=Sites" -f "objectCategory=Site" siteObjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-01.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=Sites,CN=Configuration,DC=contoso,DC=com

    dn:CN=Europe,CN=Sites,CN=Configuration,DC=contoso,DC=com
    ,DC=com

    4 Objects returned


    adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=Site" siteObjectB
    --------------------------------------------------------------------------------------------------
    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=Site" siteobjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-01.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    0 Objects returned
     
    Kent, Jul 9, 2008
    #13
  14. Jorge de Almeida Pinto [MVP - DS], Jul 9, 2008
    #14
  15. Jorge de Almeida Pinto [MVP - DS], Jul 9, 2008
    #15
  16. Kent

    Kent Guest

    HQ-CON-DC-01
    ------------------
    C:\Documents and Settings\Administrator>nltest /dsgetsitecov
    Europe
    The command completed successfully

    HQ-CON-DC-02
    ------------------
    C:\Documents and Settings\Administrator.CONTOSO>nltest /dsgetsitecov
    Europe
    The command completed successfully

    HQ-CON-DC-03
    ------------------
    C:\Documents and Settings\Administrator.CONTOSO>nltest /dsgetsitecov
    AsiaPacific
    Client
    The command completed successfully

    HQ-CON-DC-04
    ------------------
    C:\Documents and Settings\Administrator.CONTOSO>nltest /dsgetsitecov
    America
    The command completed successfully
     
    Kent, Jul 10, 2008
    #16
  17. Kent

    Kent Guest

    ---2 logon result---

    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter_Site Transports,CN=Sites" -f "objectCategory=siteLink" siteObjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-01.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter_Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    ldap_get_next_page_s: [hq-con-dc-01.contoso.com] Error 0x20 (32) - No Such Object

    Best Match of: 'CN=Sites,CN=Configuration,DC=contoso,DC=com'

    0 Objects returned

    ======================================================

    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter_Site Transports,CN=Sites" -f "objectCategory=siteLink" siteObjectBL

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-03.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter_Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    ldap_get_next_page_s: [hq-con-dc-03.contoso.com] Error 0x20 (32) - No Such Object

    Best Match of: 'CN=Sites,CN=Configuration,DC=contoso,DC=com'

    0 Objects returned
     
    Kent, Jul 10, 2008
    #17
  18. retry please with:
    adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f
    "objectCategory=siteLink" siteList

    for some reason the - was changed to a _



    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * How to ask a question --> http://support.microsoft.com/?id=555375
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
     
    Jorge de Almeida Pinto [MVP - DS], Jul 10, 2008
    #18
  19. Kent

    Kent Guest

    Here you go.

    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=siteLink" siteList

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-03.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    dn:CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    dn:CN=Client to AsiaPac,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    2 Objects returned



     
    Kent, Jul 11, 2008
    #19
  20. Kent

    Kent Guest

    I have a question. Based on the adfind result, it's using server hq-con-dc-03
    (this is the correct DC to use), but set L shows hq-con-dc-01 instead. Why is
    this so?

    C:\AdFind>adfind -config -rb "CN=IP,CN=Inter-Site Transports,CN=Sites" -f "objectCategory=siteLink" siteList

    AdFind V01.37.00cpp Joe Richards () June 2007

    Using server: hq-con-dc-03.contoso.com:389
    Directory: Windows Server 2003
    Base DN: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

    dn:CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    dn:CN=Client to AsiaPac,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    2 Objects returned

    C:\AdFind>set l
    LOGONSERVER=\\HQ-CON-DC-01




     
    Kent, Jul 11, 2008
    #20
