AD Sites and Terminal Server Logon


gurvinder.nijjar

We are going to do an office move soon whereby we are moving all our clients
to office A and most of our servers to office B. Office A and B have a WAN
link. At office A we will probably have 1 domain controller, while all
other servers including another domain controller will be at Office B.
Office A and B have different subnets, so we have created separate AD sites
for these offices and linked their relevant sites to the subnets. Also the
DCs have been placed in their relevant AD site. At office A we have PC
users and Terminal Server (TS) users. PC users will get their logon request
authenticated by the DC in office A as they are on the same subnet as the DC
in office A. TS users will connect to the Terminal Servers over the WAN
link to office B, but will they be authenticated by the DC in office A or
office B? As the TS they are logging into is in Office B we seem to think
they will be authenticated by the DC in office B, even though their NCD
clients have IPs from the subnet in office A. Can someone confirm this or
does anyone know more information about this?

I hope this is clear.
 
If you have properly set up AD Sites and Services ( and it sounds like you
have ) then the AD Clients will ( er, *should* ) authenticate against the DC
in Site B ( the local DC ) and not against a DC in Site A ( i.e., across the
WAN link ). This is how it is supposed to happen. However, it does not
always do this due to 'generic' records.

A good way to tell is to sit at one of the clients in Site B and simply do a
set l ( that is the lower case letter 'L' and not the number 1 ) from the
command prompt. This will tell you against which DC that client
authenticated.

If the Terminal Server users are logging into the domain first on a PC (
just like the other users ) and then using the RDP Client to connect to the
Terminal Server ( located in Site A ) then they will first authenticate in
Site B for the domain logon ( assuming that things are correctly set up ).
When they authenticate via the RDP client on the Terminal Server they
would - I would suppose - be authenticated against a DC in Site A.

I am supposing that NCD is a thin client? If I visit this site (
http://www.workthin.com/thinclient.htm ) it shows NCD as a thin client. Not
too up on thin client technology. I would suppose that the 'machine' is
getting an IP Address from the 'local' DHCP server ( the DC in Site B ).
When the client 'logs on' to the Terminal Server in Site A ( across the
WAN ) I would suppose that the authenticating DC is the DC in Site A. But I
am just showing the world my ignorance. I would suppose that this is how it
works....

HTH,

Cary
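
To check which DC handled a logon rather than suppose, the following is an added example (not part of the original thread) that extends the `set l` check above: it reads `LOGONSERVER` for the current session and compares that DC's AD site with the site of the machine it runs on. It assumes Windows PowerShell on a domain-joined machine, run inside the session being checked (for example, inside the RDP session on the Terminal Server); the variable names are illustrative.

```powershell
# Added example: report the authenticating DC for this session and whether
# it sits in the same AD site as the machine the session is running on.
Add-Type -AssemblyName System.DirectoryServices

# Site of the local machine, resolved from its IP subnet in AD Sites and Services.
$computerSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# LOGONSERVER is the same value "set l" prints; strip the leading backslashes.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''

$logonServerSite = $null
$note = ''

if ($logonServer -ieq $env:COMPUTERNAME) {
    # No DC was contacted: local account or cached-credential logon.
    $note = 'Logon was local or used cached credentials; no DC recorded.'
}
else {
    # Look up the DC by its host label and read the site it is placed in.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc = $domain.DomainControllers |
        Where-Object { ($_.Name -split '\.')[0] -ieq $logonServer } |
        Select-Object -First 1
    if ($dc) {
        $logonServerSite = $dc.SiteName
    }
    else {
        $note = 'LOGONSERVER is not a DC of the current domain.'
    }
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ComputerSite    = $computerSite
    LogonServer     = $logonServer
    LogonServerSite = $logonServerSite
    SameSite        = ($null -ne $logonServerSite -and $logonServerSite -ieq $computerSite)
    Note            = $note
}
```

A `SameSite` value of `False` means the session was authenticated by a DC outside the machine's own site, which is worth checking against the subnet-to-site mappings and the DC's SRV records in DNS.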
 