Force Kerberos authentication to specific DCs

dude

Is it possible to force Kerberos authentication to specific DCs regardless of the client's site?

I'm asking because we have a subnet range for VPN and many remote subnet ranges for office branches. There are no subnets defined in Sites and Services for these places. I've found that clients in the VPN range sometimes go across the WAN to a site that's slower than usual, causing some authentication timeout issues while trying to hit the intranet website at the corporate office. Although, today I defined a subnet for the VPN range and want to see how this works out.

Please shed some light on this, thanks!
 
Jorge_de_Almeida_Pinto

The problem you are experiencing is because no subnet definitions exist in AD. Because of that, clients/servers cannot determine the site they belong to and thus cannot choose the "closest DC". As the clients/servers cannot determine the site they belong to, they ask for any DC in the domain that can service them. And believe me, that can be ANY DC in the domain regardless of its location!

What you need to do:
* Determine the LAN-speed (or higher) connected locations that have DCs or other site-aware services (like DFS). Create a site for each such location, define all subnets of that location in AD and assign them to the site just created.

If I understand correctly, you might create sites for your hub locations and branch locations. Define all the subnets in AD and assign them to the corresponding site. For the VPN you might assign that/those subnets to a site of their own that has DC(s) just for the VPN, or you might assign those subnets to the nearest site with DCs.
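The steps in the reply above (create sites, define the subnets, assign them, then check which site and DC a VPN client resolves to), as an added PowerShell example that is not from the thread. It assumes the RSAT ActiveDirectory module is installed, and the site names, subnet ranges and the domain name contoso.com are constructed placeholders.

```powershell
# Added example (not from the thread): define AD sites, assign subnets to them
# with the ActiveDirectory module, audit subnets that have no site, and show
# how a client verifies which site/DC the DC locator picks for it.
# Site names, subnet ranges and the domain name are constructed placeholders.
Import-Module ActiveDirectory

$siteSubnets = @{
    'Corporate-HQ' = @('10.10.0.0/16')
    'Branch-East'  = @('10.20.0.0/16', '10.21.0.0/16')
    'VPN-Clients'  = @('10.200.0.0/16')   # VPN pool: home it on the site whose DCs should serve it
}

foreach ($site in $siteSubnets.Keys) {
    # Create the site only if it does not already exist, so the script can be re-run safely.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $siteSubnets[$site]) {
        $existing = Get-ADReplicationSubnet -Filter "Name -eq '$cidr'"
        if (-not $existing) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        } elseif ($existing.Site -notlike "CN=$site,*") {
            # Subnet object exists but points at the wrong site (or none): re-home it.
            # The Site property is returned as a distinguished name, hence the CN= prefix match.
            Set-ADReplicationSubnet -Identity $cidr -Site $site
        }
    }
}

# Audit: any subnet object with no site is exactly the gap described in the question,
# because clients from it cannot be mapped to a site by the DC locator.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name, Location

# Verification from a VPN client after its subnet has been assigned (run in cmd/PowerShell):
#   nltest /dsgetsite                     -> site the client is mapped to
#   nltest /dsgetdc:contoso.com /force    -> DC the locator selects, bypassing the cached entry
#   nltest /dsgetdc:contoso.com /kdc      -> KDC the client will use for Kerberos
```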