Logon authentication attempts to access numerous Domain Controller

Attempting to log onto a member server using Terminal Services we find that
the server attempts to contact numerous Domain Controllers (DCs) around the
country before finally allowing logon.

Is there a way of forcing the server to go to its nearest DC and how many
other DCs must the server talk to before confirming the logon?

There is one root domain with 3 sub domains. The server and user trying to
access it are both in one of the sub domains.

"kujar" <(E-Mail Removed)> wrote in message
news:6EC5D5F3-FB6A-42D1-B9AE-(E-Mail Removed)...
> Attempting to log onto a member server using Terminal Services we find
that
> the server attempts to contact numerous Domain Controllers (DCs) around
the
> country before finally allowing logon.
>
> Is there a way of forcing the server to go to its nearest DC and how many
> other DCs must the server talk to before confirming the logon?
>
> There is one root domain with 3 sub domains. The server and user trying to
> access it are both in one of the sub domains.

I'm not sure about the three subdomains,...you can do it with only one
domain and then you use AD Sites to divide up the DCs based on their
physical location,...I'm assuming a slow WAN link between locations as
opposed to a fast LAN link. The Client (or the TS Server) will use the DC
that is in the same Site as the Client.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

AD Sites are used, but only subnets and DCs are added to a "Site". So all
other servers, workstations etc. are just part of the sub domain and not
added to a "Site". Does this mean that the server (of which there are at
least 10 in the sub domain) will always choose random DCs against which to
authenticate?

All WAN links are fast links.
Regards
kujar

"Phillip Windell" wrote:

> "kujar" <(E-Mail Removed)> wrote in message
> news:6EC5D5F3-FB6A-42D1-B9AE-(E-Mail Removed)...
> > Attempting to log onto a member server using Terminal Services we find
> that
> > the server attempts to contact numerous Domain Controllers (DCs) around
> the
> > country before finally allowing logon.
> >
> > Is there a way of forcing the server to go to its nearest DC and how many
> > other DCs must the server talk to before confirming the logon?
> >
> > There is one root domain with 3 sub domains. The server and user trying to
> > access it are both in one of the sub domains.
>
> I'm not sure about the three subdomains,...you can do it with only one
> domain and then you use AD Sites to divide up the DCs based on their
> physical location,...I'm assuming a slow WAN link between locations as
> opposed to a fast LAN link. The Client (or the TS Server) will use the DC
> that is in the same Site as the Client.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>

"kujar" <(E-Mail Removed)> wrote in message
news:6CF569CA-4046-41C7-BD6B-(E-Mail Removed)...
> AD Sites are used, but only subnets and DCs are added to a "Site". So all
> other servers, workstations etc. are just part of the sub domain and not
> added to a "Site". Does this mean that the server (of which there are at
> least 10 in the sub domain) will always choose random DCs against which to
> authenticate?

I don't know how to deal with "sub domains",...I don't know how they "act",
so I cannot comment on that.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

Maybe I'm using the wrong terminology. We have a root domain "ourcorp.com"
and 3 second level domains (which I termed sub-domains) "a.ourcorp.com",
"b.ourcorp.com" and "c.ourcorp.com". The problem is occurring in domain
"a.ourcorp.com".

I suspect the fact that there are three of them is irreleveant it could just
as easily be 1 or 20. What I am wondering is what the server is looking for
is for when trying to access all those DCs. Is it the Global Catalog Master
or some thing else and if so why? Doesn't replication make every DC equal?

Regards
kujar

"Phillip Windell" wrote:

> "kujar" <(E-Mail Removed)> wrote in message
> news:6CF569CA-4046-41C7-BD6B-(E-Mail Removed)...
> > AD Sites are used, but only subnets and DCs are added to a "Site". So all
> > other servers, workstations etc. are just part of the sub domain and not
> > added to a "Site". Does this mean that the server (of which there are at
> > least 10 in the sub domain) will always choose random DCs against which to
> > authenticate?
>
> I don't know how to deal with "sub domains",...I don't know how they "act",
> so I cannot comment on that.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/t...dance/2004.asp
> http://www.microsoft.com/isaserver/t...dance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>
>
>

"kujar" <(E-Mail Removed)> wrote in message
newsB8C0AC8-E52B-443F-B3BD-(E-Mail Removed)...
> Maybe I'm using the wrong terminology. We have a root domain "ourcorp.com"
> and 3 second level domains (which I termed sub-domains) "a.ourcorp.com",
> "b.ourcorp.com" and "c.ourcorp.com". The problem is occurring in domain
> "a.ourcorp.com".

Yes, I understaood what you meant. I don't know what effect they would have
on the situation. It is better to let someone else who understands those
deal with that rather than me.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

have you tried posting in the AD newsgroup?

microsoft.public.windows.server.active_directory



kujar wrote:
> Maybe I'm using the wrong terminology. We have a root domain
> "ourcorp.com" and 3 second level domains (which I termed sub-domains)
> "a.ourcorp.com", "b.ourcorp.com" and "c.ourcorp.com". The problem is
> occurring in domain "a.ourcorp.com".
>
> I suspect the fact that there are three of them is irreleveant it
> could just as easily be 1 or 20. What I am wondering is what the
> server is looking for is for when trying to access all those DCs. Is
> it the Global Catalog Master or some thing else and if so why?
> Doesn't replication make every DC equal?
>
> Regards
> kujar
>
> "Phillip Windell" wrote:
>
>> "kujar" <(E-Mail Removed)> wrote in message
>> news:6CF569CA-4046-41C7-BD6B-(E-Mail Removed)...
>>> AD Sites are used, but only subnets and DCs are added to a "Site".
>>> So all other servers, workstations etc. are just part of the sub
>>> domain and not added to a "Site". Does this mean that the server
>>> (of which there are at least 10 in the sub domain) will always
>>> choose random DCs against which to authenticate?
>>
>> I don't know how to deal with "sub domains",...I don't know how they
>> "act", so I cannot comment on that.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>> -----------------------------------------------------
>> Understanding the ISA 2004 Access Rule Processing
>> http://www.isaserver.org/articles/IS...cessRules.html
>>
>> Microsoft Internet Security & Acceleration Server: Guidance
>> http://www.microsoft.com/isaserver/t...dance/2004.asp
>> http://www.microsoft.com/isaserver/t...dance/2000.asp
>>
>> Microsoft Internet Security & Acceleration Server: Partners
>> http://www.microsoft.com/isaserver/partners/default.asp
>> -----------------------------------------------------

Thanks guys for your help and I'll try posting to the AD group.

"Bill Grant" wrote:

> have you tried posting in the AD newsgroup?
>
> microsoft.public.windows.server.active_directory
>
>
>
> kujar wrote:
> > Maybe I'm using the wrong terminology. We have a root domain
> > "ourcorp.com" and 3 second level domains (which I termed sub-domains)
> > "a.ourcorp.com", "b.ourcorp.com" and "c.ourcorp.com". The problem is
> > occurring in domain "a.ourcorp.com".
> >
> > I suspect the fact that there are three of them is irreleveant it
> > could just as easily be 1 or 20. What I am wondering is what the
> > server is looking for is for when trying to access all those DCs. Is
> > it the Global Catalog Master or some thing else and if so why?
> > Doesn't replication make every DC equal?
> >
> > Regards
> > kujar
> >
> > "Phillip Windell" wrote:
> >
> >> "kujar" <(E-Mail Removed)> wrote in message
> >> news:6CF569CA-4046-41C7-BD6B-(E-Mail Removed)...
> >>> AD Sites are used, but only subnets and DCs are added to a "Site".
> >>> So all other servers, workstations etc. are just part of the sub
> >>> domain and not added to a "Site". Does this mean that the server
> >>> (of which there are at least 10 in the sub domain) will always
> >>> choose random DCs against which to authenticate?
> >>
> >> I don't know how to deal with "sub domains",...I don't know how they
> >> "act", so I cannot comment on that.
> >>
> >> --
> >> Phillip Windell [MCP, MVP, CCNA]
> >> www.wandtv.com
> >> -----------------------------------------------------
> >> Understanding the ISA 2004 Access Rule Processing
> >> http://www.isaserver.org/articles/IS...cessRules.html
> >>
> >> Microsoft Internet Security & Acceleration Server: Guidance
> >> http://www.microsoft.com/isaserver/t...dance/2004.asp
> >> http://www.microsoft.com/isaserver/t...dance/2000.asp
> >>
> >> Microsoft Internet Security & Acceleration Server: Partners
> >> http://www.microsoft.com/isaserver/partners/default.asp
> >> -----------------------------------------------------
>
>
>