Remote authentication priority

We have the following at my place of work:

The central building contains the main servers. Several remote buildings (mostly on microwave links) contain their own servers. They're all running 2003 something (a mixture of standard, enterprise, and advanced). User files are kept on the servers at the remote location where they work.

I'm in one of the remote buildings, and for some reason I am authenticated by the servers in the central building first, with our own servers as a backup, yet our files are stored on our own servers. When (as often happens) the microwave link is down, I randomly don't get access to my own files on my own servers. The IT people told me it's because I'm not authenticated in time or something. When I suggested it would make more sense to be authenticated on my servers first, they looked at me like I was stupid.

Who's the idiot here, me or them?

If it's them, what do I tell them to make them see sense? If it's me, why has MS programmed their server OS in such a stupid way?

--
http://www.petersparrots.com http://www.insanevideoclips.com http://www.petersphotos.com

At one time in my life, I thought I had a handle on the meaning of the word "service". "The act of doing things for other people."
Then I heard the terms such as "Internal Revenue Service," "Postal Service," "Civil Service," "Service Stations."
And I became confused about the word "service." This is not what I thought "service" meant.
One day, I overheard two farmers talking and one of them mentioned that he was having a bull "service" a few of his cows.
It all came into perspective.

The local site is preferred and used over a more expensive site. However,
for this to work properly, sites, subnets and site links need to be
correctly defined and configured. The idea of the data centre being first
to answer is out of date. That's how NT 4 worked with the NetBIOS mailslot
messages. AD doesn't do this. AD is site aware.

Ideally, all physical subnets will be correctly defined in AD and associated
with a site. Those site objects will be in different site links, where the
site link contains the remote site and the main site. Or at least, this is
the best way if you have a hub-and-spoke network topology. This can vary,
but in most cases is the best fit. If you have a different design, your AD
guys should know what they're doing. From what you've said this isn't the
case, so lets assume this is the best design for you.

With such a design in place, and the server objects for the DCs in the
correct site, and all DCs registering in DNS, your local box will always be
used for logon and DFS. If you want more advice, you need to take a peek at
the sites and services snap in. You can look at this even if you're not an
administrator. It's DSSITE.MSC in the ADMINPAK.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

On Wed, 17 Jan 2007 20:18:33 -0000, Paul Williams [MVP] <(E-Mail Removed)> wrote:

> The local site is preferred and used over a more expensive site. However,
> for this to work properly, sites, subnets and site links need to be
> correctly defined and configured. The idea of the data centre being first
> to answer is out of date. That's how NT 4 worked with the NetBIOS mailslot
> messages. AD doesn't do this. AD is site aware.
>
> Ideally, all physical subnets will be correctly defined in AD and associated
> with a site. Those site objects will be in different site links, where the
> site link contains the remote site and the main site. Or at least, this is
> the best way if you have a hub-and-spoke network topology. This can vary,
> but in most cases is the best fit. If you have a different design, your AD
> guys should know what they're doing. From what you've said this isn't the
> case, so lets assume this is the best design for you.
>
> With such a design in place, and the server objects for the DCs in the
> correct site, and all DCs registering in DNS, your local box will always be
> used for logon and DFS. If you want more advice, you need to take a peek at
> the sites and services snap in. You can look at this even if you're not an
> administrator. It's DSSITE.MSC in the ADMINPAK.

Thanks, I'll have a word with them......

--
http://www.petersparrots.com http://www.insanevideoclips.com http://www.petersphotos.com

Three women are having lunch, discussing their husbands.
The first says, "My husband is cheating on me, I just know it. I found a pair of stockings in his jacket pocket, and they weren't mine!"
The second says, "My husband is cheating on me, I just know it. I found a condom in his wallet, so I poked it full of holes with my sewing needle!"
The third woman fainted.