Multiple Domain controllers

homerj742 Member Posts: 251
Question: a company has 2 domain controllers; one goes down. Do they automatically authenticate with the other one?

Is there a way to specify which domain controller PCs should use to authenticate with?

Comments

  • RTmarc Member Posts: 1,082
    Yes, the other DC will take up the slack and authenticate users. By giving a DC the PDC Emulator role it will be the predominant authenticator.
  • royal Member Posts: 3,352
    Yes, other Domain Controllers will still authenticate. Let me explain why.

    When a client boots up, it will query DNS for SRV records. DNS will respond back with a list of Domain Controllers. The client will then send datagrams to all the Domain Controllers to see which is operational. It will contact one of the Domain Controllers and that Domain Controller will check the client's subnet to see if that client could contact another DC in a closer site. If so, it will contact the DC in its own site or a closer site. Netlogon caches this information so it can contact that Domain Controller immediately next time it logs in. If that Domain Controller cannot be contacted the next time it tries to authenticate, the process is restarted.

    Also, there is a way to force a client to only be allowed to log on to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • sprkymrk Member Posts: 4,884
    icroyal wrote:
    Also, there is a way to force a client to only be allowed to log on to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).

    The computers you list in that part of ADUC are the only computers (workstations) that a user is allowed to log on to. Default is all workstations. To my knowledge this has nothing to do with what DCs a user authenticates to. Let me know if I am wrong (as it wouldn't be the first time).
    All things are possible, only believe.
  • RTmarc Member Posts: 1,082
    sprkymrk wrote:
    icroyal wrote:
    Also, there is a way to force a client to only be allowed to log on to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).

    The computers you list in that part of ADUC are the only computers (workstations) that a user is allowed to log on to. Default is all workstations. To my knowledge this has nothing to do with what DCs a user authenticates to. Let me know if I am wrong (as it wouldn't be the first time).

    You are correct. The only time you implement those settings is if you want to lock it down so a user is restricted to only his or her workstation. I use a similar setting where I work for the training user in the training lab. They are only allowed to log into specific machines.
  • royal Member Posts: 3,352
    Oops. Thanks for the clarification regarding the Log On To button.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • bighornsheep Member Posts: 1,506
    icroyal wrote:
    Oops. Thanks for the clarification regarding the Log On To button.

    I believe the only way to control which domain controller will authenticate a workstation or workstation(s) is with Sites and Subnet MMC.
    Jack of all trades, master of none
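
The DC discovery sequence described in royal's reply (SRV lookup, reachability check, site mapping, Netlogon cache) can be observed from a domain-joined Windows client. This is an added example, not part of the original thread; the domain name `corp.example.com` is a placeholder assumption.

```powershell
# Added example: observe DC locator behaviour from a domain-joined client.
# $Domain is a placeholder (assumption); replace with your AD DNS domain name.
$Domain = 'corp.example.com'

# 1. The SRV records a client queries in DNS to find domain controllers.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }

# 2. Check which of the listed DCs answer on LDAP.
#    The locator itself sends an LDAP ping over UDP; TCP 389 is used here
#    as a simple stand-in for "is this DC operational".
$srv | ForEach-Object {
    [pscustomobject]@{
        DC        = $_.NameTarget
        Priority  = $_.Priority
        Weight    = $_.Weight
        Reachable = Test-NetConnection -ComputerName $_.NameTarget -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
} | Format-Table -AutoSize

# 3. The AD site this client maps to, based on its subnet.
nltest /dsgetsite

# 4. The DC that Netlogon currently has cached for the domain.
nltest "/dsgetdc:$Domain"

# 5. Discard the cached entry and rerun discovery, which is what happens
#    when the cached DC cannot be contacted.
nltest "/dsgetdc:$Domain" /force

# 6. The DC that authenticated the current interactive logon.
$env:LOGONSERVER
```

Knowing which DC handled a logon matters when reviewing authentication events, because they are recorded on the DC that processed the request.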