Multiple Domain controllers

Question, a company has 2 domain controllers, one goes down, do they automatically authenticate with the other one?

Is there a way to specify which domain controller PC's should use to authenticate with?

Find more posts tagged with

Comments

RTmarc

Yes, the other DC will take up the slack and authenticate users. By giving a DC the PDC Emulator role it will be the predominant authenticator.

royal

Yes, other Domain Controllers will still authenticate. Let me explain why.

When a client boots up, it will query dns for SRV records. DNS will respond back with a list of Domain Controllers. The client will then send datagrams to all the Domain Controllers to see which is operational. It will contact one of the Domain Controllers and that Domain Controller will check the client's subnet to see if that client could contact another DC in a closer site. If so, it will contact the DC in its own site or a closer site. Netlogon caches this information so it can contact that Domain Controller immediately next time it logs in. If that Domain Controller cannot be contacted the next time it tries to authenticate, the process is restarted.

Also, there is a way to force a client to only be allowed to logon to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).

sprkymrk

icroyal wrote:

Also, there is a way to force a client to only be allowed to logon to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).

The computers you list in that part of ADUC are the only computers (workstations) that a user is allowed to log on to. Default is all workstations. To my knowledge this has nothing to do with what DC's a user authenticates to. Let me know if I am wrong (as it wouldn't be the first time).

RTmarc

sprkymrk wrote:

icroyal wrote:

Also, there is a way to force a client to only be allowed to logon to a specific domain controller. If you go into Active Directory Users & Computers, go into the properties of a specific user, go into the Account Tab, click on the Log on To tab, choose The Following Computers, and add the Domain Controller(s).

The computers you list in that part of ADUC are the only computers (workstations) that a user is allowed to log on to. Default is all workstations. To my knowledge this has nothing to do with what DC's a user authenticates to. Let me know if I am wrong (as it wouldn't be the first time).

You are correct. The only time you implement those settings is if you want to lock it down so a user is restricted to only his or her workstation. I use a similar setting where I work for the training user in the training lab. They are only allowed to log into specific machines.

royal

Oops. Thanks for the clarification regarding the Log On To button.

bighornsheep

icroyal wrote:

Oops. Thanks for the clarification regarding the Log On To button.

I believe the only way to control which domain controller will authenticate a workstation or workstation(s) is with Sites and Subnet MMC.