Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-05-19) Locating Domain Controllers To Access The Default Domain DFS (SYSVOL/NETLOGON)

Posted by Jorge on 2010-05-19


In the case of locating a DC to access the SYSVOL/NETLOGON, the authN DC creates two referral lists. The first list contains the DCs (in random order) from the same AD site of the AD client. The second list contains all the other DCs outside the AD site of the AD client.

The order of the second list is random when "Site Costed Referrals" is NOT enabled.

The order of the second list is NOT random, but is instead ordered by the (cumulative) site link costs, using the AD client's AD site as the reference, when "Site Costed Referrals" is enabled.

"Site Costed Referrals" is NOT enabled by default on W2K3 SP1/R2 DCs; a registry setting is required.

"Site Costed Referrals" is enabled by default on W2K8/W2K8R2 DCs.

However, for "Site Costed Referrals" to work for the default domain DFS (SYSVOL/NETLOGON) or custom DFS namespaces [1], the following MUST be TRUE:

  • A correct definition and implementation of the AD sites/subnets/site link costs
  • "Bridge All Site Links" (BASL) MUST be enabled so that Intersite Messaging can be used to calculate the cost matrix for the site-costing functionality [2]
  • Each AD site must have an ISTG defined to be able to generate the cost-matrix the site-costing functionality [3]

[1] The configuration for "Site Costed Referrals" for the default domain DFS and the custom DFS namespaces is done in a different way!

For default Domain DFS, on every DC:

  • Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters
  • Registry value name: SiteCostedReferrals
  • Registry value type: REG_DWORD
  • Registry value data: 1

For custom DFS namespaces:

  • Namespace properties –> Referrals tab –> Folder properties –> Referrals tab

The three ordering methods are:

  • Random order
    • Targets in the same Active Directory site as the client are listed in random order at the top of the referral.
    • Next, targets outside of the client’s site are listed in random order.
    • If no same-site target servers are available, the client computer is referred to a random target server no matter how expensive the connection is or how distant the target is.
  • Lowest cost
    • Targets in the same site as the client are listed in random order at the top of the referral.
    • Next, targets outside of the client’s site are listed in order of lowest cost to highest cost. Referrals with the same cost are grouped together and within each group the targets are listed in random order.
  • Exclude targets outside of the client’s site
    • In this method, the referral contains only the targets that are in the same site as the client. These same-site targets are listed in random order. If no same-site targets exist, the client does not receive a referral and cannot access that portion of the namespace.

[2] However, if you do not want the ISTG/KCC to create replication connection objects to DCs in, for example, other branch offices because the network is not fully routed, you must turn off the "Bridge All Site Links" option on the IP container. BUT this will impact the use of Intersite Messaging to calculate the cost matrix for the site-costing functionality. There is a way to solve this though! When the FFL is at least W2K3 (interim) and the ISTG in an AD site is at least W2K3SP1, it is possible to disable Intersite Messaging for the ISTG (disabling automatic site link bridging) while still enabling Intersite Messaging to calculate the cost matrix. This is done by:

  • Enabling the "Bridge All Site Link" option
  • For each AD site where you need to accommodate site-costing, execute the command "REPADMIN /SITEOPTIONS /SITE:<SITENAME> +W2K3_BRIDGES_REQUIRED". This option can be executed on ANY DC for ANY AD site, but it only takes effect as soon as the ISTG in the corresponding AD site takes notice of its new configuration

This applies to BOTH default domain DFS and the custom DFS namespaces!

[3] AD sites with an RWDC automatically have an ISTG and also have an automatic failover process. By default the very first RWDC in an AD site always becomes the ISTG. The selection of a new ISTG depends on the FFL. AD sites with only an RODC do not have an ISTG because RODCs do not register as one. Register an RODC as ISTG manually so that it is able to calculate the cost matrix for the site-costing functionality. The downside is that there is no automatic failover when the RODC becomes unavailable or is replaced by another RODC.
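As an added, read-only audit script (not part of the original post), the following PowerShell reports the three prerequisites above for the domain you are joined to: the SiteCostedReferrals registry value on the local DC, whether "Bridge All Site Links" is enabled on the IP transport, and per site whether W2K3_BRIDGES_REQUIRED is set and an ISTG is registered. It assumes it runs on a DC (or a domain-joined host with read access to the Configuration NC) and that the transport options bit 0x2 and the site settings bit 0x1000 carry their documented meanings (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED and NTDSSETTINGS_OPT_W2K3_BRIDGES_REQUIRED).

```powershell
# Added audit script, not from the original post. Read-only; nothing is changed.
# Assumes: domain-joined Windows host with rights to read the Configuration NC
# and (for step 1) the local Dfs service registry key, i.e. typically a DC.

$rootDse = [ADSI]"LDAP://RootDSE"
$cfgNC   = [string]$rootDse.Properties['configurationNamingContext'].Value

# 1. Default domain DFS (SYSVOL/NETLOGON): registry value on this DC.
$dfsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters'
$scr = (Get-ItemProperty -Path $dfsKey -Name SiteCostedReferrals `
        -ErrorAction SilentlyContinue).SiteCostedReferrals
"SiteCostedReferrals on $env:COMPUTERNAME : " +
    $(if ($scr -eq 1) { 'enabled (1)' } else { 'NOT set (W2K3 SP1/R2 default)' })

# 2. "Bridge All Site Links" on the IP inter-site transport.
#    Bit 0x2 of the transport's 'options' (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
#    is SET when BASL is DISABLED, so the cost matrix cannot be calculated.
$ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$cfgNC"
$tOpts = [int]$ipTransport.Properties['options'].Value      # $null -> 0
$basl  = -not ($tOpts -band 0x2)
"Bridge All Site Links (IP): " +
    $(if ($basl) { 'enabled' } else { 'DISABLED - cost matrix will not be built' })

# 3. Per site: W2K3_BRIDGES_REQUIRED (bit 0x1000 of NTDS Site Settings 'options',
#    the flag set by "repadmin /siteoptions /site:<name> +W2K3_BRIDGES_REQUIRED")
#    and whether an ISTG is registered (absent in RODC-only sites, see [3]).
$searcher = [ADSISearcher]"(objectClass=nTDSSiteSettings)"
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$cfgNC"
$searcher.PropertiesToLoad.AddRange(
    [string[]]@('distinguishedName', 'options', 'interSiteTopologyGenerator'))

foreach ($r in $searcher.FindAll()) {
    $dn   = [string]$r.Properties['distinguishedname'][0]
    # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so the site is RDN #2
    $site = (($dn -split ',')[1]) -replace '^CN='
    $opts = if ($r.Properties['options'].Count) { [int]$r.Properties['options'][0] } else { 0 }
    $istg = if ($r.Properties['intersitetopologygenerator'].Count) {
                [string]$r.Properties['intersitetopologygenerator'][0]
            } else { '<none: no ISTG, cost matrix not generated for this site>' }
    [pscustomobject]@{
        Site                  = $site
        W2K3_BRIDGES_REQUIRED = [bool]($opts -band 0x1000)
        ISTG                  = $istg
    }
}
```

A site that shows W2K3_BRIDGES_REQUIRED = False while BASL is disabled is exactly the case footnote [2] describes: the ISTG there will not get a cost matrix, and referrals for clients in that site fall back to random ordering.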

More info about DC Locator:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
