Forum.Brain-Cluster.com: Brain Cluster Technical Forum

AD Site Question [message #376855] Mon, 25 January 2010 15:16
Chris (Senior Member, United States; Messages: 343; Registered: July 2009)
I have a question regarding AD sites.

We currently run only a single site (the default site) with no subnets
assigned.

We are now going to set up a DR site and I need to assign a subnet to
that site (no problem, only 1 subnet).

My question is that I'm not sure how many subnets are on our existing
infrastructure. I planned on assigning our class B subnet to the
default site, which covers most if not all of our servers and workstations.

Question: If someone tries to authenticate to AD and is not in either
subnet, will the user:
1) default to the default site for authentication
2) not be able to authenticate at all
3) authenticate but to no particular DC
4) or something else entirely


Thanks
Re: AD Site Question [message #376968 is a reply to message #376855] Mon, 25 January 2010 17:27
aceman (Senior Member, United States; Messages: 5816; Registered: July 2009)
"Chris" <cisaksen@mail.nysed.gov> wrote in message
news:OTv9FwgnKHA.6084@TK2MSFTNGP02.phx.gbl...
> [Chris's question, quoted in full above]


The DsGetDcName and GetDcSiteList functions (if I remember the function names
correctly) query DNS for DC and site info. If there is no matching site
for the client's IP address, DNS will pick the 'closest' site based on
subnet prioritization, and if there is no 'closest' subnet, it will round
robin between available sites.

It is best to create IP subnet objects for all subnets in the
infrastructure, and assign each subnet object to the appropriate site. If
you don't have a DC at a specific site, you can still assign that subnet
object to the default site so the DCs in that site will be used first.

If you don't know what subnets are in your infrastructure (I'm a little
surprised to hear this), I would highly suggest inventorying your whole
infrastructure with a sniffer, such as Wireshark, or some other software. I
ran the following search in Google for you to give you some ideas:
http://www.google.com/search?hl=en&rls=com.microsoft%3Aen-us%3AIE-SearchBox&q=inventory+all+subnets&aq=f&aql=&aqi=&oq=


Here is more specific information about the logon process:

How DNS Support for Active Directory Works: Active Directory enables a client
to locate a domain controller (DC) of the domain named ..... The process
that the Locator follows can be summarized as follows: ...
Scroll down to "Domain Controller Locator Process."
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

How Domain Controllers Are Located in Windows XP: ... _tcp.dc._msdcs.domainname ...
After the client locates a domain controller, the client establishes ... To
troubleshoot the domain locator process: ...
http://support.microsoft.com/kb/314861

Jorge's Quest For Knowledge!: DC Locator Process in W2K, W2K3(R2) ... This
is the 2nd part of "DC Locator Process in W2K, W2K3(R2) and W2K8". Looking
at this all, the DC locator process as explained above still applies to ...
http://blogs.dirteam.com/blogs/jorge/archive/2007/06/30/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-2.aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
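The site lookup Ace describes, reduced to its core rule, as an added Python example that is not part of this thread or of any Microsoft tool: the client's address is matched against the subnet objects under CN=Subnets,CN=Sites by longest prefix, so a DR /24 carved out of the class B range wins over the broad /16 on the default site, and an address that matches nothing gets no site at all. That last case is Chris's "not in either subnet" client: it falls back to the domain-wide _ldap._tcp.dc._msdcs SRV records and is the client Netlogon records as NO_CLIENT_SITE. The subnet and site names below are constructed, not taken from the original post.

```python
import ipaddress

# Constructed sample of the subnet objects under CN=Subnets,CN=Sites, in the
# shape the VBScript later in this thread would list them. Site and subnet
# names are hypothetical, not from the original post.
SUBNET_OBJECTS = {
    "172.16.0.0/16":   "Default-First-Site-Name",  # the class B range on the default site
    "172.16.200.0/24": "DR-Site",                  # the DR site's subnet, carved out of the /16
    "192.168.1.0/24":  "Default-First-Site-Name",
}


def build_subnet_table(subnet_objects):
    """Parse the CIDR strings and order them most-specific first, so the first
    hit in a linear scan is the longest-prefix match. strict=True rejects an
    entry with host bits set, which AD Sites and Services would refuse too."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in subnet_objects.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for(client_ip, table):
    """Return the site name covering client_ip, or None when no subnet object
    covers it (the NO_CLIENT_SITE case)."""
    addr = ipaddress.ip_address(client_ip)
    for net, site in table:
        if addr.version == net.version and addr in net:
            return site
    return None


def classify_clients(client_ips, table):
    """Split client addresses into {ip: site} and the leftovers that would fall
    back to the domain-wide _ldap._tcp.dc._msdcs SRV records."""
    covered, uncovered = {}, []
    for ip in client_ips:
        site = site_for(ip, table)
        if site is None:
            uncovered.append(ip)
        else:
            covered[ip] = site
    return covered, uncovered


TABLE = build_subnet_table(SUBNET_OBJECTS)

if __name__ == "__main__":
    # Constructed client addresses: one in the DR /24, two on the default
    # site, and one on a range nobody defined a subnet object for.
    sample = ["172.16.200.7", "172.16.5.9", "192.168.1.20", "10.9.8.7"]
    covered, uncovered = classify_clients(sample, TABLE)
    for ip, site in covered.items():
        print(f"{ip:15} -> {site}")
    for ip in uncovered:
        print(f"{ip:15} -> (no site; Netlogon would log NO_CLIENT_SITE)")
```

Feed the real subnet list in by replacing SUBNET_OBJECTS with what the subnet-listing script in this thread prints, then run the addresses from the network team's inventory through classify_clients; everything in the uncovered list needs a subnet object before it can be steered to a DC.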
Re: AD Site Question [message #377020 is a reply to message #376968] Mon, 25 January 2010 18:38
southpaw (Member, United States; Messages: 61; Registered: July 2009)
Ace , you never cease to amaze me. You are very thorough, I like...

Saving this post for future reference..

Great job!!..

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:uevZL5hnKHA.5464@TK2MSFTNGP02.phx.gbl...
> [Ace's reply, quoted in full above]
Re: AD Site Question [message #377135 is a reply to message #377020] Mon, 25 January 2010 22:28
aceman (Senior Member, United States; Messages: 5816; Registered: July 2009)
"southpaw" <nospam@somewhere.com> wrote in message
news:%236lKIhinKHA.6084@TK2MSFTNGP02.phx.gbl...
> Ace , you never cease to amaze me. You are very thorough, I like...
>
> Saving this post for future reference..
>
> Great job!!..

Thanks, southpaw!

Ace
Re: AD Site Question [message #377357 is a reply to message #376968] Tue, 26 January 2010 06:29
pbbergs (Senior Member, United States; Messages: 1024; Registered: July 2009)
One thing to add. If you want to see which sites aren't defined in Sites
and Services, open up the following and it will list every client that has
to go back to the default site.

Check the Netlogon log on each DC and see if the clients at the remote site are
reporting as not defined in a site:
start notepad.exe C:\WINDOWS\Debug\Netlogon.log


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails; any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:uevZL5hnKHA.5464@TK2MSFTNGP02.phx.gbl...
> [Ace's reply, quoted in full above]
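The check Paul suggests, done for the whole log instead of by eye, as an added Python example that is not part of this thread: pull every NO_CLIENT_SITE entry out of Netlogon.log and bucket the client addresses into candidate /24s, which gives the network team a concrete list of ranges that still need subnet objects. The log lines below are constructed to match the shape Netlogon writes (older DCs write `DOMAIN: NO_CLIENT_SITE: <client> <IP>`, newer ones insert a bracketed category such as [MISC]); the domain and host names are hypothetical. Run it against C:\WINDOWS\Debug\Netlogon.log on every DC, since each DC only logs the clients that happened to find it, and treat the /24 grouping as a guess to confirm against the real routing configuration, not as the actual mask.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Netlogon.log lines (hypothetical domain CORP and hosts).
# Lines that are not NO_CLIENT_SITE entries are present to show they are skipped.
SAMPLE_LOG = """\
01/26 08:16:05 CORP: NO_CLIENT_SITE: WS0123 192.168.5.17
01/26 08:16:40 [MISC] CORP: NO_CLIENT_SITE: WS0124 192.168.5.18
01/26 08:17:02 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from WS0123 Entered
01/26 08:18:11 CORP: NO_CLIENT_SITE: LT0042 10.200.3.9
01/26 08:19:55 [MISC] CORP: NO_CLIENT_SITE: WS0123 192.168.5.17
"""

# Host name and address trail the NO_CLIENT_SITE marker; the address may be IPv4 or IPv6.
NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(?P<host>\S+)\s+(?P<ip>[0-9A-Fa-f.:]+)\s*$")


def find_no_site_clients(lines):
    """Return (host, ip) for every NO_CLIENT_SITE entry; other lines are ignored.
    Repeats are kept so the caller can see how often a client hits the DC."""
    found = []
    for line in lines:
        match = NO_SITE_RE.search(line)
        if match:
            found.append((match.group("host"), match.group("ip")))
    return found


def summarize_by_prefix(entries, prefixlen=24):
    """Group the client addresses into candidate subnets: /prefixlen for IPv4,
    /64 for IPv6. Returns {network: sorted unique host names}."""
    groups = defaultdict(set)
    for host, ip in entries:
        addr = ipaddress.ip_address(ip)
        length = prefixlen if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{length}", strict=False)
        groups[str(net)].add(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


if __name__ == "__main__":
    entries = find_no_site_clients(SAMPLE_LOG.splitlines())
    print(f"{len(entries)} NO_CLIENT_SITE entries")
    for net, hosts in sorted(summarize_by_prefix(entries).items()):
        print(f"{net:20} {len(hosts)} client(s): {', '.join(hosts)}")
```

To run it on a DC, replace SAMPLE_LOG.splitlines() with the lines of the real file (open it with errors="replace", since the log is not guaranteed to be clean UTF-8) and merge the per-DC results before handing the list over.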
Re: AD Site Question [message #377435 is a reply to message #377357] Tue, 26 January 2010 08:16
aceman (Senior Member, United States; Messages: 5816; Registered: July 2009)
"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message
news:%2384jcuonKHA.5696@TK2MSFTNGP04.phx.gbl...
> One thing to add. If you want to see which sites aren't defined in Sites
> and Services, open up the following and it will list every client that has
> to go back to the default site.
>
> Check the Netlogon log on each DC and see if the clients at the remote site are
> reporting as not defined in a site:
> start notepad.exe C:\WINDOWS\Debug\Netlogon.log


Good point! See, I thought I forgot something. :-)

Ace
Re: AD Site Question [message #377459 is a reply to message #377435] Tue, 26 January 2010 08:35
Chris (Senior Member, United States; Messages: 343; Registered: July 2009)
Ace Fekay [MVP-DS, MCT] wrote:
> [Ace's reply to Paul's Netlogon.log tip, quoted in full above]
Thanks everyone, this helps a lot. As for not knowing all the subnets in our network, that information is in our networking guys' hands. I need to get that info from them. I just don't know them because it's not the area I work in every day.


Thanks again
Re: AD Site Question [message #377498 is a reply to message #377459] Tue, 26 January 2010 09:14
aceman (Senior Member, United States; Messages: 5816; Registered: July 2009)
"Chris" <cisaksen@mail.nysed.gov> wrote in message
news:O629l0pnKHA.4628@TK2MSFTNGP06.phx.gbl...
> [Chris's reply, quoted in full above]

Chris,

Here are a couple of things you can run to determine your sites list and all
DCs. As for listing all subnets, you need one of the other tools I mentioned
in the Google search.

Scripts were obtained from:
http://www.activxperts.com/activmonitor/windowsmanagement/scripts/activedirectory/sites/

Lists Active Directory sites.
==========
' Read the Configuration naming context from RootDSE so the script works in any forest
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

' Site objects live directly under CN=Sites in the Configuration partition
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
' Enumerate only site objects; the container also holds Subnets and Inter-Site Transports
objSitesContainer.Filter = Array("site")

For Each objSite In objSitesContainer
    ' objSite.Name is the RDN, e.g. CN=Default-First-Site-Name
    WScript.Echo "Name: " & objSite.Name
Next
==========


List All Domain Controllers
Returns a list of all the domain controllers in the domain. The original
script targeted cn=Configuration,DC=fabrikam,DC=com; this version reads the
Configuration naming context from RootDSE so it runs unchanged in any domain.
Each nTDSDSA object is the "NTDS Settings" object under
CN=<DC>,CN=Servers,CN=<site>,CN=Sites, so one hit equals one DC.
==========
Const ADS_SCOPE_SUBTREE = 2

' Read the Configuration naming context instead of hard-coding the domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Every DC has exactly one nTDSDSA object in the Configuration partition
objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://" & strConfigurationNC & "' " & _
    "where objectClass='nTDSDSA'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute

' Do Until EOF also handles an empty result, which MoveFirst would not
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    ' DN is CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... so the
    ' second RDN is the DC name and the fourth is its site
    arrParts = Split(strDN, ",")
    strServer = Split(arrParts(1), "=")(1)
    strSite = Split(arrParts(3), "=")(1)
    WScript.Echo "Domain Controller: " & strServer & "  Site: " & strSite
    WScript.Echo "  " & strDN
    objRecordSet.MoveNext
Loop
==========



List the Subnets in all Active Directory Sites
=================
' Read the Configuration naming context from RootDSE so the script works in any forest
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

' Subnet objects live under CN=Subnets,CN=Sites in the Configuration partition
strSubnetsContainer = "LDAP://cn=Subnets,cn=Sites," & strConfigurationNC
Set objSubnetsContainer = GetObject(strSubnetsContainer)
objSubnetsContainer.Filter = Array("subnet")

' Dictionary keyed by site name; the value is a comma-separated list of its subnets
Set objHash = CreateObject("Scripting.Dictionary")

For Each objSubnet In objSubnetsContainer
    ' siteObject holds the DN of the site the subnet is assigned to. It is
    ' unset for a subnet that was created but never assigned, and Get() then
    ' fails, so trap that and report such subnets under "(unassigned)".
    On Error Resume Next
    objSubnet.GetInfoEx Array("siteObject"), 0
    strSiteObjectDN = objSubnet.Get("siteObject")
    If Err.Number <> 0 Then
        strSiteObjectName = "(unassigned)"
        Err.Clear
    Else
        ' First RDN of the site DN, e.g. CN=DR-Site -> DR-Site
        strSiteObjectName = Split(Split(strSiteObjectDN, ",")(0), "=")(1)
    End If
    On Error GoTo 0

    ' objSubnet.Name is the RDN, e.g. CN=10.0.0.0/8; keep just the prefix
    strSubnetName = Split(objSubnet.Name, "=")(1)
    If objHash.Exists(strSiteObjectName) Then
        objHash(strSiteObjectName) = objHash(strSiteObjectName) & "," & strSubnetName
    Else
        objHash.Add strSiteObjectName, strSubnetName
    End If
Next

' One line per site: SiteName,subnet1,subnet2,...
For Each strKey In objHash.Keys
    WScript.Echo strKey & "," & objHash(strKey)
Next
===========


Ace