Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Long Distance AD Authentication [message #389269] Thu, 11 February 2010 07:36
tkutil (Member; registered July 2009; 54 messages)
We have remote sites that have just a few users & computers that are connected back to our corporate site with a T1 (not sure on the actual size). Is there any limitation or problems authenticating both user & computer accounts? I had a computer come back to our site that I ended up removing/re-adding the computer to the domain because even though the computer object still existed in AD it wasn't really working as though it was still a part of AD. I thought I read somewhere that after a certain period of time stale computer objects are disconnected from AD. Is this true? How do I handle remote location authentication without having a site server at the location?
Re: Long Distance AD Authentication [message #389431, reply to #389269] Thu, 11 February 2010 10:47
Jorge Silva (Senior Member; registered July 2009; 398 messages)
Hi
- Few users, how many, 1000 users?
- Limitation for authentication? I think that your question is more related to authentication over your WAN, right? To know that you may want to know how many users/apps/computers are on the other side and how often they need to connect to a DC to do authentication.
- The known limitation is related to UGMC (Universal Group Membership Caching), which is a different thing.
- Most of your users (depending on their computer OS) will be able to use cached credentials when no DC is available for authentication. If the DC(s) are available for authentication but your WAN link is overloaded with other network requests, that is something that you'll need to monitor before deciding if you need to have a DC in that remote site or not.
- Also don't forget to set up the proper sites and assign the proper subnets.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
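The points in the reply above (which DC and site a branch client resolves to, whether the WAN link still carries the authentication ports, whether the machine account's secure channel is intact, and how many logons are cached for use when no DC is reachable) can be checked from the branch workstation itself. This is an added example written for this thread, not code from either poster; it assumes an elevated PowerShell session on a domain-joined Windows 7 or later client, and the port list and 3 second timeout are assumptions you can adjust.

```powershell
# Added example, not from the thread: health checks for a branch-office
# workstation that authenticates to corporate DCs over the WAN. Run in an
# elevated PowerShell session on the remote computer (Windows 7 / PS 2.0+).
# The port list and timeout below are assumptions; adjust for your network.

# 1. Which DC served this logon, and which AD site did the client resolve to?
#    An unexpected site means the branch subnet is not assigned in Active
#    Directory Sites and Services, so clients may pick any DC in the domain.
$logonServer = $env:LOGONSERVER.TrimStart('\')
$site = (nltest /dsgetsite 2>$null | Select-Object -First 1)
Write-Host "Logon server   : $logonServer"
Write-Host "AD site        : $site"

# 2. Can the client still reach that DC on the ports authentication needs?
#    88 = Kerberos, 389 = LDAP, 445 = SMB (SYSVOL / Group Policy).
foreach ($port in 88, 389, 445) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar  = $tcp.BeginConnect($logonServer, $port, $null, $null)
    $ok  = $ar.AsyncWaitHandle.WaitOne(3000)   # 3 s timeout, WAN-friendly
    $tcp.Close()
    $state = if ($ok) { 'open' } else { 'BLOCKED/timeout' }
    Write-Host ("Port {0,3} on {1}: {2}" -f $port, $logonServer, $state)
}

# 3. Is the machine account's secure channel still valid? A broken secure
#    channel is what produces the "object exists in AD but the computer is
#    not really in AD" symptom from the first post; -Repair resets the
#    machine account password in place instead of a remove/re-join.
if (Test-ComputerSecureChannel) {
    Write-Host 'Secure channel : OK'
} else {
    Write-Warning 'Secure channel broken. Fix with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}

# 4. How many domain logons does this box cache for use when no DC is
#    reachable? CachedLogonsCount defaults to 10; 0 disables cached logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
Write-Host "Cached logons  : $cached"

# 5. Kerberos tickets currently held; a TGT (krbtgt/REALM) in the list
#    confirms the last authentication round-trip to a DC succeeded.
klist
```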
Re: Long Distance AD Authentication [message #389514, reply to #389431] Thu, 11 February 2010 12:34
tkutil (Member; registered July 2009; 54 messages)
We have branch offices with at most 3 - 5 users. There is no server at those locations. All together there are about 50 users. Is there a way I can test that these computers are still connected and functioning in AD?
Re: Long Distance AD Authentication [message #389563, reply to #389514] Thu, 11 February 2010 13:33
Jorge Silva (Senior Member; registered July 2009; 398 messages)
Yep, it sounds like that is more than enough for the authentication process, but you may need to monitor how much bandwidth is available for those users. Users do not maintain a constant connection to Active Directory DCs; they get their Kerberos ticket and use it when accessing other resources, and when that ticket expires they need to renew it. Testing resource access is simple: just try to access a server with AD permissions configured, or you may test other things, like opening dsa.msc (Active Directory Users and Computers) and modifying a user or creating a new one, etc. The point is, you need to guarantee the WAN link between those users, the apps that they need to work with and the DCs. You see, you're asking about the need for DCs, but you should be worried about your WAN reliability and available bandwidth.

BTW: What are the users' needs? What do they need to access to perform their jobs?

--

Jorge Silva
MVP Directory Services
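The reply above tests from the user's side (access a server, open dsa.msc). The original question also asked how to tell whether branch computers are still "connected and functioning in AD", which an administrator can answer centrally from the directory's own attributes. This is an added example for this thread, not code from either poster; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later) on a domain-joined admin workstation, and the OU path and 60 day threshold are placeholders.

```powershell
# Added example, not from the thread: list branch computer accounts that have
# not authenticated to any DC recently. Assumes the ActiveDirectory module
# (Server 2008 R2 RSAT or later); the OU and threshold are placeholders.
Import-Module ActiveDirectory

$BranchOU  = 'OU=Branch Offices,DC=corp,DC=example'   # placeholder OU path
$StaleDays = 60

# AD does not disconnect or disable stale computer objects by itself; the
# object stays until an admin removes it. Two replicated attributes reveal
# whether the machine is still talking to a DC:
#  - lastLogonTimestamp is refreshed only when the stored value is more than
#    ~14 days old, so use it as "stale or not", never as an exact time.
#  - pwdLastSet: a domain member rotates its machine account password every
#    30 days by default, so a much older value means the secure channel has
#    not worked for that long (the remove/re-join case from the first post).
$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = Get-ADComputer -Filter { Enabled -eq $true } -SearchBase $BranchOU `
            -Properties lastLogonTimestamp, PasswordLastSet, OperatingSystem |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else { $null }   # attribute never set: the account never logged on

        New-Object PSObject -Property @{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogon       = $lastLogon
            PasswordLastSet = $_.PasswordLastSet
            LogonStale      = ($lastLogon -eq $null -or $lastLogon -lt $cutoff)
            PasswordStale   = ($_.PasswordLastSet -lt $cutoff)
        }
    }

# Stale accounts are candidates for follow-up with the branch, not automatic
# deletion: disable first (Disable-ADAccount) so a returning laptop can be
# re-enabled, and delete only after the site confirms the machine is gone.
$report | Where-Object { $_.LogonStale -or $_.PasswordStale } |
    Sort-Object LastLogon |
    Format-Table Name, OperatingSystem, LastLogon, PasswordLastSet, LogonStale, PasswordStale -AutoSize
```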