From: AJ on 9 Feb 2010 06:35

Hi Guys

Can someone explain to me what process is used by a RODC to determine where it should forward an authentication request if caching of credentials on the RODC is not allowed? Is it by using the DsGetDcName API?

If there are multiple writeable DCs how does the RODC deal with spreading the load accordingly, as opposed to returning the same writeable DC for each request? In our situation this would overload a single DC. I'm assuming here that DsGetDcName returns the domain controller that responds the quickest and in that case an I/O bound DC currently dealing with a lot of authentication requests should never be selected?

Appreciate if someone could sanity check my thoughts on this.

TIA
AJ
From: Meinolf Weber [MVP-DS] on 9 Feb 2010 08:07

Hello AJ,

As a RODC normally is in a remote site, it uses the replication partner in AD Sites and Services where it has connectivity with.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
From: Paul Bergson [MVP-DS] on 9 Feb 2010 08:26

Here is a great blog I recently read up on from Microsoft. I think it will answer all your questions.

http://blogs.technet.com/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"AJ" <andyjones99(a)hotmail.co.uk> wrote in message news:b17cbad7-3829-4d39-90b7-f066415cce0b(a)o28g2000yqh.googlegroups.com...
From: AJ on 9 Feb 2010 11:58

On 9 Feb, 13:07, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de> wrote:
> As a RODC normally is in a remote site, it uses the replication partner in
> AD sites and services where it has connectivity with.

Hi Meinolf/Paul

Thanks for your reply(s).

To add to this, we will likely have 6 RODCs, maybe more, in a perimeter network and the same amount of writeable domain controllers on the internal network. My concern here is to make sure that neither one of the RODCs or the writeables gets overloaded with authentication requests, as we are talking a large number of users. The authentication requests will come from a third party application via LDAP and be serviced initially by the RODC, which will then refer to a writeable DC (no caching of creds).

How would it be best to achieve this? Should I manually configure the connection objects so that each RODC has a secure channel with its own writeable DC, so a one to one mapping? I am more concerned about the referral traffic overload as opposed to the initial authentication request from the application to the RODC, as this will be handled by the application itself.

I hope I am making sense here.

Thanks for your advice.
From: AJ on 9 Feb 2010 14:06

On 9 Feb, 16:58, AJ <andyjone...(a)hotmail.co.uk> wrote:
> How would it be best to achieve this? Should I manually configure the
> connection objects so that each RODC has a secure channel with its own
> writeable DC, so a one to one mapping?

Maybe this is what I am after. Maybe this stuff just works and I shouldn't worry about it!?

http://technet.microsoft.com/en-us/library/dd735927(WS.10).aspx

Will the RODC see all the writeable domain controllers as a valid target for authentication and replication requests automatically? (Via the connection objects)

TIA
AJ
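Added example, not from the thread or from Microsoft: a PowerShell script that maps each RODC to the writeable DCs it pulls from via its inbound connection objects (the replication-partner relationship Meinolf's reply refers to) and counts how many RODCs depend on each writeable DC, so a one-to-one mapping or a hot spot can be checked rather than assumed. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; variable names such as $load are my own.

```powershell
# Added example: show which writeable DC(s) each RODC replicates from, and
# how many RODCs lean on each writeable DC. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can read the Configuration NC.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$sitesBase = "CN=Sites,$configNC"

# Index every DC by the DN of its NTDS Settings object; connection objects
# refer to DCs by that DN (fromServer = source, parent container = destination).
$dcByNtds = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    $dcByNtds[$dc.NTDSSettingsObjectDN] = $dc
}

# nTDSConnection objects live under the destination DC's NTDS Settings.
$conns = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
            -SearchBase $sitesBase -Properties fromServer, options

$load = @{}   # writeable DC hostname -> number of RODCs pulling from it
$rows = foreach ($c in $conns) {
    # Parent DN of the connection object = NTDS Settings DN of the destination DC
    $destDn = $c.DistinguishedName -replace '^CN=[^,]+,', ''
    $dest   = $dcByNtds[$destDn]
    $src    = $dcByNtds[$c.fromServer]
    if (-not $dest -or -not $src -or -not $dest.IsReadOnly) { continue }

    # options bit 0x1 = NTDSCONN_OPT_IS_GENERATED: created by the KCC, not by hand
    $kccGenerated = [bool]($c.options -band 1)
    if (-not $src.IsReadOnly) {
        $load[$src.HostName] = 1 + [int]$load[$src.HostName]
    }
    [pscustomobject]@{
        RODC            = $dest.HostName
        RODCSite        = $dest.Site
        Partner         = $src.HostName
        PartnerWritable = -not $src.IsReadOnly
        KCCGenerated    = $kccGenerated
    }
}

$rows | Sort-Object RODC, Partner | Format-Table -AutoSize

"Writeable DCs by number of RODCs depending on them:"
$load.GetEnumerator() | Sort-Object Value -Descending |
    ForEach-Object { "{0,-40} {1}" -f $_.Key, $_.Value }
```

A KCCGenerated value of False marks a connection object someone created by hand, which is the one-to-one mapping approach the post above asks about; the DN parsing is simplified and does not handle escaped commas in server names.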