Gostovanje na Windows strežnikih, ponudba webhosting, ASP.NET, PHP, MySQL


Windows technical support
Podporni forum za uporabnike storitev spletnega gostovanja
Reply to topic
Check and force specific DC to authenticate AD clients
Pico
Site Admin

Joined: 18 Jan 2004
Posts: 250
Location: HostMachine.net
Reply with quote
It is common struggle for AD domain admins to sometimes check and see, which DC domain controller actually authenticated AD domain user. Maybe while adding NEW DC to existing domain, and you wanna make sure users will be able to use new domain controller before you decommission old one.

So, how to check, which domain controller DC authenticated specific user?

Simply ON CLIENT open CMD and type:

Code:
SET LogonServer


Variable "LOGONSERVER" holds the UNC server name, which authenticated user against and is set fresh upon every user login.


How can you force specific (or NEW) DC to authenticate users?

You can push domain controllers up or down on priority list for authentication servers. By default AD domain uses some internal statistical calculation to point NET Logon service for authentication towards one of domain DC servers.

To manually reorder this authentication priority, you can set WEIGHT or PRIORITY in registry for all servers, and NET LOGON service of clients will obey your override.

So, on ALL servers (or at least on server, which you want to push UP or DOWN on priority list, ADD this registry value:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameter

New DWORD key named: LdapSrvWeight
Higher the value, higher on priority list.
Default value is 64 (hex) or 100 (dec). Max is FFFF (hex).
So, for example, if you would like NEW DC to be higher on priority list, set this value to, for example, 200 (decimal).

_________________
Site admin alias Labsy
Vsi nasveti in tehnične rešitve so podani v dobri veri in za ljudi z razčiščenimi pojmi o veljavni zakonodaji.
Odgovornost prevzemam izključno in samo za tiste posege, ki jih opravim lastnoročno.
View user's profileSend private messageVisit poster's websiteMSN Messenger
Check and force specific DC to authenticate AD clients
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT + 1 Hour  
Page 1 of 1  

  
  
 Reply to topic