Branch Office Authentication?

microsoft.public.windows.server.security
Posted by Rob on January 23, 2006, 10:55 am
I have several Win2003 servers in my main office. I am about to deploy a
2003 server to a branch office, connected by VPN. I am going to add the
branch server as a DC and join it to the domain.

1. Is there a way to force branch users to authenticate to the branch DC to
save log on time/logon scripts?
2. If the VPN goes down between the offices, will the branch users still be
able to log on to the domain through the branch DC?

Thanks,
Rob



Posted by Ondrej Sevecek on January 24, 2006, 2:23 am
in the text:

>I have several Win2003 servers in my main office. I am about to deploy a
> 2003 server to a branch office, connected by VPN. I am going to add the
> branch server as a DC and join it to the domain.
>
> 1. Is there a way to force branch users to authenticate to the branch DC to
> save log on time/logon scripts?

you should establish a site topology - go to AD Sites and Services and create
a new *site* for your branch office. Move your branch server object from
"Default-First-Site-Name" to the newly created one. Then create the IP
address range(s) that will be used in the branch office and assign them to
the newly created site.

Generally, your DCs use the "site" container to determine their site
membership. Member computers (servers and clients) determine their site
membership by means of their IP address. When a member server logs on a
user, it always tries to determine its site membership and so its nearest DCs.

Also, you have to mark your branch office's DC as a "global catalog". This
can also be done in the snap-in. Open your branch office DC object in the
"sites" container and check the checkbox in the "NTDS Settings" properties.

Also, you should install a DNS server on the branch office DC, because domain
members use DNS to find their servers. The whole process is actually
the following:

- member client starts up
- if the client does not know anything about the domain, it queries DNS to
get ANY available DC.
- from this DC, the client gets site/subnet information of its own
- client determines its site from the information obtained and again queries
the DNS to get DCs of the appropriate site.
- client connects to ANY DC of its respective site
- the DC authenticates the computer/user and itself queries the nearest
Global Catalog to get the whole forest domain membership for the user


> 2. If the VPN goes down between the offices, will the branch users still be
> able to log on to the domain through the branch DC?

yes, no problem. Also, in the event that the local DC is not available, they
will authenticate over the VPN, so you are safe from branch DC outages.

>
> Thanks,
> Rob


No problem,
Ond
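The site/subnet/GC setup described in the reply above, scripted and then verified, as an added example that is not part of the original thread or of any Microsoft documentation. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later; the original thread is about Windows Server 2003, where the same steps are done in the Sites and Services snap-in), Enterprise Admin rights, and the hypothetical names corp.example, site "Branch", subnet 10.20.0.0/24 and branch DC BRANCH-DC1. The verification step is the part a practitioner wants: a DC that has been moved to a site only helps branch clients once it registers the site-specific SRV records and the locator actually returns it for that site.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and the hypothetical names below: domain corp.example, site
# "Branch", branch subnet 10.20.0.0/24, branch DC BRANCH-DC1.
Import-Module ActiveDirectory

$Domain   = 'corp.example'
$SiteName = 'Branch'
$Subnet   = '10.20.0.0/24'
$BranchDC = 'BRANCH-DC1'

# 1. Create the branch site and the subnet that maps branch IP addresses to it.
#    Clients pick their site by matching their own IP against these subnets.
New-ADReplicationSite   -Name $SiteName
New-ADReplicationSubnet -Name $Subnet -Site $SiteName

# 2. Move the branch DC's server object out of Default-First-Site-Name.
Move-ADDirectoryServer -Identity $BranchDC -Site $SiteName

# 3. Mark the branch DC as a global catalog. The GC flag is bit 0x1 of the
#    'options' attribute on the DC's NTDS Settings object; OR it in so that
#    any other option bits already set are preserved.
$dc   = Get-ADDomainController -Identity $BranchDC
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$opts = [int]($ntds.options) -bor 0x1
Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = $opts }

# 4. Verify. The DC must advertise site-specific SRV records for LDAP and GC
#    (Netlogon registers these after the move), and the locator must return
#    the branch DC when asked for a GC in the branch site. IsGlobalCatalog
#    only becomes $true once the GC partitions have finished replicating.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"
Resolve-DnsName -Type SRV -Name "_gc._tcp.$SiteName._sites.$Domain"
Get-ADDomainController -Identity $BranchDC | Select-Object Name, Site, IsGlobalCatalog
nltest /dsgetdc:$Domain /site:$SiteName /gc
```

Run the last command (and `nltest /dsgetsite`) from a workstation in the branch as well: the site it reports must be "Branch" and the DC it returns must be BRANCH-DC1, otherwise the subnet is wrong or the client's DNS is not pointed at a server that holds the site records.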



