Your network contains an Active Directory forest named contoso.com.
The forest contains a single domain. The domain contains three domain controllers.
The domain controllers are configured as shown in the following table.
You plan to test an application on a server named Server1.
Server1 is currently located in Site1. After the test, Server1 will be moved to Site2.
You need to ensure that Server1 attempts to authenticate to DC3 first, while you test the application.
What should you do?
A.
Create a new site and associate the site to an existing site link object.
B.
Modify the priority of site-specific service location (SRV) DNS records for Site2.
C.
Create a new subnet object and associate the subnet object to an existing site.
D.
Modify the weight of site-specific service location (SRV) DNS records Site1.
Explanation:
Service Location (SRV) Resource Record
Priority A number between 0 and 65535 that indicates the priority or level of preference given for
this record to the host that is specified in Host offering this service.
Priority indicates this host’s priority with respect to the other hosts in this domain that offer the same
service and are specified by different service location (SRV) resource records.
Incorrect:
Not D:
Weight: A number between 1 and 65535 to be used as a load-balancing mechanism. When you
select among more than one target SRV host for the type of service (specified in Service) that use
the same Priority number, you can use this field to weight preference toward specific hosts. Where
several hosts share equal priority, SRV-specified hosts with higher weight values that are entered
here should be returned first to resolver clients in SRV query results.Service Location
(SRV) Resource Record Dialog Box
If everything is working right, this answer is wrong.
When a client connects to a network and looks for a domain controller, the first thing it does is compare it’s subnet to the those associated with sites to see which is closest. If Server1 is on the same network with DC1 and DC2 and it’s on the same subnet, it will never look at the info for Site2. FURTHER, there is only one DC in Site2. Editing the priority does absolutely nothing because priority is for which DC is more important at THAT SITE. Similarly, editing the weight of Site 1 DCs will only skew which gets more requests in Site1.
To force the server to authenticate against DC3 in Site2, you’d need to give it an IP in a subnet assigned to Site2.
C.
https://technet.microsoft.com/en-us/library/cc978016.aspx
When a client that is searching for a domain controller receives the list of domain controller IP addresses from DNS, the client begins querying the domain controllers in turn to find out which domain controller is available and appropriate. Active Directory intercepts the query, which contains the IP address of the client, and passes it to Net Logon on the domain controller. Net Logon looks up the client IP address in its subnet-to-site mapping table by finding the subnet object that most closely matches the client IP address and then returns the following information:
The name of the site in which the client is located, or the site that most closely matches the client IP address.
The name of the site in which the current domain controller is located.
A bit that indicates whether the found domain controller is located (bit is set) or not located (bit is not set) in the site closest to the client.
This article seems to point B as the right answer:
https://support.microsoft.com/en-us/kb/306602
“To make sure that domain controllers and global catalogs from site B are chosen by the clients in site A only if the domain controllers and global catalogs from site A are not available, the domain controllers and global catalogs in site B that are covering site A should register SRV records that containing lower (higher in absolute value) priority.”
Besides, I fail to realize how C would solve the problem without changing the entire site’s subnet.
In our case all DC are online, so “only if the domain controllers and global catalogs from site A are not available” makes this proposal as explanation for B useless.
If we realize that subnets cab overlap (tested myself) then C is much more interesting…
“Interesting” does not offer a solution.
To which site would you associate the new subnet? And to what effect?
C seems as ineffective as B.
FYI, if you read this carefully the question asks how we can get Server1 to authenticate against DC3 WHILE the application is tested BEFORE it is moved to site 2.
Therefore the question is really asking us, how can we get Server1 (currently at site 1) to authenticate against the DC in site 2.
A subnet object would be no good to us here as the server would have an IP for the Site1 subnet at this point. The only other way you’re gonna get it to authenticate against the DC at Site3 is modify the priority (not weight!) of the SRV site specific records.
This question is evil, as the wording is designed to trip people up. Was it too much to ask; How can you get Server1 to authenticate against a DC bound to a different site? I guess that would be too easy…
Modifying the priority would be no use at all.
https://technet.microsoft.com/en-us/library/cc742513(v=ws.11).aspx
“Lower numbers are given higher preference. The highest priority or preference goes to a host (offering the service that is specified in this record) that has a priority value of zero (0).”
By default, SRV service records for all DCs in the domain will have priority set to 0.
How would you give DC3 a lower priority number than 0? Impossible.
You would have to increase the priority of SRV records for site1, but that is not an option.
All seems very well researched and argumented, but what is the right answer in this ???
Why not create a /32 subnet object (with the specific IP address of the application server), and associate it with site 2. When choosing a DC to authenticate against, a device will use the smallest applicable subnet. Therefore, a /32 inside the wider subnet allocations would allow this server to authenticate against a different site.
I’m going with C.
I also go with that. It’s less impact on overall infrastructure and only affects server3.
btw, one may wonder about how DC locator works when processing overlapping subnets. This article states that “the IP subnet with the smallest matching subnet mask is used”, wich would alway apply to /32:
https://technet.microsoft.com/en-us/library/2009.06.subnets.aspx
Answer is C without any doubt .. Domain Controllers tell the PC to which DC/Site to connect for authentication based solely on matching subnets -> sites .. there is nothing you can do to tweak a PC to authenticate to another site if the PC already has an IP address in a subnet defined in Sites and Services that attaches to a specific Site.. tweaking DNS SRV records only changes the behavior in that particular site.. ( I work for a LARGE technology company in the AD department.. I deal with Sites / Subnets all the time.. believe me.. “C” is the correct answer 🙂