You need to ensure that users in Branch2 only authenticate to the domain controllers in Main

Your network contains an Active Directory domain. The domain is configured as shown in
the following table.

Users in Branch2 sometimes authenticate to a domain controller in Branch1.
You need to ensure that users in Branch2 only authenticate to the domain controllers in
Main.
What should you do?

A. On DC3, set the AutoSiteCoverage value to 1.

B. On DC1 and DC2, set the AutoSiteCoverage value to 0.

C. On DC1 and DC2, set the AutoSiteCoverage value to 1.

D. On DC3, set the AutoSiteCoverage value to 0.

Explanation:
http://technet.microsoft.com/en-us/library/cc787491%28v=ws.10%29.aspx
Parameters\AutoSiteCoverage
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Description: Specifies whether the system can add sites to the coverage area of this domain
controller.
Domain controllers cover, that is, provide services to, the site in which they reside and to
other sites listed in the value of the entry SiteCoverage. In addition, when the value of
AutoSiteCoverage is 1, the system can add sites that do not have domain controllers to this
domain controller’s coverage area.

The sites added to the domain controller’s coverage are stored in memory, and a new list is
assembled each time the Net Logon service starts or when Netlogon is notified of the site
object changes. While Net Logon runs, it updates this list at an interval specified by the value
of the entry DnsRefreshInterval.

http://technet.microsoft.com/en-us/library/cc749944.aspx
Planning Active Directory for Branch Office
..
Disabling AutoSiteCoverage Registration in DNS
Another situation that requires configuration of SRV records results from not having a
domain controller in a particular site. This may happen because there are no users needing
constant logon access, or because replication to the site might be too expensive or too slow.
To ensure that a domain controller can be located in the site closest to a client computer, if
not the same site, Windows 2000 automatically attempts to register a domain controller in
every site by using an “autositecoverage” algorithm. The algorithm determines how one site
can “cover” another site when no domain controller exists in the second site. By default, the
process uses the replication topology.
The algorithm works as follows. Each domain controller checks all sites in the forest and
then checks the replication cost matrix. A domain controller advertises itself (registers a
site-related SRV record in DNS) in any site that does not have a domain controller for that
domain and for which its site has the lowest-cost connections. This process ensures that
every site has a domain controller even though its domain controller may not be located in
that site. The domain controllers that are published in DNS are those from the closest site
(as defined by the replication topology).
In the branch office scenario, any computer from other sites should not discover branch
office domain controllers. A client should always communicate with a local domain controller,
and if that is not available, use a domain controller in the hub site. To achieve this:
1. Disable AutoSiteCoverage on all of the domain controllers, not only for the branch domain
controllers, but also hub domain controllers.
2. Do not register generic records as described above.
If both of these configurations (1. and 2.) are performed, then all-site clients will discover the
local domain controller if it is available, or its hub domain controller (if no local domain
controller is available).
In the unusual scenario when a site with a domain controller for some domain is closer to
another site than the central hub, the administrator has the ability to configure that domain
controller with the specific (“close”) sites to be covered using the following registry values:
SiteCoverage, GcSiteCoverage. Alternatively, the administrator can use the following Group
Policy settings:
Sites Covered by the domain controller Locator DNS SRV Records
Sites Covered by the global catalog server Locator DNS SRV Records
Sites Covered by the NDNC Locator DNS SRV Records
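
A check for the effect described above, as an added example (not from the original page or from Microsoft's documentation): it reads site-specific DC locator SRV records and reports any domain controller registered for a site that is neither its own site nor covered from the hub. The domain name example.test, the host names, and the record lines are constructed; the DC-to-site mapping is an assumption inferred from the answer options, since the table is not reproduced.

```python
import re
from collections import defaultdict

# Constructed sample: site-specific DC locator SRV records in zone-file form.
# example.test and the host names are placeholders, not values from the page.
ZONE = """\
_ldap._tcp.Main._sites.dc._msdcs.example.test.    600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.Main._sites.dc._msdcs.example.test.    600 IN SRV 0 100 389 dc2.example.test.
_ldap._tcp.Branch1._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc3.example.test.
_ldap._tcp.Branch2._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc3.example.test.
_ldap._tcp.Branch2._sites.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
"""
# Assumed placement: DC1 and DC2 in Main, DC3 in Branch1, no DC in Branch2.
DC_HOME_SITE = {"dc1": "Main", "dc2": "Main", "dc3": "Branch1"}
HUB_SITE = "Main"

SRV_RE = re.compile(
    r"^_ldap\._tcp\.(?P<site>[^.]+)\._sites\.dc\._msdcs\.\S+\s+\d+\s+IN\s+SRV\s+"
    r"\d+\s+\d+\s+\d+\s+(?P<host>[^.\s]+)\.", re.IGNORECASE)

def coverage(zone_text):
    """Map each site to the set of DCs registered in its site-specific records."""
    sites = defaultdict(set)
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            sites[m["site"]].add(m["host"].lower())
    return dict(sites)

def unexpected_coverage(zone_text, dc_home_site, hub_site):
    """Return (site, dc) pairs where a DC is registered for a site other than
    its own and the DC is not located in the hub site (unknown DCs included)."""
    findings = []
    for site, dcs in sorted(coverage(zone_text).items()):
        for dc in sorted(dcs):
            home = dc_home_site.get(dc)
            if home != site and home != hub_site:
                findings.append((site, dc))
    return findings

if __name__ == "__main__":
    for site, dc in unexpected_coverage(ZONE, DC_HOME_SITE, HUB_SITE):
        home = DC_HOME_SITE.get(dc, "unknown site")
        print(f"{dc} ({home}) is registered for site {site}")
```

With the constructed records, the only finding is dc3 registered for Branch2, which is the kind of cross-branch coverage the AutoSiteCoverage and SiteCoverage settings control.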


