Sunday, January 19, 2014

"Try Next Closest Site" Group Policy Setting

In a previous post I wrote about how the DC Locator component of Windows locates a domain controller.  That post can be found at the following URL:

http://clintboessen.blogspot.com.au/2010/05/how-clients-locate-domain-controllers.html

In this post we are going to look at a feature called "Try Next Closest Site" which is enabled on Windows Vista upwards clients via Group Policy.

In Windows 2000/XP/2003, when all domain controllers in an Active Directory site fail, there is a chance workstations may fail over to another Active Directory site at a higher cost than the most preferable one as defined in Active Directory Sites and Services.  Changes were made to the DC Locator algorithm starting with Windows Vista/Server 2008 to ensure workstations always communicate with the next closest Active Directory site as defined in Sites and Services.

I strongly recommend this setting always be configured if your workstations are Windows Vista or higher.  To enable this setting, perform the following steps.

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. Double-click Forest: forest_name, double-click Domains, and then double-click domain_name.

4. Right-click Default Domain Policy, and then click Edit.

5. In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/Administrative Templates/System/Netlogon/DC Locator DNS Records.

6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK.
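
The same change can be scripted and then verified on a client. This is an added example, not from the original post: it assumes the RSAT GroupPolicy module is available on the admin workstation, and that the "Try Next Closest Site" policy writes the registry value TryNextClosestSite = 1 under HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters (the value behind the policy, which the post itself does not name).

```powershell
# Added example (not from the original post): set "Try Next Closest Site" with the
# GroupPolicy module instead of the GUI steps above, then audit a client for the
# effective setting and exercise the DC Locator with nltest.
# Assumption: the policy maps to the registry value below (per the Netlogon ADMX
# template; the post does not name it).
$GpoKey       = 'HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'   # Set-GPRegistryValue form
$ClientRegKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'  # PowerShell drive form

function Enable-TryNextClosestSite {
    param([string]$GpoName = 'Default Domain Policy')
    Import-Module GroupPolicy -ErrorAction Stop
    # Equivalent of choosing "Enabled" in step 6: a DWORD of 1 in the GPO's registry policy.
    Set-GPRegistryValue -Name $GpoName -Key $GpoKey `
        -ValueName 'TryNextClosestSite' -Type DWord -Value 1 | Out-Null
}

function Get-TryNextClosestSiteState {
    # Run on a client after gpupdate; reports whether the policy has actually applied.
    $reg = Get-ItemProperty -Path $ClientRegKey -Name 'TryNextClosestSite' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = ($null -ne $reg -and $reg.TryNextClosestSite -eq 1)
        # Only Vista/Server 2008 (NT 6.0) and later honour the setting.
        Supported    = [Environment]::OSVersion.Version.Major -ge 6
    }
}

function Test-DcLocatorNextClosestSite {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # Forces a fresh lookup with next-closest-site behaviour requested explicitly;
    # compare the reported DC site with what Sites and Services says should be next.
    nltest /dsgetdc:$Domain /force /try_next_closest_site
}

Enable-TryNextClosestSite            # on a domain admin workstation
Get-TryNextClosestSiteState          # on a client, after gpupdate /force
Test-DcLocatorNextClosestSite        # on the same client
```

Run the audit across a fleet (for example with Invoke-Command) to find clients where Configured is false, since older or unmanaged machines will still fail over by site cost alone.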

For additional reading, please see the following URLs:

http://technet.microsoft.com/en-us/library/cc733142(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc772592(v=ws.10).aspx

Note: With "Try Next Closest Site" enabled, the client will never try a remote site that contains a read-only domain controller, because read-only domain controllers generally store passwords only for the users at that specific remote site, for security reasons.

1 comment:

  1. Thanks so much for the comment. I try to put together my learning and experience in terms of blog and feel great if this helps others.

    Interior Designers Chennai
