From: AJ on
Hi Guys

Can someone explain to me what process is used by a RODC to determine
where it should forward an authentication request if caching of
credentials on the RODC is not allowed? Is it by using the DsGetDcName
API?

If there are multiple writeable DCs, how does the RODC deal with
spreading the load accordingly, as opposed to returning the same
writeable DC for each request? In our situation this would overload a
single DC. I'm assuming here that DsGetDCName returns the domain
controller that responds the quickest, and in that case an I/O bound DC
currently dealing with a lot of authentication requests should never
be selected?

Appreciate if someone could sanity check my thoughts on this.

TIA

AJ
From: Meinolf Weber [MVP-DS] on
Hello AJ,

As a RODC normally is in a remote site, it uses the replication partner in
AD sites and services where it has connectivity with.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi Guys
>
> Can someone explain to me what process is used by a RODC to determine
> where it should forward an authentication request if caching of
> credentials on the RODC is not allowed? Is it by using the DsGetDcName
> API?
>
> If there are multiple writeable DCs, how does the RODC deal with
> spreading the load accordingly, as opposed to returning the same
> writeable DC for each request? In our situation this would overload a
> single DC. I'm assuming here that DsGetDCName returns the domain
> controller that responds the quickest, and in that case an I/O bound DC
> currently dealing with a lot of authentication requests should never
> be selected?
>
> Appreciate if someone could sanity check my thoughts on this.
>
> TIA
>
> AJ
>


From: Paul Bergson [MVP-DS] on
Here is a great blog I recently read up on from Microsoft. I think it will
answer all your questions.

http://blogs.technet.com/askds/archive/2008/01/18/understanding-read-only-domain-controller-authentication.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"AJ" <andyjones99(a)hotmail.co.uk> wrote in message
news:b17cbad7-3829-4d39-90b7-f066415cce0b(a)o28g2000yqh.googlegroups.com...
> Hi Guys
>
> Can someone explain to me what process is used by a RODC to determine
> where it should forward an authentication request if caching of
> credentials on the RODC is not allowed? Is it by using the DsGetDcName
> API?
>
> If there are multiple writeable DCs, how does the RODC deal with
> spreading the load accordingly, as opposed to returning the same
> writeable DC for each request? In our situation this would overload a
> single DC. I'm assuming here that DsGetDCName returns the domain
> controller that responds the quickest, and in that case an I/O bound DC
> currently dealing with a lot of authentication requests should never
> be selected?
>
> Appreciate if someone could sanity check my thoughts on this.
>
> TIA
>
> AJ


From: AJ on
On 9 Feb, 13:07, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de> wrote:
> Hello AJ,
>
> As a RODC normally is in a remote site, it uses the replication partner in
> AD sites and services where it has connectivity with.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi Guys
>
> > Can someone explain to me what process is used by a RODC to determine
> > where it should forward an authentication request if caching of
> > credentials on the RODC is not allowed? Is it by using the DsGetDcName
> > API?
>
> > If there are multiple writeable DCs, how does the RODC deal with
> > spreading the load accordingly, as opposed to returning the same
> > writeable DC for each request? In our situation this would overload a
> > single DC. I'm assuming here that DsGetDCName returns the domain
> > controller that responds the quickest, and in that case an I/O bound DC
> > currently dealing with a lot of authentication requests should never
> > be selected?
>
> > Appreciate if someone could sanity check my thoughts on this.
>
> > TIA
>
> > AJ

Hi Meinolf/Paul

Thanks for your reply(s).

To add to this, we will likely have 6 RODCs, maybe more, in a perimeter
network and the same number of writeable domain controllers on the
internal network. My concern here is to make sure that none of
the RODCs or the writeable DCs get overloaded with authentication
requests, as we are talking about a large number of users. The authentication
requests will come from a third party application via LDAP and be
serviced initially by the RODC, which will then refer to a writeable DC
(no caching of creds). How would it be best to achieve this? Should I
manually configure the connection objects so that each RODC has a
secure channel with its own writeable DC, i.e. a one to one mapping? I am
more concerned about the referral traffic overload as opposed to the
initial authentication request from the application to the RODC, as
this will be handled by the application itself.

I hope I am making sense here.

Thanks for your advice.
From: AJ on
On 9 Feb, 16:58, AJ <andyjone...(a)hotmail.co.uk> wrote:
> On 9 Feb, 13:07, Meinolf Weber [MVP-DS] <meiweb@(nospam)gmx.de> wrote:
>
> > Hello AJ,
>
> > As a RODC normally is in a remote site, it uses the replication partner in
> > AD sites and services where it has connectivity with.
>
> > Best regards
>
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > > Hi Guys
>
> > > Can someone explain to me what process is used by a RODC to determine
> > > where it should forward an authentication request if caching of
> > > credentials on the RODC is not allowed? Is it by using the DsGetDcName
> > > API?
>
> > > If there are multiple writeable DCs, how does the RODC deal with
> > > spreading the load accordingly, as opposed to returning the same
> > > writeable DC for each request? In our situation this would overload a
> > > single DC. I'm assuming here that DsGetDCName returns the domain
> > > controller that responds the quickest, and in that case an I/O bound DC
> > > currently dealing with a lot of authentication requests should never
> > > be selected?
>
> > > Appreciate if someone could sanity check my thoughts on this.
>
> > > TIA
>
> > > AJ
>
> Hi Meinolf/Paul
>
> Thanks for your reply(s).
>
> To add to this, we will likely have 6 RODCs, maybe more, in a perimeter
> network and the same number of writeable domain controllers on the
> internal network. My concern here is to make sure that none of
> the RODCs or the writeable DCs get overloaded with authentication
> requests, as we are talking about a large number of users. The authentication
> requests will come from a third party application via LDAP and be
> serviced initially by the RODC, which will then refer to a writeable DC
> (no caching of creds). How would it be best to achieve this? Should I
> manually configure the connection objects so that each RODC has a
> secure channel with its own writeable DC, i.e. a one to one mapping? I am
> more concerned about the referral traffic overload as opposed to the
> initial authentication request from the application to the RODC, as
> this will be handled by the application itself.
>
> I hope I am making sense here.
>
> Thanks for your advice.

Maybe this is what I am after. Maybe this stuff just works and I
shouldn't worry about it!?

http://technet.microsoft.com/en-us/library/dd735927(WS.10).aspx

Will the RODC see all the writeable domain controllers as a valid
target for authentication and replication requests automatically? (Via
the connection objects)

TIA

AJ
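Meinolf's answer points at the RODC's replication partner in AD Sites and Services, and AJ's last question is whether the connection objects make every writeable DC a valid target. The script below is an added example, not code from the thread or from Microsoft: it inventories, for each RODC, the writeable DCs it has inbound connection objects from, flags any hub DC that is the sole inbound partner of more than one RODC (the overload scenario AJ describes), and then asks each RODC's own DC locator which writeable DC it currently picks, so the two views can be compared rather than assumed to be identical. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later) and read access to the Configuration partition; `nltest` ships with Windows.

```powershell
# Added example (not from the thread): map RODCs to their writeable
# replication partners and check what each RODC's locator returns.
# Assumes: RSAT ActiveDirectory module, domain-joined admin workstation.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$allDcs = Get-ADDomainController -Filter *
$rodcs  = $allDcs | Where-Object { $_.IsReadOnly }

# Connection objects refer to DCs by their NTDS Settings DN; map DN -> host.
$nameByNtds = @{}
foreach ($dc in $allDcs) { $nameByNtds[$dc.NTDSSettingsObjectDN] = $dc.HostName }

# All connection objects in the Configuration partition (KCC-generated or manual).
$conns = Get-ADReplicationConnection -Filter *

$rows        = @()   # one row per (RODC, inbound partner) pair
$partnerLoad = @{}   # writeable DC hostname -> number of RODCs pulling from it

foreach ($rodc in $rodcs) {
    $inbound = $conns | Where-Object {
        $_.ReplicateToDirectoryServer -eq $rodc.NTDSSettingsObjectDN
    }
    foreach ($c in $inbound) {
        $from = $nameByNtds[$c.ReplicateFromDirectoryServer]
        if (-not $from) { $from = $c.ReplicateFromDirectoryServer }  # unresolved DN
        $rows += [pscustomobject]@{
            RODC    = $rodc.HostName
            Site    = $rodc.Site
            FromDC  = $from
            AutoGen = $c.AutoGenerated   # $false means someone created it by hand
        }
        $partnerLoad[$from] = 1 + [int]$partnerLoad[$from]
    }
}

"RODC inbound replication partners (from connection objects):"
$rows | Sort-Object RODC | Format-Table -AutoSize

"Writeable DCs that are the inbound partner of more than one RODC:"
$partnerLoad.GetEnumerator() | Where-Object { $_.Value -gt 1 } |
    Sort-Object Value -Descending | Format-Table Name, Value -AutoSize

# The locator view: ask the Netlogon service on each RODC which writeable DC
# it finds right now. /force bypasses the cached locator result.
foreach ($rodc in $rodcs) {
    "Locator result on $($rodc.HostName):"
    nltest /server:$($rodc.HostName) /dsgetdc:$($domain.DNSRoot) /writable /force
}
```

If the second table lists one hub DC for most RODCs while other writeable DCs never appear, that is the single-partner concentration AJ was worried about, and it shows up in the topology before it shows up as load.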