AD bridgeheads.
JX
Guest





Posted: Wed Nov 09, 2005 1:50 am    Post subject: AD bridgeheads.

Hi all -

I was wondering how many AD bridgeheads (IP) can be assigned in AD at a
given time for a given child domain? Is it one or two?
Also, can the server designated as the bridgehead be used for KDC/Kerberos
user authentication/authorization?

thanks!
Jx
Paul Williams [MVP]
Guest





Posted: Wed Nov 09, 2005 9:51 am    Post subject: Re: AD bridgeheads.

Bridgeheads are more of a site thing than a domain. Yes, you need to select
preferred bridgeheads on a per domain basis for each site, but it is still
done at a site level.

You can select several, but it is not recommended you do so. Leave it up to
the ISTG. This way, the ISTG will automatically pick a new one if the
current one goes down. If you select preferred bridgeheads, you override
this behaviour.

The following is an excerpt from here:
--
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd06.mspx

"
Bridgehead Server Selection
By default, bridgehead servers are automatically selected by the intersite
topology generator (ISTG) in each site. Alternatively, you can use Active
Directory Sites and Services to select preferred bridgehead servers.
However, it is recommended for Windows 2000 deployments that you do not
select preferred bridgehead servers.

Selecting preferred bridgehead servers limits the bridgehead servers that
the KCC can use to those that you have selected. If you use Active Directory
Sites and Services to select any preferred bridgehead servers at all in a
site, you must select as many as possible and you must select them for all
domains that must be replicated to a different site. If you select preferred
bridgehead servers for a domain and all preferred bridgehead servers for
that domain become unavailable, replication of that domain to and from that
site does not occur.

If you have selected one or more bridgehead servers, removing them from the
bridgehead servers list restores the automatic selection functionality to
the ISTG."


Quote:
Also, can the server designated as the bridgehead be used for KDC/Kerberos
user authentication/authorization?


What do you mean? Can you limit logons to the bridgehead, or are you
looking at this from a non-Windows client perspective?

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
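
The rules in the excerpt above can be checked mechanically. The following is an added example, not code from the thread or from the Microsoft guide: it audits an inventory of domain controllers and reports, per site and domain, whether bridgehead selection is left to the ISTG or has been restricted in a way the excerpt warns about. The inventory, its field names and the status labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: one record per domain controller. Field names are
# hypothetical; "preferred" means the DC is a preferred bridgehead for IP.
DCS = [
    {"name": "HUB-DC1", "site": "Hub", "domain": "corp.example", "preferred": True, "up": True},
    {"name": "HUB-DC2", "site": "Hub", "domain": "corp.example", "preferred": True, "up": False},
    {"name": "HUB-DC3", "site": "Hub", "domain": "child.corp.example", "preferred": False, "up": True},
    {"name": "BR-DC1", "site": "Branch", "domain": "child.corp.example", "preferred": False, "up": True},
    {"name": "BR-DC2", "site": "Branch", "domain": "child.corp.example", "preferred": False, "up": True},
    {"name": "DR-DC1", "site": "DR", "domain": "corp.example", "preferred": True, "up": False},
]

def audit_bridgeheads(dcs):
    """Return {(site, domain): status} following the rules in the excerpt."""
    by_site = defaultdict(list)
    for dc in dcs:
        by_site[dc["site"]].append(dc)

    report = {}
    for site, members in by_site.items():
        # Any preferred bridgehead in a site limits the KCC to the selected servers.
        manual = any(dc["preferred"] for dc in members)
        for domain in sorted({dc["domain"] for dc in members}):
            hosts = [dc for dc in members if dc["domain"] == domain]
            if not manual:
                # Nothing selected: the ISTG picks a bridgehead and replaces it on failure.
                status = "auto" if any(dc["up"] for dc in hosts) else "no-dc-available"
            else:
                chosen = [dc for dc in hosts if dc["preferred"]]
                live = [dc for dc in chosen if dc["up"]]
                if not chosen:
                    status = "domain-not-covered"       # selection missing for this domain
                elif not live:
                    status = "replication-blocked"      # all preferred bridgeheads down
                elif len(live) == 1:
                    status = "single-point-of-failure"  # one outage away from blocked
                else:
                    status = "ok"
            report[(site, domain)] = status
    return report

if __name__ == "__main__":
    for (site, domain), status in sorted(audit_bridgeheads(DCS).items()):
        print(f"{site:7} {domain:20} {status}")
```
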
JX
Guest





Posted: Wed Nov 09, 2005 9:51 pm    Post subject: Re: AD bridgeheads.

Paul - thanks for your answer.
For the second part of the question, I meant that if you have selected 2
servers as your bridgeheads, would they also be able to process security
tokens, TGT, Kerberos authentication for clients in that site?
thx
Jx
Paul Williams [MVP]
Guest





Posted: Thu Nov 10, 2005 1:51 am    Post subject: Re: AD bridgeheads.

Yes. The role of bridgehead doesn't stop them from performing their normal
duties. Which is why in large organisations bridgehead servers might need
to be meaty. x64 is the way to go for DCs...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
JX
Guest





Posted: Thu Nov 10, 2005 5:51 pm    Post subject: Re: AD bridgeheads.

thx.