AD sites and services query

Carr, Darren 1 Reputation point
2022-11-09T16:25:23.313+00:00

Hi,

I have a scenario in which I am using a 3P RADIUS server to authenticate clients using LDAP/LDAPS.

The 3P RADIUS server is joined to the domain but is not a Microsoft Server.

The domain is distributed across three global regions and in each region there is at least one domain controller. Alongside the domain controller is a 3P RADIUS server. These servers are clustered together across the three regions.

We have configured AD Sites and Services with three regions representing the above.

For the authentication request we are targeting the domain name e.g. example.com and not the actual domain controllers. We were hoping that Sites and Services would ensure that if a DNS request for site1 came in from the 3P RADIUS server in site1 that DNS would respond with the local domain controller in site1. In DNS we have configured the SRV record such that the local domain controller in site one is preferred over others. However it does not appear to be working as we see requests being serviced from domain controllers outside of the site.

I'd like to understand if Sites and Services works for computers that are not Microsoft domain joined workstations and servers and what else I should configure to keep the authentication requests local to the site. We have ensured that the subnets have been added correctly for the site.

Thanks

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,622 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,039 questions

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vasileios Dionysopoulos 641 Reputation points
    2022-11-10T15:26:24.44+00:00

    259136-dcfile.png

    You have to check the DNS Servers and all the records, in the example is only LDAP, if you have configure LDAPs it will appear there also.
    Firewall ports 88 kerberos, 636 LDAPs, 389 LDAP
    Also keep in mind that the service is horizontal and if there is an error then the traffic is distribute in all of the DC/DNS service.

    Also check the Cost of the link on the site and services.
    Also check if there is an computer object on the Users and Computers.
    I suppose that the DNS entry's for the radius servers exists.

  2. Daisy Zhou 24,741 Reputation points Microsoft Vendor
    2022-11-11T02:17:18.65+00:00

    Hello CarrDarren-7409,

    Thank you for posting in our Q&A forum.

    Based on the description above, I understand you have a 3P RADIUS server (non-Microsoft Server) in the Windows domain.

    And you have three sites in the domain, each site has at least one Domain Controller (the Domain Controllers are Windows Domain Controllers).

    If there is anything I misunderstood, please correct me.

    Based on my knowledge, in Windows Domain and Windows Domain Controller, if one server/ one client in site1 (the IP address of this client/this server is contained in the subnet corresponding to site1.), then when one domain user logs on this server/ this client in site1, then this server/ this client will look for DCs in site1 to authenticate first. Unless it cannot find the domain control in site1 to authenticate, it will find the domain control in closest site to authenticate.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ===============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  3. Daisy Zhou 24,741 Reputation points Microsoft Vendor
    2022-11-28T06:47:27.637+00:00

    Hello CarrDarren-7409,

    Thank you for your reply.

    You can try to change the Priority or Weight on SRV record.

    264629-capture.png

    I am not sure whether the method works in your case.
    Before you try the method or make any change, please read the links below to know more information about Priority or Weight on SRV record. And discuss it with your team.
    And if it is possible, please test it in your lab.

    https://www.cloudflare.com/learning/dns/dns-records/dns-srv-record/#:~:text=SRV%20records%20indicate%20the%20%22priority%22%20and%20%22weight%22%20of,value%20will%20receive%20more%20traffic%20than%20other%20servers.

    https://techgenix.com/domain-controllers-weight-priority/

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ===============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments
  4. Carr, Darren 1 Reputation point
    2022-11-28T16:06:31.737+00:00

    Hi Daisy,

    The problem I have here with the above is if I change the priority or weight it changes it for all servers in all regions as right now they all have the same view. It seems as though for this machine, as it is not a Windows Server/Client that 'Sites and Services' is not sending the site specific Domain Controllers but all of them. This is confirmed by the result I get for the DNS query.

    Do you know if 'Sites and Services' only works for Windows Server/Clients? this is my current observation as for any Windows based machine I am getting the right results from there. Just non-Windows machines that appear to have the issue. If it does only work for Windows based machines, do you have any official Microsoft documents that confirm this and what you can do for non-Windows machines to take advantage of 'Sites and Services' or any other service to keep the DNS responses regional and not all Domain Controllers?

    0 comments
  5. Carr, Darren 1 Reputation point
    2022-11-28T16:08:02.697+00:00

    Using your snip as a reference, currently the DNS response is responding with the output of _ldap._tcp.dc._msdcs.acme.com and not from within the site configuration

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.