AD sites and services query

Carr, Darren 1 Reputation point
2022-11-09T16:25:23.313+00:00

Hi,

I have a scenario in which I am using a 3P RADIUS server to authenticate clients using LDAP/LDAPS.

The 3P RADIUS server is joined to the domain but is not a Microsoft Server.

The domain is distributed across three global regions and in each region there is at least one domain controller. Alongside the domain controller is a 3P RADIUS server. These servers are clustered together across the three regions.

We have configured AD Sites and Services with three regions representing the above.

For the authentication request we are targeting the domain name e.g. example.com and not the actual domain controllers. We were hoping that Sites and Services would ensure that if a DNS request for site1 came in from the 3P RADIUS server in site1 that DNS would respond with the local domain controller in site1. In DNS we have configured the SRV record such that the local domain controller in site one is preferred over others. However it does not appear to be working as we see requests being serviced from domain controllers outside of the site.

I'd like to understand if Sites and Services works for computers that are not Microsoft domain joined workstations and servers and what else I should configure to keep the authentication requests local to the site. We have ensured that the subnets have been added correctly for the site.

Thanks

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,765 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,044 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Matt Judson 0 Reputation points
    2024-10-23T18:17:04.2+00:00

    I also Would like more info on this as well....

    I am seeing that LDAP /LDAPS configured integrations to Active Directory Domains do NOT obey the preferred domain controllers that are specified in AD Sites and servers for the particular source IP address that made the Authentication request.

    In my example we have 25 domain controllers in different locations. All the Windows devices using Integrated Windows Authentication will choose a domain controller based on the preferred configuration for the IP of the device as specified in sites and services.

    Any LDAP /LDAPS configured applicaiton with do authentication to any of the 25 random domain controllers basically by looking up the domain name. Since we have Domain Controllers in AWS and Azure and 3 different data Centers this sometimes makes for a slower login/authentication time depending on what DC is used.

    I realize we could specifically specify a specific domain controller but that eliminates and redundancy of using other DC's and makes migration of DC's very complicated.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.