Can I deploy a read-only DC that is dedicated only to handling authentication requests for a ProxySG?



Article ID: 165440

Products

Asset Management Solution ProxySG Software - SGOS

Issue/Introduction

You want to deploy a read-only Domain Controller (RODC) that is dedicated only to handling authentication requests from an SG, instead of using a regular, writable DC for that purpose.

Resolution

In SGOS 6.5.2.1 and above, the ProxySG administrator can specify a preferred Schannel DC and an alternate Schannel DC for each domain. If the preferred Schannel DC is available, the SG always connects to it, even if it sees another DC that appears to be faster. This lets you dedicate a read-only DC as the preferred DC (or as the alternate DC).

  1. From the ProxySG Management Console, select Configuration > Authentication > Windows Domain > Windows Domain.
  2. Select a domain in the Domains list and click Edit.
    Note: Domain controller options apply to NTLM authentication only.
  3. Enter the preferred controller in the Preferred domain controller text box.
  4. (Optional) Enter an alternate domain controller in the Alternate domain controller text box.
    The alternate domain controller is used only if the preferred domain controller is not available.

    The preferred and alternate domain controllers can be read-only. However, if you use a read-only domain controller, you must replicate (cache) the passwords of the users who authenticate through the SG to that domain controller. If the RODC does not hold a copy of a user's password, it has to forward the request to a writable domain controller that does, which reduces performance and makes the RODC dependent on the writable DC being reachable. Consult the Microsoft documentation on RODC password replication for how to configure this in your environment:

    http://technet.microsoft.com/en-us/library/cc732801%28v=ws.10%29.aspx
     
  5. Enter the maximum number of concurrent Schannel connections you want in the Maximum number of concurrent Schannel connections text box. The valid range is 2-150.

    Note: For the maximum number of concurrent connections to take effect, you must enter the same number in the registry on the Domain Controller(s). The registry value on the Domain Controller is MaxConcurrentAPI. After changing MaxConcurrentAPI, you must restart the NetLogon service on the Domain Controller or reboot the Domain Controller; the new value is not read until then.
     
  6. Click OK.
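The two domain-side prerequisites above (caching the SG users' passwords on the RODC, and matching MaxConcurrentAPI to the SG setting) can be applied and verified from PowerShell. This is an added example, not from the article or from Broadcom; it assumes the RSAT ActiveDirectory module, a domain admin session, and that the RODC name, group name and connection count below are replaced with your own values (all three are placeholders).

```powershell
# Added example (not part of the article): prepare a dedicated RODC for ProxySG
# NTLM pass-through authentication. All names/values are placeholders.
Import-Module ActiveDirectory

$Rodc          = 'RODC01'               # RODC named as "Preferred domain controller" on the SG
$ProxyUsers    = 'ProxySG-Auth-Users'   # group holding the accounts that authenticate via the SG
$SgMaxSchannel = 20                     # must equal the SG "Maximum number of concurrent Schannel connections" (2-150)

# 1. Allow the RODC to cache password secrets for the proxy users. Without this,
#    every NTLM request is forwarded to a writable DC and the RODC only adds latency.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $ProxyUsers

# 2. Verify the Password Replication Policy and list the accounts whose secrets
#    are already cached on the RODC (accounts are cached on first successful logon).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, DistinguishedName
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
"Accounts with secrets cached on ${Rodc}: $($cached.Count)"

# 3. Align Netlogon's MaxConcurrentAPI with the SG setting and restart Netlogon so the
#    new value is read. Run this part locally on each domain controller the SG uses.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current = (Get-ItemProperty -Path $NetlogonKey -Name MaxConcurrentAPI -ErrorAction SilentlyContinue).MaxConcurrentAPI
if ($current -ne $SgMaxSchannel) {
    Set-ItemProperty -Path $NetlogonKey -Name MaxConcurrentAPI -Value $SgMaxSchannel -Type DWord
    Restart-Service -Name Netlogon -Force
}
$now = (Get-ItemProperty -Path $NetlogonKey -Name MaxConcurrentAPI).MaxConcurrentAPI
"MaxConcurrentAPI on $env:COMPUTERNAME is $now (SG setting: $SgMaxSchannel)"
```

Step 3 restarts Netlogon, which briefly interrupts authentication on that DC, so run it in a maintenance window or on the alternate DC first.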