When a domain has multiple domain controllers and Active Directory Sites and Services is not configured for a given site, any Windows workstation creates a secure channel with a random domain controller in the domain.
This may introduce latency if the domain controller is across the WAN.
To minimize the impact on logons, establish BCAAA secure channels to specific domain controllers.
To establish a secure connection from BCAAA to a specific domain controller, you must use the nltest.exe utility.
The nltest.exe utility from Microsoft is part of the Windows Remote Server Administration Tools. To install the Remote Server Administration Tools, follow the instructions here:
For a list of all the available command-line parameters, run nltest /? from the command line. For more information, see: NLTEST
The nltest.exe utility must be installed on the Windows workstation or server hosting the BCAAA agent.
Use nltest to display which domain controller the BCAAA secure channel is currently connected to:
nltest /sc_query:<domain name>
To list the domain controllers in the domain:
nltest /dclist:<domain name>
To reset the secure channel to a specific domain controller:
nltest /sc_reset:<domain name>\dcname
The secure channel selection is not persistent across reboots. The secure channel will reset when the Windows server is rebooted. If you want to force the BCAAA server to bind to a particular server after a reboot, create a Windows startup script that includes the "nltest /sc_reset:<domain name>\dcname" command to bind to a specific DC.
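One way to write such a startup script, as an added example that is not vendor-supplied code: it checks that the requested DC appears in the /dclist output, resets the secure channel only when it is not already on that DC, and then re-queries to confirm the result. The parameter names and the helper functions Invoke-Nltest and Get-SecureChannelDc are hypothetical, and the domain and DC names are placeholders you supply.

```powershell
# Added example (not vendor code). Run elevated on the host running the BCAAA agent.
param(
    [Parameter(Mandatory)] [string] $Domain,       # placeholder, e.g. corp.example
    [Parameter(Mandatory)] [string] $PreferredDc   # placeholder, e.g. dc01.corp.example
)
$short = $PreferredDc.Split('.')[0]   # compare on host name; nltest may print FQDNs

function Invoke-Nltest {
    param([string] $Argument)
    # Run nltest with one argument and fail loudly on a non-zero exit code.
    $out = & nltest.exe $Argument | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "nltest $Argument failed: $($out -join ' ')" }
    return $out
}

function Get-SecureChannelDc {
    # /sc_query prints a line of the form: Trusted DC Name \\<dc>
    foreach ($line in (Invoke-Nltest "/sc_query:$Domain")) {
        if ($line -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    throw 'No "Trusted DC Name" line in nltest /sc_query output'
}

# Refuse to bind to a name that /dclist does not report for this domain.
$pattern = '^\s*\\*' + [regex]::Escape($short) + '(\.|\s|$)'
if (-not ((Invoke-Nltest "/dclist:$Domain") -match $pattern)) {
    throw "$PreferredDc is not listed by nltest /dclist:$Domain"
}

$current = Get-SecureChannelDc
if ($current.Split('.')[0] -ieq $short) {
    Write-Output "Secure channel already on $current"
    exit 0
}

# Rebind, then confirm the channel actually landed on the requested DC.
Invoke-Nltest "/sc_reset:${Domain}\${PreferredDc}" | Out-Null
$after = Get-SecureChannelDc
if ($after.Split('.')[0] -ine $short) {
    throw "Reset requested $PreferredDc but secure channel is on $after"
}
Write-Output "Secure channel moved from $current to $after"
```

Registered in Task Scheduler with an "At startup" trigger under an account with local administrator rights, the script reapplies the binding after each reboot. An error from the script means the secure channel is not on the requested DC and should be investigated before relying on BCAAA authentication latency.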