Bridgehead AD generating out/inbound traffic


Br4tt3


So I've got a question... 3 sites with 1 main site. 1 domain structure.

Site 1 DC = Infrastructure / Schema / Domain naming / Bridgehead

DC = PDC emulator / RID /

DC

DC

Site 2 DC = Bridgehead /

DC

Site 3 DC = Bridgehead /

DC

*********************************************

Question: when I run statistics on the DCs, the only machines that generate outbound/inbound replication traffic are my bridgehead servers, except my PDC emulator, which generates outbound traffic as well. In which circumstances can they do this???

Also, all Kerberos traffic seems to spread evenly across the DCs, but I would assume that the PDC emulator would serve most NTLM auth. In my case the PDC almost doesn't serve any NTLM auth. Why? Anyone got a hint on this?

Oh... and I use Win2003 on all the DCs, XP and some Win98 on the clients.

Regards


When having a multiple-site infrastructure, AD designates a bridgehead per site. This setting is automatic by default; although you can set it manually, it is not recommended. This is because each bridgehead communicates with the bridgeheads of the other sites in order to use the network bandwidth efficiently; when each bridgehead receives the replication data, it propagates it to the servers that are in the same site.

Your PDC emu may generate outbound traffic because it also has the RID master role. There are various reasons going through my head:

1. The PDC emu holds the GPOs, which are replicated through FRS. Remember that when a PC boots or a user logs on, they poll a DC to check for the GPs, and each DC must check the GPOs with the PDC (which holds the templates in the SYSVOL folder, and that's what FRS replicates to the other DCs).

2. The RID master designates blocks of RID numbers to all servers in the domain; these numbers allow the creation of the objects of the AD. RID numbers are unique and are a vital part of the SID that is generated when creating an object.

3. The PDC holds "the last word" when authenticating a system on another DC fails.

4. It has the HOUR of the domain.

Kerberos is the authentication protocol in AD, so it is spread across all DCs 'cause they all can authenticate users and generate Ticket Granting Tickets to access resources on a domain. NTLM auth is not supported by Win98, only LM; Win2k and after use Kerberos. AD supports LM, NTLM, NTLMv2 and Kerberos.

Mario.

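A way to check the observation from the first post on a live domain, as an added example that is not from either post: it lists the FSMO role holders and then every intersite connection object, whose endpoints are the bridgeheads that carry the in/outbound replication traffic. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later RSAT), which the Windows 2003 DCs in the thread would not have; `repadmin /bridgeheads` is the equivalent check there.

```powershell
Import-Module ActiveDirectory

# FSMO role holders, the roles the first post lists per site
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Connection objects point at NTDS Settings DNs of the form
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# These two helpers (added here, not part of the module) pull the site and server out.
function Get-SiteFromNtdsDn([string]$dn) {
    if ($dn -match 'CN=Servers,CN=([^,]+),CN=Sites') { return $Matches[1] }
    return $null
}
function Get-ServerFromNtdsDn([string]$dn) {
    if ($dn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers') { return $Matches[1] }
    return $null
}

# A connection whose two endpoints sit in different sites is an intersite link;
# its endpoints are the bridgeheads. AutoGenerated = $false flags a connection
# someone created by hand instead of leaving it to the KCC/ISTG.
$intersite = Get-ADReplicationConnection -Filter * | ForEach-Object {
    $fromSite = Get-SiteFromNtdsDn $_.ReplicateFromDirectoryServer
    $toSite   = Get-SiteFromNtdsDn $_.ReplicateToDirectoryServer
    if ($fromSite -ne $toSite) {
        [pscustomobject]@{
            FromServer    = Get-ServerFromNtdsDn $_.ReplicateFromDirectoryServer
            FromSite      = $fromSite
            ToServer      = Get-ServerFromNtdsDn $_.ReplicateToDirectoryServer
            ToSite        = $toSite
            AutoGenerated = $_.AutoGenerated
        }
    }
}
$intersite | Sort-Object ToSite, FromSite | Format-Table -AutoSize

# Cross-check against the built-in tool, which also runs on older DCs
repadmin /bridgeheads
```

A DC that appears in the intersite table is expected to show replication traffic in the statistics; a DC that does not appear but still generates outbound traffic is worth examining for the FRS/SYSVOL and RID traffic the reply describes.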
