How to configure SQL Server to authenticate users via a specific Domain Controller

  • We have some trusted domains under the same forest. One of the domains has 400 domain controllers; sometimes some of the DCs are down, and as a result users might not be able to be authenticated. Is it possible for SQL Server to authenticate against a specific domain through a specific domain controller?

    Thank you very much.

  • If it was authenticating against the domain that the server was a member of, then there is a preferred DC key that you can set in the registry, I believe. However, if you are authenticating against a trusted domain, I am not sure you will be able to do what you want to. If the trusted domains are all part of the same Active Directory forest, then you may be able to set up which DC it authenticates to by setting up IP ranges to sites, but I have never tried that, so I do not know how well it would work.

    Let us know what you find out though. I would be interested to find out if you are able to make it work.

    Joie Andrew
    "Since 1982"

  • Joie Andrew (2/24/2010)

    If it was authenticating against the domain that the server was a member of, then there is a preferred DC key that you can set in the registry, I believe. However, if you are authenticating against a trusted domain, I am not sure you will be able to do what you want to. If the trusted domains are all part of the same Active Directory forest, then you may be able to set up which DC it authenticates to by setting up IP ranges to sites, but I have never tried that, so I do not know how well it would work.

    Let us know what you find out though. I would be interested to find out if you are able to make it work.

    Thank you for your reply; here is a little more detail:

    My SQL Server is in Domain1, which has 4 DCs. Under the same forest there is a trusted Domain2 with 400 DCs. Occasionally Domain2's DCs will be down. I notice this because one account on Domain2 was created and searchable in Domain1, but sometimes "not found" on my SQL Server in Domain1 --- the AD manager (responsible for Domain1) told me it could be because one of the DCs in Domain2 is down.

    I just don't understand why that account info is not being propagated across domains or DCs; I thought it should work like DNS name resolution.

    Or is she not aware of how to make that info propagate? Or does the AD guy in Domain2 not know that?

    Anyway, what do you mean by "set up IP ranges"? And how do I set the preferred DC key for the local DC for local users?

    Thanks again for your time and idea

  • The best way to do it is to have your AD administrators create an AD site (if there is not one already) for the IP range your server is in. An AD site is a collection of subnets, and is designed to help replication and to set which DCs authenticate which clients. After the AD site is ready, there needs to be a DC assigned to the site. AD sites can cross AD domains, so there should be a DC for the domain your server is a member of and one from the other domain in there. As long as that happens, any authentication the SQL Server tries will be performed against that specific DC, unless it cannot be contacted. Your AD administrators should be able to do all of this.

    An alternative would be to set up an lmhosts file specifying the DCs for the domain you want. This is not as good a solution, however, because you are bypassing AD, so if things change, you may not know about it until things start breaking.

    How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

    Joie Andrew
    "Since 1982"
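The site-and-subnet approach described in the post above, as an added example that is not part of the original thread. It is PowerShell run on the SQL Server host by someone with rights in both domains; it assumes the ActiveDirectory module (RSAT) and nltest are installed, and all names are placeholders: domain1.example.com is the SQL Server's own domain, domain2.example.com the trusted domain with many DCs, SQL-Servers the site to create, 10.20.30.0/24 the subnet the SQL host sits in, and DC01 / D2-DC17 the DCs to pin to that site. The final lmhosts lines show the fallback the post warns against.

```powershell
# Added example, not from the thread. All domain, site, subnet and DC names
# below are assumed placeholders; replace them with your own.
Import-Module ActiveDirectory

$sqlSite    = 'SQL-Servers'            # assumed site name
$sqlSubnet  = '10.20.30.0/24'          # assumed subnet of the SQL host
$localDom   = 'domain1.example.com'    # assumed: SQL host's own domain
$trustedDom = 'domain2.example.com'    # assumed: trusted domain, 400 DCs

# 1. Baseline: which site does this host believe it is in, and which DC does
#    the DC locator hand back for each domain right now? /force skips the
#    cached answer so you see a fresh locator result.
nltest /dsgetsite
nltest /dsgetdc:$localDom   /force
nltest /dsgetdc:$trustedDom /force

# The same locator query from the AD module, with the site it resolved to.
Get-ADDomainController -Discover -DomainName $trustedDom -ForceDiscover |
    Select-Object HostName, Site, IPv4Address

# 2. Create the site if it is missing and map the host's subnet to it.
#    The locator maps client IP -> subnet -> site and prefers DCs whose
#    server objects sit in that site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$sqlSite'")) {
    New-ADReplicationSite -Name $sqlSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$sqlSubnet'")) {
    New-ADReplicationSubnet -Name $sqlSubnet -Site $sqlSite
}

# 3. Move one DC from each domain into the site. Site and server objects live
#    in the forest-wide Configuration partition, so a Domain2 DC can be placed
#    in a site defined for a Domain1 subnet; you need rights to write there.
Move-ADDirectoryServer -Identity 'DC01'    -Site $sqlSite   # assumed Domain1 DC
Move-ADDirectoryServer -Identity 'D2-DC17' -Site $sqlSite   # assumed Domain2 DC

# 4. Verify once the configuration change has replicated. The host's own
#    secure channel should point at DC01, and a fresh locator call for the
#    trusted domain should return D2-DC17.
nltest /sc_query:$localDom
nltest /dsgetdc:$trustedDom /force

# Name lookups for trusted-domain accounts (what SQL Server does when you add
# a Domain2 login) are chained through a DC of the host's own domain, so also
# check which Domain2 DC *that* DC locates:
nltest /server:DC01 /dsgetdc:$trustedDom /force

# --- Fallback the post advises against: a static lmhosts entry. ---
# NetBIOS-only, AD-unaware, and silently stale if D2-DC17 is rebuilt or moved.
# #PRE preloads the entry; #DOM tags it as a DC for the NetBIOS domain name.
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
Add-Content -Path $lmhosts -Value '10.40.50.17   D2-DC17   #PRE   #DOM:DOMAIN2'  # assumed IP/name
nbtstat -R   # purge and reload the NetBIOS name cache so the entry takes effect
```

Step 4 is the part worth keeping around as a recurring check: if `/dsgetdc` on either the host or DC01 stops returning the pinned DC, the site mapping has changed or the pinned DC is unreachable, which is exactly the "account not found" situation the thread describes.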
