ACS 5.2 deployment issue with multiple locations and ADs

Hi all,

I was wondering on one thing regarding ACS deployment with multiple instances.

To simplify this let us consider that

- there are only 2 locations (HQ and Remote, each with its own ACS, AD controller, DNS service)

- ACS are in HA (HQ is primary, Remote is secondary)

- there is one domain (one forest) - companydomain.local

- ACS is integrated with AD and utilizes group membership in rule definition

- Each Windows Server is running DNS service as well

If I want to split AAA traffic among these 2 ACS according to location, and if I want ACS to look up only the local AD controller, how is this organized?

Configuration of AD integration is done on Primary instance and it is synchronized with secondary ACS. On the primary ACS I can only put the name of the domain which is for example companydomain.local.

Ok, ACS2 (in the Remote location) can have its own DNS configuration and ask its controller for companydomain.local, but as far as I know in such a scenario both controllers will answer with the same structure of DNS records (first the main controller and the others subsequently).

Windows has the ability to distinguish local controllers from remote ones by using SRV records and a registry key which is responsible for geolocation. According to this, the main controller should know that the user moved to a different location and direct it to ask the remote controller.

ACS does not use registry keys, so there is no way it can use this mechanism.

So that's why I'm asking for help and an explanation of how to make ACS2 (on the remote site) look up only its own controller over LDAP.

regards

Przemek
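The site-aware domain controller lookup the post refers to can be shown concretely. The following is an added example, not code from the original thread, from Cisco ACS, or from Windows: it emulates the DC locator's query order (site-specific `_ldap._tcp.<Site>._sites.dc._msdcs.<domain>` first, then the domain-wide `_ldap._tcp.dc._msdcs.<domain>` record) and RFC 2782 priority/weight ordering over a constructed DNS zone. The site name "Remote", the host names `hq-dc`, `remote-dc` and `backup-dc`, and the record weights are assumptions made up for the illustration.

```python
"""Emulate the Windows DC locator's DNS lookup order over a constructed zone.

Windows finds a domain controller by querying SRV records. A site-aware
client first asks for the site-specific name and only falls back to the
domain-wide name if the site-specific one has no records. Candidates are
then ordered per RFC 2782: lowest priority first, weighted random within
a priority. A client that has no site concept (as the post says of ACS)
only ever sees the domain-wide list.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_query_names(domain, site=None, service="ldap"):
    """Query names in the order a site-aware client tries them."""
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_{service}._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted random inside a priority."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]
            else:
                n = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if acc > n:
                        pick = r
                        break
            pool.remove(pick)
            ordered.append(pick)
    return ordered


def locate_dcs(zone, domain, site=None, rng=None):
    """Return (query name that answered, ordered DCs); first name with records wins."""
    for name in dc_locator_query_names(domain, site):
        if zone.get(name):
            return name, order_srv(zone[name], rng)
    return None, []


# Constructed zone (assumption): one domain-wide record set listing every DC,
# plus a site-specific set for the site named "Remote" that lists only the
# DC physically located there. backup-dc has a higher priority value, so it
# is used only when the priority-0 DCs are exhausted.
DOMAIN = "companydomain.local"
ZONE = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"hq-dc.{DOMAIN}."),
        SrvRecord(0, 100, 389, f"remote-dc.{DOMAIN}."),
        SrvRecord(10, 100, 389, f"backup-dc.{DOMAIN}."),
    ],
    f"_ldap._tcp.Remote._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"remote-dc.{DOMAIN}."),
    ],
}


if __name__ == "__main__":
    for site in ("Remote", None):
        name, dcs = locate_dcs(ZONE, DOMAIN, site=site)
        print(f"site={site!r} answered by {name}")
        for dc in dcs:
            print(f"  prio={dc.priority} weight={dc.weight} {dc.target}:{dc.port}")
```

Running it shows the difference the post is asking about: a client that knows it is in the Remote site gets only `remote-dc`, while a client with no site information gets the domain-wide list with `hq-dc` and `remote-dc` interchangeable at priority 0 and `backup-dc` last. A real Windows client additionally caches the site name it learned in the `DynamicSiteName` value under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`; nothing in this emulation models that cache.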

1 Reply

Ok,

I didn't find this previous thread about my issue (sorry for that)

https://supportforums.cisco.com/thread/2078947?decorator=print&displayFullThread=true

so my question is answered and points for help go up there.

regards

Przemek