KKVP (India) asked:
AD Sites & Services and Client Authentication for Login

Our AD setup is as follows (implemented by an outsourced vendor):

Single forest with one Root DC and 15+ Additional DCs (all servers running W2K3); all the servers are located in different sites geographically.

      ROOT DC with 15+ ADDITIONAL DCs (DNS-integrated AD)

Initially this setup was running smoothly, till one of our administrators disturbed the Default Domain Policy by enabling a Disk Quota setting. This resulted in slow login for clients (mostly XP); the system seems to hang at "APPLYING COMPUTER SETTINGS" during boot-up. If we unplug from the network, then CTRL+ALT+DEL flashes up in a second.

While troubleshooting this we found the command SET LOGONSERVER, and discovered that the clients are not authenticating with the local DC but instead authenticating over the WAN, and when running GPRESULT the Computer & User Configuration policies were fetched from DCs over the WAN. Drilling down further, we came to know that SITES & SERVICES was not configured. Immediately we configured S&S.

Still we have the clients authenticating over the WAN, but now the system boot time is improved. Now we have a lot of Error events related to DIRECTORY SERVICE & FILE REPLICATION SERVICE.

My queries are:

1. How do we make clients authenticate with the local DC instead of over the WAN?
2. We have configured Sites & Services, but still all the sites are in the Default Site Link; do site links need to be configured? (Presently there is no network restriction between these sites.)

KKVP (asker):

Considering the nature of this issue I am increasing the points.
jlprasadreddy:

Add a subnet to each site.

Here is a site which will help you configure sites:

http://www.activewin.com/win2000/step_by_step/active_directory/adsites.shtml

Let me know if you need further help.

JLP
DrDave242:

You should absolutely create site links to represent the physical links between your sites.  This way, if you've got links that are slower or have lower bandwidth than others, you can configure the site link costs accordingly (lower bandwidth = higher cost).  As has already been said, it's also vital to configure subnets for all of your sites.  AD uses those subnet objects to determine which client machines reside in each site.
mikeleebrla:

jlprasadreddy has you going in the right direction for sure.

Basically all you need to do is go into AD Sites and Services and create a subnet for each subnet that you have physically on your network. Since you already have the sites configured, just choose the site that matches the subnet from the list... now a "link" has been created between the site and subnet.

Go back into sites and you should see a DC under "Servers" in each site; drill down further and you can see the NTDS Settings... a "replication link" between that DC and another DC in another site should have been automatically created... create as many as you would like according to your needs.

Also, right-click on NTDS Settings and make sure you have at least one "Global Catalog" server in each site. Remember a GC server is required for AD authentication by default. If a site doesn't have a GC in it, that is PROBABLY why PCs aren't authenticating with their local DC but rather over the WAN.

Remember, wait for replication to take place after you make a change and test it; it just takes time.

Never use that vendor again for AD work, they have no clue what they are doing.
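The three checks the replies above ask for (a subnet object for every site, at least one Global Catalog per site, and every site on a site link) can be audited from any domain-joined Windows machine. The following PowerShell is an added example and not code from the thread or its participants; it uses only the System.DirectoryServices.ActiveDirectory classes, so it needs no RSAT module, and it assumes a domain user with ordinary read access to the Configuration partition. The function and property names it defines (Get-ClientLocatorState, Get-SiteTopologyReport, Problems) are this example's own.

```powershell
# Added example (not from the thread): audit AD site topology from a domain-joined
# Windows machine. Assumes Windows PowerShell 2.0 or later and read access to the
# Configuration partition; all function names below are this example's own.
Add-Type -AssemblyName System.DirectoryServices

function Get-ClientLocatorState {
    # Which site does this machine resolve to, and which DC did it log on to?
    # $env:LOGONSERVER is the value the thread reads with SET LOGONSERVER.
    try {
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
        $siteName = $site.Name
        $dcs = @($site.Servers | ForEach-Object { $_.Name }) -join ', '
    } catch {
        # Thrown when the client's IP is in no subnet object: it will then use ANY DC.
        $siteName = '<no site: client subnet is not mapped to a site>'
        $dcs = ''
    }
    New-Object PSObject -Property @{
        ComputerSite = $siteName
        LogonServer  = $env:LOGONSERVER
        DcsInMySite  = $dcs
    }
}

function Get-SiteTopologyReport {
    # One object per site; 'Problems' lists what would push clients to a remote DC.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $problems = @()
        $gcs = @($site.Servers | Where-Object { $_.IsGlobalCatalog() })
        if ($site.Subnets.Count -eq 0)   { $problems += 'no subnet: clients cannot be mapped to this site' }
        if ($site.Servers.Count -eq 0)   { $problems += 'no DC in site' }
        elseif ($gcs.Count -eq 0)        { $problems += 'no Global Catalog in site' }
        if ($site.SiteLinks.Count -eq 0) { $problems += 'site is not on any site link' }

        New-Object PSObject -Property @{
            Site      = $site.Name
            Subnets   = @($site.Subnets | ForEach-Object { $_.Name }) -join ', '
            DCs       = @($site.Servers | ForEach-Object {
                            if ($_.IsGlobalCatalog()) { "$($_.Name) [GC]" } else { $_.Name } }) -join ', '
            SiteLinks = @($site.SiteLinks | ForEach-Object { "$($_.Name) (cost $($_.Cost))" }) -join ', '
            Problems  = $problems -join '; '
        }
    }
}

# Usage: where this client lands, then the per-site picture for the whole forest.
Get-ClientLocatorState | Format-List
Get-SiteTopologyReport | Sort-Object Site |
    Format-Table Site, Subnets, DCs, SiteLinks, Problems -AutoSize -Wrap
```

Run it on one of the XP clients that shows a remote LOGONSERVER: if ComputerSite is the "no site" value, the fix is a subnet object; if the site exists but its row shows "no Global Catalog in site", that matches the GC explanation given above.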

KKVP (asker):

Hi jlprasadreddy, DrDave242, mikeleebrla,

             Many thanks for your patience in reading my question and answering it. As I have already said, SITES & SERVICES has been configured already. Currently the available site link is the Default Site Link, which contains all the sites.

             Should I create site links for all the 16+ sites? If yes, please guide me and let me know whether the Default Site Link needs to be removed.

             SET LOGONSERVER on the client shows it is authenticated over the WAN; can this be due to any misconfiguration in DNS, since all the reverse lookup zones contain Name Server records for all the available DCs?

             To summarize:
                 1. Should I create site links for the 16+ DCs, and should the Default Site Link be removed? If yes, please guide me.
                 2. Clients authenticating over the WAN: could this be due to DNS?

             If further information is required, please let me know.

             I would greatly appreciate it if there is any web portal (like ActiveWin) which provides information about the practical implementation of AD.
DrDave242:

I personally believe it is a good idea to create those site links to mirror the actual physical links between sites.  You don't need to delete the default site link, just use it like any of the new links you create and rename it to something more descriptive.

Clients authenticating over the WAN is almost always due to incorrect site configuration rather than a problem in DNS.  You did say that the sites are all configured, but have you confirmed that they're all associated with the correct subnets?
KKVP (asker):

Hi DrDave242,

         Thanks for the immediate reply. Yes, sites have been created and associated with the appropriate subnets.

          When I explored the DNS, I found SRV (_ldap, _kerberos, _gc) records for other DCs (located over the WAN) in the paths below:

          _kerberos & _ldap records:
Forward Lookup Zones --> _msdcs.domain.com --> dc --> _sites --> Site1 and Site2, going on till Site 16+.
And also in all the available zones in the DNS. Is this correct?
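The per-site folders the question above walks through are what the DC Locator reads: a client in a site queries _ldap._tcp.<site>._sites.dc._msdcs.<domain> for a DC and _gc._tcp.<site>._sites.<forest root> for a Global Catalog, so the hostnames registered under a site's folder decide whether a client there can stay local. The PowerShell below is an added example, not code from the thread or its participants; it compares those SRV targets with the DCs that are actually homed in the site (from the Configuration partition) and flags the two mismatches worth knowing about. It assumes a domain-joined Windows client and uses nslookup rather than Resolve-DnsName so it also works on the XP/2003-era tooling the thread describes; the function names (Get-SrvTargets, Test-SiteSrvRecords) and property names are this example's own.

```powershell
# Added example (not from the thread): compare site-specific SRV records with the DCs
# that really belong to the site. Assumes a domain-joined Windows client with
# Windows PowerShell 2.0 or later; function and property names are this example's own.
Add-Type -AssemblyName System.DirectoryServices

function Get-SrvTargets {
    param([string]$RecordName)
    # Parse the 'svr hostname = dc1.example.com' lines nslookup prints for each SRV answer.
    $lines = & nslookup -type=SRV $RecordName 2>&1 | ForEach-Object { "$_" }
    @($lines | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.').ToLower() }
    } | Sort-Object -Unique)
}

function Test-SiteSrvRecords {
    param([string]$SiteName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    # The two records the DC Locator uses for a site-local DC and a site-local GC.
    $ldapTargets = Get-SrvTargets "_ldap._tcp.$SiteName._sites.dc._msdcs.$($domain.Name)"
    $gcTargets   = Get-SrvTargets "_gc._tcp.$SiteName._sites.$($forest.Name)"

    # DCs whose own site (per the Configuration partition) is this site.
    $inSite = @($domain.DomainControllers |
                Where-Object { $_.SiteName -eq $SiteName } |
                ForEach-Object { $_.Name.ToLower() })

    New-Object PSObject -Property @{
        Site           = $SiteName
        DcsInSite      = $inSite -join ', '
        LdapSrvTargets = $ldapTargets -join ', '
        GcSrvTargets   = $gcTargets -join ', '
        # Registered under this site but homed elsewhere: either automatic site coverage
        # (the site has no DC of its own) or a stale record from a DC that was moved.
        RegisteredFromElsewhere = @($ldapTargets | Where-Object { $inSite -notcontains $_ }) -join ', '
        # Local DCs the site's clients cannot find: their DNS registration is broken.
        MissingLocalDcs = @($inSite | Where-Object { $ldapTargets -notcontains $_ }) -join ', '
        HasLocalGc      = [bool]($gcTargets | Where-Object { $inSite -contains $_ })
    }
}

# Usage: check the site this client resolves to, then let the locator pick a DC for it.
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Test-SiteSrvRecords $mySite | Format-List
# nltest ships with the Windows 2003 Support Tools and is built into later Windows.
& nltest "/dsgetdc:$env:USERDNSDOMAIN" /force
```

Seeing every DC's records under the domain-wide _tcp folder is normal; what matters for the question is the site-specific folder. If RegisteredFromElsewhere is non-empty for a site that does have its own DC, or HasLocalGc is False, the site's clients will keep crossing the WAN regardless of how the subnets are set.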
KKVP (asker):

"DrDave242: I personally believe it is a good idea to create those site links to mirror the actual physical
links between sites.  You don't need to delete the default site link,"

          What is the best practice for this?
jlprasadreddy:

Best practice is to create site links based on your physical sites. For example,
if you have physical sites where you have a domain controller in the following fashion:
3 - 4 offices in US
2 - 3 offices in Europe
5 - 6 in Asia
and so on,
then first create sites for each physical location.
I have attached an example linking.
 
SOLUTION by jlprasadreddy (United States)
KKVP (asker):

Hi jlprasadreddy,

         Thanks for your effort. A small (might be silly) doubt:

          We have the Root DC (Site A, holds the Schema & Domain Naming FSMO roles) and an ADC in my site (Site B, holds the other 3 FSMO roles). Both are in different geographical locations.

           And we have the remaining 15+ ADCs, each located in a different geographical location. Based on your input and our physical setup, I should create site links as follows:

          1. Site links from the ROOT DC (Site A) to all other ADCs.
          2. Site links from the ADC (PDC, IM, RID holder) to all other ADCs.
          3. Should I remove the Default Site Link (which holds all the sites)?
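The layout sketched in points 1 and 2 is a hub-and-spoke topology: the two hub sites (Site A and Site B) each get a link to every spoke site, plus a link between the hubs. Creating those links by hand in the Sites & Services console for 15+ sites is tedious, so the PowerShell below does it through the System.DirectoryServices.ActiveDirectory classes. It is an added example, not code from the thread or its participants; site names, cost and interval are placeholders, the function name New-HubSpokeSiteLinks is this example's own, and writing site links needs rights on the Configuration partition (Enterprise Admins by default). It does not touch the default site link, which the earlier reply recommends keeping and renaming rather than deleting.

```powershell
# Added example (not from the thread): create hub-and-spoke site links. Site names,
# cost and interval below are placeholders; run with -WhatIf first, and allow
# replication to settle before testing client logons.
Add-Type -AssemblyName System.DirectoryServices

function New-HubSpokeSiteLinks {
    param(
        [string[]]$Hubs,              # e.g. the asker's Site A and Site B
        [string[]]$Spokes,            # every other site that holds a DC
        [int]$Cost = 100,             # lower = preferred path; raise it for slow WAN links
        [int]$IntervalMinutes = 15,   # replication interval; AD requires a multiple of 15
        [switch]$WhatIf
    )
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest')
    $AdSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]

    # One link per hub/spoke pair, plus one link joining the first two hubs.
    $pairs = @()
    foreach ($hub in $Hubs) {
        foreach ($spoke in $Spokes) { $pairs += ,@($hub, $spoke) }
    }
    if ($Hubs.Count -ge 2) { $pairs += ,@($Hubs[0], $Hubs[1]) }

    foreach ($pair in $pairs) {
        $name = "$($pair[0])-$($pair[1])"
        if ($WhatIf) {
            "WhatIf: would create site link $name (cost $Cost, every $IntervalMinutes min)"
            continue
        }
        # Both sites must already exist; FindByName throws if a name is misspelled.
        $a = $AdSite::FindByName($ctx, $pair[0])
        $b = $AdSite::FindByName($ctx, $pair[1])

        $link = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink($ctx, $name)
        $link.Cost = $Cost
        $link.ReplicationInterval = New-TimeSpan -Minutes $IntervalMinutes
        $link.Sites.Add($a)
        $link.Sites.Add($b)
        $link.Save()   # writes the siteLink object under the IP inter-site transport
        "Created site link $name"
    }
}

# Usage with placeholder site names: dry run first, then the real run.
New-HubSpokeSiteLinks -Hubs 'SiteA','SiteB' -Spokes 'Site01','Site02','Site03' -Cost 100 -WhatIf
# New-HubSpokeSiteLinks -Hubs 'SiteA','SiteB' -Spokes 'Site01','Site02','Site03' -Cost 100
```

Give slower WAN links a higher cost so the KCC prefers the faster path when it builds the inter-site connection objects, and re-run the topology audit after replication has converged to confirm every spoke site now appears on its new link.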

         
KKVP (asker):

Well, there is no further guidance for me on this.

Meanwhile my management has escalated this to the Problem Management team and they are looking into it; give me some time and I will update the status.

DrDave242:

Sorry for disappearing over the weekend; I had other things I had to work on.  Please give us a status update when you get the chance.
KKVP (asker):

Hi DrDave242,

            Thanks for the reply. Just give me one or two days and I will post the improvement.
ASKER CERTIFIED SOLUTION
jlprasadreddy:

I am glad you were able to resolve the problem,
and sorry for disappearing, got stuck with projects.

JLP
KKVP (asker):

This case can be closed.