My users are logged in by a DC/GC accross the WAN when a local one is available

Environment -- Windows 2000 Server SP4 (Native)

When some of my corporate office users login they are logged in by a DC/GC that is located in another office accross the WAN...

Why does this occur when we have a local DC/GC at the corporate office???

I think this is somehow related -- Sometimes when Outlook requests data from the exchange server... it requests data from a GC accross the WAN that isn't even an Exchange server!?!?

Can anyone assist with this?

Thanks in advance for your assistance,

Who is Participating?
JFrederick29Connect With a Mentor Commented:
Well that is exactly why some users are being authenticated by DC's in your branch offices.  As far as AD is concerned, all the DC's are in the same local physical site.  If you were to have a site for the corporate office and a site for each branch office with their own local subnet and DC, authentication would then take place at each local physical site.

Not sure though how difficult or what is involved in changing around the site configuration and how it will impact your AD structure.  I would consult Microsoft or someone with more knowledge than myself on how to proceed.

I would setup a site for each physical location. Seems like a better solution than having all in one site...IMHO.

Check to make sure your subnets are setup correctly in AD Sites and Services.
Joe_CAuthor Commented:
Thanks for your suggesstion...

My environment has one site (corporate-site) with three subnets...

Example of one of my subnets: (linked to the corporate site)

I believe I have them setup correctly...

But... you have just made me notice something new!!

When I click on "Corporate-Site" I see the following on the right hand side of the screen...

Servers Folder
Licensing Site Settings
NTDS Site Settings

Under the "NTDS Site Settings" properties, I see that one of my branch office servers is the server responsible for the Corporate-Site Inter-Site Topology Generator.

My feeling is that there is something wrong with that... what do you think???

Thanks again,

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Yes, the Inter-Site Topology Generator should be a Domain Controller that resides in the local site.

In other words, a Domain Controller in the "Corporate-Site" should be the Inter-Site Topology Generator for the "Corporate-Site".

Do you have your locations setup as individual sites in AD Sites and Services with their proper subnets setup for each site?  AD Sites and Services will use the subnet information to determine the location of the Domain Controllers based on their IP configuration.
Joe_CAuthor Commented:
OK, but it will not let me change it... I would have to delete the "NTDS Site Settings" object and then recreate it.  I always get a little uneasy with things like this... Is it reversable?

Would a remote ISTG cause this, or, is it more involved?

I did place a call with Microsoft a while ago and they indicated that I only needed one domain with one site, so I configured my environment as follows (per their recomendation):

I have one site - "Corporate-Site" which consists of the corporate office and two branch offices connected via site to site VPN's.  All FSMO roles are held at the corporate office.  Each branch office has a DC/GC Server running AD Integrated DNS, WINS & DHCP.  Branch office servers have WINS configured to push/pull with a server at the corporate office.  All client computers obtain TCP/IP settings via the local DHCP Server.  All client computers point to a local DNS server as their primary and a corporate DNS server as their secondary.  All DNS servers themselves are configured with a minimum of two forwarders.

Of course, Microsoft could be wrong...

Do you, or, anyone else out there suggest that I break my organization up into multiple sites so that I can set the cost based on subnet? or, (as per Microsoft) should it be ok that I have one site with multiple subnets listed?

Thanks again...
Joe_CAuthor Commented:
Well... I just went ahead and created two more sites and moved the DC's with associated subnets into those sites.  I probably should have consulted someone, but... oh well.

Now I'm just waiting for the KCC to run again so that I can see what it creates... do you know of a way to force the KCC to run?

I'll know tomorrow...

Thanks again!
You can try the below command or just wait for it to take place on its own...

The link is the full article on the repadmin command.

repadmin /kcc <DCname>
Joe_CAuthor Commented:
I think I'm good...

Final Resolution:

Corporate-Site = A
Branch-Site1 = B
Branch-Site2 = C

NOTE: This is not a fully routable WAN - There is a VPN between the Corporate Site and each branch, but, not branch to branch (B to C).

So, deleted the DefaultIPSiteLink and created the following Site Links:

A to B Site Link
A to C Site Link

AB to AC Site Link Bridge

And I disabled "Bridge all Site Links" checkbox.

Looks like it's working...

Thanks for all you're help!

You're welcome, glad to hear its working!

Sounds like you set it up nicely!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.