?
Solved

My users are logged in by a DC/GC accross the WAN when a local one is available

Posted on 2003-10-27
9
Medium Priority
?
279 Views
Last Modified: 2010-04-14
Environment -- Windows 2000 Server SP4 (Native)

When some of my corporate office users login they are logged in by a DC/GC that is located in another office accross the WAN...

Why does this occur when we have a local DC/GC at the corporate office???

I think this is somehow related -- Sometimes when Outlook requests data from the exchange server... it requests data from a GC accross the WAN that isn't even an Exchange server!?!?

Can anyone assist with this?

Thanks in advance for your assistance,

Joe
0
Comment
Question by:Joe_C
  • 5
  • 4
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9629883
Check to make sure your subnets are setup correctly in AD Sites and Services.
0
 

Author Comment

by:Joe_C
ID: 9629971
Thanks for your suggesstion...

My environment has one site (corporate-site) with three subnets...

Example of one of my subnets:

192.168.110.0/24 (linked to the corporate site)

I believe I have them setup correctly...

But... you have just made me notice something new!!

When I click on "Corporate-Site" I see the following on the right hand side of the screen...

Servers Folder
Licensing Site Settings
NTDS Site Settings
TS-Enterprise-License-Server

Under the "NTDS Site Settings" properties, I see that one of my branch office servers is the server responsible for the Corporate-Site Inter-Site Topology Generator.

My feeling is that there is something wrong with that... what do you think???

Thanks again,

Joe
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9633275
Yes, the Inter-Site Topology Generator should be a Domain Controller that resides in the local site.

In other words, a Domain Controller in the "Corporate-Site" should be the Inter-Site Topology Generator for the "Corporate-Site".

Do you have your locations setup as individual sites in AD Sites and Services with their proper subnets setup for each site?  AD Sites and Services will use the subnet information to determine the location of the Domain Controllers based on their IP configuration.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:Joe_C
ID: 9633627
OK, but it will not let me change it... I would have to delete the "NTDS Site Settings" object and then recreate it.  I always get a little uneasy with things like this... Is it reversable?

Would a remote ISTG cause this, or, is it more involved?

I did place a call with Microsoft a while ago and they indicated that I only needed one domain with one site, so I configured my environment as follows (per their recomendation):

I have one site - "Corporate-Site" which consists of the corporate office and two branch offices connected via site to site VPN's.  All FSMO roles are held at the corporate office.  Each branch office has a DC/GC Server running AD Integrated DNS, WINS & DHCP.  Branch office servers have WINS configured to push/pull with a server at the corporate office.  All client computers obtain TCP/IP settings via the local DHCP Server.  All client computers point to a local DNS server as their primary and a corporate DNS server as their secondary.  All DNS servers themselves are configured with a minimum of two forwarders.

Of course, Microsoft could be wrong...

Do you, or, anyone else out there suggest that I break my organization up into multiple sites so that I can set the cost based on subnet? or, (as per Microsoft) should it be ok that I have one site with multiple subnets listed?

Thanks again...
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 9633776
Well that is exactly why some users are being authenticated by DC's in your branch offices.  As far as AD is concerned, all the DC's are in the same local physical site.  If you were to have a site for the corporate office and a site for each branch office with their own local subnet and DC, authentication would then take place at each local physical site.

Not sure though how difficult or what is involved in changing around the site configuration and how it will impact your AD structure.  I would consult Microsoft or someone with more knowledge than myself on how to proceed.

I would setup a site for each physical location. Seems like a better solution than having all in one site...IMHO.

0
 

Author Comment

by:Joe_C
ID: 9636842
Well... I just went ahead and created two more sites and moved the DC's with associated subnets into those sites.  I probably should have consulted someone, but... oh well.

Now I'm just waiting for the KCC to run again so that I can see what it creates... do you know of a way to force the KCC to run?

I'll know tomorrow...

Thanks again!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9636883
You can try the below command or just wait for it to take place on its own...

The link is the full article on the repadmin command.

repadmin /kcc <DCname>

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/ForcingADReplication.asp
0
 

Author Comment

by:Joe_C
ID: 9650214
I think I'm good...

Final Resolution:

Corporate-Site = A
Branch-Site1 = B
Branch-Site2 = C

NOTE: This is not a fully routable WAN - There is a VPN between the Corporate Site and each branch, but, not branch to branch (B to C).

So, deleted the DefaultIPSiteLink and created the following Site Links:

A to B Site Link
A to C Site Link

AB to AC Site Link Bridge

And I disabled "Bridge all Site Links" checkbox.

Looks like it's working...

Thanks for all you're help!

Joe
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9650238
You're welcome, glad to hear its working!

Sounds like you set it up nicely!
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Tech giants such as Amazon and Google have sold Alexa and Echo to such an extent that they have become household names. And soon they are expected to be used by commoners in their homes, ordering takeout, picking out a song, answering trivia questio…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Suggested Courses
Course of the Month14 days, 11 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question