My users are logged in by a DC/GC accross the WAN when a local one is available

Environment -- Windows 2000 Server SP4 (Native)

When some of my corporate office users login they are logged in by a DC/GC that is located in another office accross the WAN...

Why does this occur when we have a local DC/GC at the corporate office???

I think this is somehow related -- Sometimes when Outlook requests data from the exchange server... it requests data from a GC accross the WAN that isn't even an Exchange server!?!?

Can anyone assist with this?

Thanks in advance for your assistance,

Joe
Joe_CAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JFrederick29Commented:
Check to make sure your subnets are setup correctly in AD Sites and Services.
0
Joe_CAuthor Commented:
Thanks for your suggesstion...

My environment has one site (corporate-site) with three subnets...

Example of one of my subnets:

192.168.110.0/24 (linked to the corporate site)

I believe I have them setup correctly...

But... you have just made me notice something new!!

When I click on "Corporate-Site" I see the following on the right hand side of the screen...

Servers Folder
Licensing Site Settings
NTDS Site Settings
TS-Enterprise-License-Server

Under the "NTDS Site Settings" properties, I see that one of my branch office servers is the server responsible for the Corporate-Site Inter-Site Topology Generator.

My feeling is that there is something wrong with that... what do you think???

Thanks again,

Joe
0
JFrederick29Commented:
Yes, the Inter-Site Topology Generator should be a Domain Controller that resides in the local site.

In other words, a Domain Controller in the "Corporate-Site" should be the Inter-Site Topology Generator for the "Corporate-Site".

Do you have your locations setup as individual sites in AD Sites and Services with their proper subnets setup for each site?  AD Sites and Services will use the subnet information to determine the location of the Domain Controllers based on their IP configuration.
0
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

Joe_CAuthor Commented:
OK, but it will not let me change it... I would have to delete the "NTDS Site Settings" object and then recreate it.  I always get a little uneasy with things like this... Is it reversable?

Would a remote ISTG cause this, or, is it more involved?

I did place a call with Microsoft a while ago and they indicated that I only needed one domain with one site, so I configured my environment as follows (per their recomendation):

I have one site - "Corporate-Site" which consists of the corporate office and two branch offices connected via site to site VPN's.  All FSMO roles are held at the corporate office.  Each branch office has a DC/GC Server running AD Integrated DNS, WINS & DHCP.  Branch office servers have WINS configured to push/pull with a server at the corporate office.  All client computers obtain TCP/IP settings via the local DHCP Server.  All client computers point to a local DNS server as their primary and a corporate DNS server as their secondary.  All DNS servers themselves are configured with a minimum of two forwarders.

Of course, Microsoft could be wrong...

Do you, or, anyone else out there suggest that I break my organization up into multiple sites so that I can set the cost based on subnet? or, (as per Microsoft) should it be ok that I have one site with multiple subnets listed?

Thanks again...
0
JFrederick29Commented:
Well that is exactly why some users are being authenticated by DC's in your branch offices.  As far as AD is concerned, all the DC's are in the same local physical site.  If you were to have a site for the corporate office and a site for each branch office with their own local subnet and DC, authentication would then take place at each local physical site.

Not sure though how difficult or what is involved in changing around the site configuration and how it will impact your AD structure.  I would consult Microsoft or someone with more knowledge than myself on how to proceed.

I would setup a site for each physical location. Seems like a better solution than having all in one site...IMHO.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joe_CAuthor Commented:
Well... I just went ahead and created two more sites and moved the DC's with associated subnets into those sites.  I probably should have consulted someone, but... oh well.

Now I'm just waiting for the KCC to run again so that I can see what it creates... do you know of a way to force the KCC to run?

I'll know tomorrow...

Thanks again!
0
JFrederick29Commented:
You can try the below command or just wait for it to take place on its own...

The link is the full article on the repadmin command.

repadmin /kcc <DCname>

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/ForcingADReplication.asp
0
Joe_CAuthor Commented:
I think I'm good...

Final Resolution:

Corporate-Site = A
Branch-Site1 = B
Branch-Site2 = C

NOTE: This is not a fully routable WAN - There is a VPN between the Corporate Site and each branch, but, not branch to branch (B to C).

So, deleted the DefaultIPSiteLink and created the following Site Links:

A to B Site Link
A to C Site Link

AB to AC Site Link Bridge

And I disabled "Bridge all Site Links" checkbox.

Looks like it's working...

Thanks for all you're help!

Joe
0
JFrederick29Commented:
You're welcome, glad to hear its working!

Sounds like you set it up nicely!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.