Solved

My users are logged in by a DC/GC accross the WAN when a local one is available

Posted on 2003-10-27
9
258 Views
Last Modified: 2010-04-14
Environment -- Windows 2000 Server SP4 (Native)

When some of my corporate office users login they are logged in by a DC/GC that is located in another office accross the WAN...

Why does this occur when we have a local DC/GC at the corporate office???

I think this is somehow related -- Sometimes when Outlook requests data from the exchange server... it requests data from a GC accross the WAN that isn't even an Exchange server!?!?

Can anyone assist with this?

Thanks in advance for your assistance,

Joe
0
Comment
Question by:Joe_C
  • 5
  • 4
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9629883
Check to make sure your subnets are setup correctly in AD Sites and Services.
0
 

Author Comment

by:Joe_C
ID: 9629971
Thanks for your suggesstion...

My environment has one site (corporate-site) with three subnets...

Example of one of my subnets:

192.168.110.0/24 (linked to the corporate site)

I believe I have them setup correctly...

But... you have just made me notice something new!!

When I click on "Corporate-Site" I see the following on the right hand side of the screen...

Servers Folder
Licensing Site Settings
NTDS Site Settings
TS-Enterprise-License-Server

Under the "NTDS Site Settings" properties, I see that one of my branch office servers is the server responsible for the Corporate-Site Inter-Site Topology Generator.

My feeling is that there is something wrong with that... what do you think???

Thanks again,

Joe
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9633275
Yes, the Inter-Site Topology Generator should be a Domain Controller that resides in the local site.

In other words, a Domain Controller in the "Corporate-Site" should be the Inter-Site Topology Generator for the "Corporate-Site".

Do you have your locations setup as individual sites in AD Sites and Services with their proper subnets setup for each site?  AD Sites and Services will use the subnet information to determine the location of the Domain Controllers based on their IP configuration.
0
 

Author Comment

by:Joe_C
ID: 9633627
OK, but it will not let me change it... I would have to delete the "NTDS Site Settings" object and then recreate it.  I always get a little uneasy with things like this... Is it reversable?

Would a remote ISTG cause this, or, is it more involved?

I did place a call with Microsoft a while ago and they indicated that I only needed one domain with one site, so I configured my environment as follows (per their recomendation):

I have one site - "Corporate-Site" which consists of the corporate office and two branch offices connected via site to site VPN's.  All FSMO roles are held at the corporate office.  Each branch office has a DC/GC Server running AD Integrated DNS, WINS & DHCP.  Branch office servers have WINS configured to push/pull with a server at the corporate office.  All client computers obtain TCP/IP settings via the local DHCP Server.  All client computers point to a local DNS server as their primary and a corporate DNS server as their secondary.  All DNS servers themselves are configured with a minimum of two forwarders.

Of course, Microsoft could be wrong...

Do you, or, anyone else out there suggest that I break my organization up into multiple sites so that I can set the cost based on subnet? or, (as per Microsoft) should it be ok that I have one site with multiple subnets listed?

Thanks again...
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 9633776
Well that is exactly why some users are being authenticated by DC's in your branch offices.  As far as AD is concerned, all the DC's are in the same local physical site.  If you were to have a site for the corporate office and a site for each branch office with their own local subnet and DC, authentication would then take place at each local physical site.

Not sure though how difficult or what is involved in changing around the site configuration and how it will impact your AD structure.  I would consult Microsoft or someone with more knowledge than myself on how to proceed.

I would setup a site for each physical location. Seems like a better solution than having all in one site...IMHO.

0
 

Author Comment

by:Joe_C
ID: 9636842
Well... I just went ahead and created two more sites and moved the DC's with associated subnets into those sites.  I probably should have consulted someone, but... oh well.

Now I'm just waiting for the KCC to run again so that I can see what it creates... do you know of a way to force the KCC to run?

I'll know tomorrow...

Thanks again!
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9636883
You can try the below command or just wait for it to take place on its own...

The link is the full article on the repadmin command.

repadmin /kcc <DCname>

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/ForcingADReplication.asp
0
 

Author Comment

by:Joe_C
ID: 9650214
I think I'm good...

Final Resolution:

Corporate-Site = A
Branch-Site1 = B
Branch-Site2 = C

NOTE: This is not a fully routable WAN - There is a VPN between the Corporate Site and each branch, but, not branch to branch (B to C).

So, deleted the DefaultIPSiteLink and created the following Site Links:

A to B Site Link
A to C Site Link

AB to AC Site Link Bridge

And I disabled "Bridge all Site Links" checkbox.

Looks like it's working...

Thanks for all you're help!

Joe
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 9650238
You're welcome, glad to hear its working!

Sounds like you set it up nicely!
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Moving applications to the cloud or switching services to cloud-based ones, is a stressful job.  Here's how you can make it easier.
This video discusses moving either the default database or any database to a new volume.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now