• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 812
  • Last Modified:

Computers are using the wrong Domain Controllers.

We have 20 campuses, and a district office. The Primary DC is at the district office, and each campus has its own backup DC, and at least 2 T1 lines running to the district office. We are running all XP pro clients and win 2003 servers in native mode. We have had problems with group policies being pushed down from the DCs. We think it is caused by latency in the wan links. When I run the “set” command and “gpresult” command I find that computers at my campus are using the DCs from other campuses. None of them are using the local DC or the primary DC at the district office. Is there a way to force the clients to use the local DC for logon and group policies?  Why wouldn't they use the local DC by default?
0
masterface
Asked:
masterface
  • 3
  • 3
1 Solution
 
Justin CAWS Solutions ArchitectCommented:
I posted about it in your other thread, but how are your sites and site links configured?
0
 
masterfaceAuthor Commented:
I have 16 subnets/Vlans at my site; district wide there must be over a hundred. My site is 10.23.0.0 255.255.255.0. All switches in the IDFs are run with fiber to the core switch in the MDF. The District office is 10.1.0.0. 255.255.255.0, other schools follow the same 10.X.0.0 255.255.255.0. All of my servers, switches and router are on 10.23.1.X. My router has IP helper-address running to forward broadcasts to the DHCP server, and occasionally I have it forward PXE broadcasts to my Altiris server for initial deployment. I just don’t know why clients would cross the WAN to the District Office, and then cross another WAN to another school and use their DC.

0
 
masterfaceAuthor Commented:
I think this is happeing because our domain only has one site in AD sites and services. It is just the default-first-site-name.
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
Justin CAWS Solutions ArchitectCommented:
Yeah, that could do it.  With only the default site configured, clients will try to authenticate to the DC with the highest DNS SRV record priority, which is probably not the one closest to them.  Defining sites is a way to tell AD that two there is a slow link between one location and another, or that you simply want them to look to a certain DC/GC first, clients will try to authenticate to the DC in their site to avoid authenticating across a slower WAN link.  If the DC/GC in the site fails, clients will authenticate to either the hub site's DC or another pre-configured site's DC depending on your configuration.  This prevents a client in one remote site from trying to authenticate to a DC/GC in another remote site, since that wouldn't exactly be efficient.  Here's an MS KB article that describes how AD sites tie into authentication, and how to configure the authentication to suit your needs.

http://support.microsoft.com/?kbid=306602
0
 
masterfaceAuthor Commented:
Well, we setup AD sites and it worked. Folder redirection works every time now too.
0
 
Justin CAWS Solutions ArchitectCommented:
Glad to hear it's working for you!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now