OK, I'll try to be as descriptive as possible here. I have users that are VPN home users that cannot authenticate to Active Directory. We are using these Proventia VPN appliances at the users' locations.
Our AD topology here is hub and spoke, with our home office being the hub and all the remote offices (not the home VPN users) being spokes, with DCs at all the spoke locations as well as DCs at the main office.
Due to security restrictions, these VPN users are only allowed to communicate with the Hub home office location, and all communication to spokes is restricted.
So, here's my understanding of AD authentication. First a PC looks for a DC on its local subnet (there are none on the VPN users' subnets). If it fails to find a local DC, it does an LDAP query to DNS to locate a DC. Once a non-preferred DC responds, it tells the PC its AD site information, and the PC then caches which preferred DC it should be using.
So the PC successfully queries DNS for a list of DCs, but since communication to spoke DCs is shut off, these DCs do not respond, and the PC sits forever at a login screen and never receives its site information.
Placing a DC on the local subnet for the VPN users is not possible, since each PC is on its own subnet.
My question is: is there a way to force a PC to only look at specific DCs during initial authentication, before it is able to grab its site information from AD?
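As an added diagnostic example (not from the original post), the PowerShell below reproduces the two DNS lookups the DC locator makes as described above (the domain-wide SRV list, then the site-specific list) and checks which of the returned DCs the client can actually reach, so a blocked spoke DC shows up as unreachable. The domain and site names are placeholders to replace with your own.

```powershell
# Added example, not from the original post. $Domain and $Site are placeholders.
param(
    [string]$Domain = 'example.local',   # placeholder: your AD DNS domain name
    [string]$Site   = 'HubSite'          # placeholder: the hub office's AD site name
)

function Test-DcReachability {
    # Takes SRV records from Resolve-DnsName and probes each DC target on its LDAP port.
    # Note: the real locator ping is an LDAP UDP probe; a TCP connect to the same port is
    # used here as a practical approximation of "this DC is reachable from this client".
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in ($Records | Where-Object { $_.Type -eq 'SRV' })) {
        $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                                  -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $r.NameTarget
            Priority  = $r.Priority     # lower value is tried first
            Weight    = $r.Weight       # tie-break among equal priorities
            Reachable = $tcp.TcpTestSucceeded
        }
    }
}

# 1. Domain-wide records: what a client with no cached site walks through.
$generic = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
"Domain-wide DC list (pre-site):"
Test-DcReachability -Records $generic | Sort-Object Priority, DC | Format-Table -AutoSize

# 2. Site-specific records: what the client uses once it knows its site.
$siteRecs = Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" `
                            -Type SRV -ErrorAction SilentlyContinue
if ($siteRecs) {
    "DC list for site '$Site':"
    Test-DcReachability -Records $siteRecs | Sort-Object Priority, DC | Format-Table -AutoSize
} else {
    "No site-specific SRV records found for '$Site' (check the site name)."
}

# 3. Ask the locator itself which DC it would pick right now (built-in Windows tool).
nltest /dsgetdc:$Domain /force
```

Run it on an affected VPN client while it can reach the hub; any DC in the first table with Reachable = False is one the locator may wait on before a hub DC answers.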