?
Solved

group policy problem

Posted on 2008-10-08
17
Medium Priority
?
255 Views
Last Modified: 2012-05-05
Group Policies are applied intermittantly.  I checked the log  and found out that the clients are binding to a domain controller in another building, even thought there is a domain controller in this building.   What determines whcih domain controller users are authenticated from?  What determines which domain controller policies are read from?  As far as I know, the domain controller in this building is the main one (used to be called primary).  These are both 2003 domain controllers, clients are Vista and XP Pro.
thanks
0
Comment
Question by:hage1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +1
17 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22672812
Well there are a couple of things that determine where a user is logged on. First is the DC on a different subnet? Is the DC a global catalog? Is the DNS server that is preferred DNS server on the clients point to the local DNS server?
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22672825
Subnet defined the logon priority on multiple sites...probably you should go to the active directroy sites and services and see if the DC's are in the proper site.....
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 22673068
Yep, sk_raja_raja is probably correct.  Make sure your AD sites (in the AD Sites and Services snap-in) are set up to mirror your physical locations and that they have the correct IP subnets associated with them.  If necessary create site link objects to mirror the links between locations.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:hage1
ID: 22673554
In my directory, both domain controllers are in the "Domain Controllers" OU.  However, the two domain controllers are on different subnets.  According tto the Group Policy log in event viewer on my Vista clients, when the client searches for a domain controller, it is finding the one that is on a different subnet even though there is a domain controller on the same subnet as the client PC>
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 22673580
If you go into Active Directory Sites and Services, do you have AD site objects configured and associated with their respective IP subnets?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22673581
If you go into sites and services is the DC a global catalog? The clients will look for the nearest GC to login into.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22673591
Also, are the clients pointing to the local DC for primary DNS?
0
 

Author Comment

by:hage1
ID: 22673692
This is my first trip into "sites and services".  I see my two servers listed there under "Default -First-Site-Name" and they appear to have the same properties.  There is also an old server listed there that no longer exists.  There is nothing under the subnet folder.
0
 

Author Comment

by:hage1
ID: 22673762
Looking into this, I see that the domain controller the clients are choosing does NOT have a check in the global catalog box, and the one that they are not choosing DOES have the check. hmmm
BTW thanks to all helping.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 22673767
You may have more than one problem to work on.  First, create a new site object for one of your servers and move the server into that site.  Then create two subnet objects, one for the IP subnet that exists at each site, and associate the subnets with the correct sites.  It's important to get this right, because those subnet objects are used by AD to determine where the client machines are located.
The presence of the server that no longer exists could hint at a bigger problem.  If it was a domain controller that was not properly demoted before being removed from the network, there will still be references to it in Active Directory, and you'll need to do a metadata cleanup to remove them.  The metadata cleanup process is detailed here:
http://support.microsoft.com/kb/216498
0
 

Author Comment

by:hage1
ID: 22673884
OK I've done the site thing.  It was intuitive. I also see a "Licensing Site Settings" and it is pointing to the server in the other building.  Does that matter?  The server that does not esist any longer does not have an NTDS Settings object under it.  Is that a good sign?
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 22673930
You're better off ignoring the licensing site settings unless you run into a problem that is unquestionably related, but that's unlikely.  It probably is a good sign that that server doesn't have an NTDS Settings object.  You should run through the metadata cleanup, though, just to be sure.  If that server doesn't show up when you run the "list servers in site" command, you're in the clear and can just delete it from AD Sites and Services.
0
 

Author Comment

by:hage1
ID: 22674115
Now that I have the sites and subnets sorted out, should I make both servers global catalogs?  The idea is to have computers at the elementary (one of the subnets) use the server in that building, and the computers at the high school (the other subnet) use the server there.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22674123
oops..it looks like missed a lot... yeah you should make those dc's to be GC's
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 22674126
It is recommended to have at least one GC in every site to speed up the login process, so yes, go ahead and make them both GCs.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22674130
Also make sure both the dc's are in their own subnet under AD sites and services....this will make all the other workstations to get authenticated from the dc's matching their subnet
0
 

Author Closing Comment

by:hage1
ID: 31504408
It is working correctly!  I was also able to get rid of that non existent server as a bonus.  Great job and thanks.
0

Featured Post

Introducing Priority Question

Increase expert visibility of your issues by participating in Priority Question, our latest feature for Premium and Team Account holders. Adjust the priority of your question to get emergent issues in front of subject-matter experts for help when you need it most.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question