Active Directory authentication problem.

I have a domain that is in two countries; my office is the primary. There are two DCs in the main office and one in the remote office in another country. We have an IPsec tunnel between them.

Then we have a QA environment in its own domain. We set up a trust relationship between the two and grant users from the main domain access. But a few days ago a strange thing started to happen. I started getting login errors and other complaints from users.

After investigating, I realized that the QA domain controller kept trying to contact the DC in another country, a DC it can't possibly route to. We want to keep it that way.

In Sites and Services I made sure to add the subnet of the QA environment and the main office environment in the same site.

When I do a flushdns, the QA DC picks up and authenticates against the correct domain controller, but then after a while it starts looking only for the one it can't reach.

I don't understand this logic. There are 3 DCs, the master role holder is listed on a site you're a member of, and yet you try to contact that server over and over again like a retard.

Maybe I'm the retard. Is there a setting that I don't know about in AD, or a role on that server in the other country, that could be forcing this server to try to contact it?
vannyx Asked:
 
MightySW Commented:
Hi, also run a netdiag /fix on the local DC.
 
zelron22 Commented:
You have a separate site set up for the foreign DC?

Any errors on the DCs? Have you run DCDIAG on any of them, including the QA domain controller?
 
vannyx (Author) Commented:
They all pass. No failures.
 
MightySW Commented:
Event logs?
 
vannyx (Author) Commented:
Almost everything green except errors about unable to load GPO from other domain or unable to locate login server (cross-domain trust).
 
vannyx (Author) Commented:
Hmmm, the DC of the local domain and the DC of the QA domain have a time difference of 5 minutes. The local domain syncs with NIST, the QA doesn't. Could time be causing an issue with the DC selection process?
 
zelron22 Commented:
It's possible. Machines within a domain need to have a time difference of less than 5 minutes.
 
vannyx (Author) Commented:
Turns out there was an error with the physical machine that was causing the issue.
 
vannyx (Author) Commented:
Thanks for the help, I figured it out myself.
Question has a verified solution.