  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 265

Active Directory authentication problem.

I have a domain that spans two countries; my office is the primary. There are two DCs in the main office and one in the remote office in another country. We have an IPsec tunnel between them.

Then we have a QA environment in its own domain; we set up a trust relationship between the two and granted users from the main domain access. But a few days ago a strange thing started to happen. I started getting login errors and other complaints from users.

After investigating I realized that the QA domain controller kept trying to contact the DC in the other country, a DC it can't possibly route to. We want to keep it that way.

In Sites and Services I made sure to add the subnet of the QA environment and the main office environment to the same site.

When I do a flushdns the QA DC picks up and authenticates against the correct domain controller, but after a while it starts looking only for the one it can't reach.

I don't understand this logic. There are 3 DCs; the master role holder is listed on a site you're a member of, but yet you try to contact that server over and over again like a retard.

Maybe I'm the retard. Is there a setting that I don't know about in AD, or a role on that server in the other country, that could be forcing this server to try to contact it?
Asked: vannyx
1 Solution
zelron22 commented:
You have a separate site set up for the foreign DC?

Any errors on the DC's?  Have you run DCDIAG on any of them, including the QA domain controller?

MightySW commented:
Hi, also run a netdiag /fix on the local DC.

vannyx (Author) commented:
They all pass. No failures.

MightySW commented:
Event logs?

vannyx (Author) commented:
Almost everything is green except errors about being unable to load GPOs from the other domain or unable to locate a login server (cross-domain trust).

vannyx (Author) commented:
Hmmm, the DC of the local domain and the DC of the QA domain have a time difference of 5 minutes. The local domain syncs with NIST; the QA doesn't. Could time be causing an issue with the DC selection process?

zelron22 commented:
It's possible. Machines within a domain need to have a time difference of less than 5 minutes.
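The two things the thread circles around, which site the DC locator puts the QA host in and which DC it then picks for the trusted domain, and whether clock skew between the domains exceeds the Kerberos tolerance, can be checked from the QA DC in one pass. The script below is an added example written for this page; it is not from the original thread or any of the commenters. It assumes the main-office domain is called `corp.example` (a placeholder to replace with the real FQDN), that it runs on the QA DC under an account that can read the trusted domain, and that the ActiveDirectory RSAT module is installed. `nltest`, `w32tm`, `Get-ADReplicationSubnet` and `Get-ADDomainController` are the standard Windows tools and cmdlets; the `Get-ClockOffsetSeconds` helper and the `$MaxSkewSeconds` parameter are names chosen here.

```powershell
<#
Added diagnostic script for the DC-locator and time-skew questions in this thread.
Not part of the original post. Assumptions (placeholders): the trusted main-office
domain is "corp.example", the script runs on the QA DC with rights to read the
trusted domain, and the ActiveDirectory RSAT module is installed.
#>
param(
    [string]$TrustedDomain  = "corp.example",  # placeholder FQDN of the main-office domain
    [int]   $MaxSkewSeconds = 300               # Kerberos default tolerance: 5 minutes
)
Import-Module ActiveDirectory

# --- 1. Site membership. The locator matches this host's IP against the subnet
#        objects of the *target* forest, so the QA subnet must be defined there;
#        a missing or wrong subnet silently drops the host out of its intended site.
Write-Host "== Site the locator assigns to this host =="
nltest /dsgetsite

Write-Host "== Subnet -> site mappings defined in $TrustedDomain =="
Get-ADReplicationSubnet -Filter * -Server $TrustedDomain |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
    Format-Table -AutoSize

# --- 2. Locator answer, cached vs forced. A correct answer right after /force
#        that later drifts to the unreachable DC points at site coverage or DNS
#        SRV records rather than at the trust itself.
Write-Host "== Cached locator answer for $TrustedDomain =="
nltest "/dsgetdc:$TrustedDomain"
Write-Host "== Forced (uncached) locator answer for $TrustedDomain =="
nltest "/dsgetdc:$TrustedDomain" /force

# --- 3. Clock skew against every DC of the trusted domain. Kerberos rejects
#        tickets once the skew passes the tolerance, and the thread reports a
#        5-minute gap between the two domains, right on that boundary.
function Get-ClockOffsetSeconds {
    param([string]$Computer)
    # w32tm /stripchart prints sample lines such as "14:02:11, +00.0123456s";
    # take the last sample as the offset of the remote clock from this host.
    $out = w32tm /stripchart "/computer:$Computer" /samples:3 /dataonly 2>&1
    $m = [regex]::Matches(($out -join "`n"), '([+-]\d+\.\d+)s') | Select-Object -Last 1
    if ($null -eq $m) { return $null }   # host unreachable or NTP blocked
    return [double]$m.Groups[1].Value
}

Write-Host "== Clock offset to each DC in $TrustedDomain =="
Get-ADDomainController -Filter * -Server $TrustedDomain | ForEach-Object {
    $off = Get-ClockOffsetSeconds -Computer $_.HostName
    $status = if ($null -eq $off) { 'UNREACHABLE' }
              elseif ([math]::Abs($off) -gt $MaxSkewSeconds) { 'SKEW TOO LARGE' }
              else { 'ok' }
    [pscustomobject]@{
        DC     = $_.HostName
        Site   = $_.Site
        Offset = $off
        Status = $status
    }
} | Format-Table -AutoSize
```

Run it once, then again after the locator has "gone bad"; a DC that shows `UNREACHABLE` in section 3 yet appears in the `/dsgetdc` answer in section 2 is exactly the symptom the question describes, and the subnet table in section 1 tells you whether the QA host is even landing in the site that holds the reachable DCs.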

vannyx (Author) commented:
Turns out there was an error with the physical machine that was causing the issue.

vannyx (Author) commented:
Thanks for the help, I figured it out myself.