vannyx
asked on
Active Directory authentication problem.
I have a domain that is in two countries; my office is the primary. There are two DCs in the main office and one in the remote office in another country. We have an IPsec tunnel between them.
Then we have a QA environment in its own domain. We set up a trust relationship between the two and granted users from the main domain access. But a few days ago a strange thing started to happen. I started getting login errors and other complaints from users.
After investigating I realized that the QA domain controller kept trying to contact the DC in the other country, a DC it can't possibly route to. We want to keep it that way.
In Sites and Services I made sure to add the subnet of the QA environment and the main office environment to the same site.
When I do a flushdns the QA DC picks up and authenticates against the correct domain controller, but after a while it starts looking only for the one it can't reach.
I don't understand this logic. There are 3 DCs; the master role holder is listed in a site you're a member of, but yet you try to contact that server over and over again like a retard.
Maybe I'm the retard. Is there a setting that I don't know about in AD, or a role on that server in the other country, that could be forcing this server to try to contact it?
ASKER
They all pass. No failures.
Event logs?
ASKER
Almost everything green except errors about being unable to load GPO from the other domain or unable to locate a logon server (cross-domain trust).
ASKER
Hmmm, the DC of the local domain and the DC of the QA domain have a time difference of 5 minutes. The local domain syncs with NIST, the QA doesn't. Could time be causing an issue with the DC selection process?
It's possible. Machines within a domain need to have a time difference of less than 5 minutes.
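To check which DC the QA domain controller's locator actually resolves for the trusted domain, whether that DC is reachable, and how far its clock is off (the site question from the original post and the 5-minute skew raised above), here is an added diagnostic script. It is not from the thread; it assumes the main-office domain name is the placeholder `corp.example` and that `nltest`, `w32tm` and `Test-NetConnection` are available on the QA DC.

```powershell
# Added example, not part of the original thread. Run in an elevated prompt on the QA DC.
param(
    [string]$TrustedDomain = "corp.example"   # placeholder for the main-office domain
)

# 1. Which AD site does this machine believe it is in? A wrong or missing site lets the
#    DC locator fall back to any DC in the trusted domain, including the unroutable one.
Write-Host "== Site of this machine =="
nltest /dsgetsite

# 2. Force a fresh locator query for the trusted domain. /force bypasses the cached DC,
#    which is the part that 'ipconfig /flushdns' alone does not reset.
Write-Host "== DC locator result for $TrustedDomain =="
$locate = nltest /dsgetdc:$TrustedDomain /force /writable
$locate
$dc = $locate |
    Select-String '^\s*DC:\s*\\\\(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1

if (-not $dc) {
    Write-Warning "Locator returned no DC; check the _ldap/_kerberos SRV records for $TrustedDomain"
    return
}

# 3. Is the chosen DC reachable on the ports authentication needs (Kerberos, LDAP, SMB)?
foreach ($port in 88, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("Port {0,-4} on {1}: {2}" -f $port, $dc, $(if ($ok) { "open" } else { "BLOCKED" }))
}

# 4. Kerberos rejects tickets once clock skew exceeds 5 minutes by default, so a 5-minute
#    offset like the one reported in the thread sits right on the limit.
Write-Host "== Clock offset against $dc (positive = this machine is ahead) =="
w32tm /stripchart /computer:$dc /samples:3 /dataonly
```

If step 2 keeps returning the DC in the other country, compare the site listed in step 1 against the site that DC belongs to in Sites and Services before chasing time sync.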
ASKER
Turns out there was an error with the physical machine that was causing the issue.
ASKER
Thanks for the help, I figured it out myself.
Any errors on the DCs? Have you run DCDIAG on any of them, including the QA domain controller?