Need Script to set LOGONSERVER in Windows

I have an issue where some of my remote sites will not connect to the proper DC. This of course brings the login to a crawl. I would like a script to set the %LOGONSERVER% to my server, INPADHQDC1. So far I am having some problems finding out about the %LOGONSERVER% variable. All my users log in to our DC, but some of the other sites will try and connect to the wrong DC. We have multiple DCs and no roamers. I can't use the NET commands. TIA


JimInLakeland commented:
The solution is in Active Directory Sites and Services.

In sites and services, find the site that has your domain controller. That DC should also be configured as a Global Catalog server. If it is not, set it. Let's call that site "Orlando"

If you want computers using a subnet to use the DC in the Orlando site, you assign the subnet to Orlando site.

If you do not have subnets assigned specifically, the client machines will organically find the DC they feel like using (and it is always the one you don't want them to use).

Sites and Services is your solution. If you don't manage that correctly, no amount of DHCP work will help.
Do you have sites setup in AD Sites and Services?
sporgg commented:
Hi there

Having a script that sets the %LOGONSERVER% variable will not solve your problem.

Have a look at this article explaining the logon process, I hope this will point you in the right direction. If not let me know.


Henrik Johansson (Systems engineer) commented:
Clients will automatically try to authenticate to the closest DC. If they can't find a DC in the local site, they will search for a DC at the next closest site link, for redundancy when the normal DC is unavailable.
If you want a preferred DC for the local/remote locations, create different sites by using AD Sites and Services and assign the different subnets to the site they belong with the preferred DC they should authenticate to.
If you want to avoid WAN links for authentication, make sure you have at least two DC/GCs in each site.
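The two answers above describe the same fix: the client's site is derived from the subnet-to-site mapping in Active Directory, and the DC locator then prefers DCs registered in that site. The following PowerShell is an added example, not code from anyone in this thread, of how an administrator who does have rights on Sites and Services would diagnose and apply that fix. The site name "Orlando" and the DC name INPADHQDC1 come from the thread; the domain name and the client subnet are assumptions, and the ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not from the original thread). Diagnose which DC/site a client
# resolves to, then map the remote subnet to the site holding the preferred DC.
# Site "Orlando" and DC "INPADHQDC1" are from the thread; $Domain and $Subnet are
# assumptions for illustration. Run steps 2-4 with rights on Sites and Services.

$Domain   = 'corp.example.com'   # assumption: the AD domain FQDN
$SiteName = 'Orlando'            # from the thread
$DcName   = 'INPADHQDC1'         # from the thread
$Subnet   = '10.50.0.0/16'       # assumption: the remote site's client subnet

# --- 1. Diagnose on an affected client ---
# %LOGONSERVER% is only a record of which DC authenticated this session; setting
# it changes nothing. The locator decides from the client's site, and the site is
# looked up from the client's IP address in the AD subnet list.
Write-Host "DC recorded at logon: $env:LOGONSERVER"
nltest /dsgetsite                 # site the client is placed in; "No site" means its subnet is unmapped
nltest /dsgetdc:$Domain /force    # DC the locator picks now, bypassing the locator cache
# If this names the Denver DC and /dsgetsite is wrong or empty, continue below.

# --- 2. Inspect the current site/subnet configuration ---
Import-Module ActiveDirectory
Get-ADReplicationSite   -Filter * | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
# The preferred DC must itself sit in that site and should be a Global Catalog,
# since logon needs GC lookups for universal group membership.
$dc = Get-ADDomainController -Identity $DcName
$dc | Select-Object Name, Site, IsGlobalCatalog
if ($dc.Site -ne $SiteName) {
    Write-Warning "$DcName is in site '$($dc.Site)', not '$SiteName'; move its server object in Sites and Services first."
}
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "$DcName is not a Global Catalog; enable GC on its NTDS Settings object."
}

# --- 3. Fix: create the site if needed and map the subnet to it ---
$site = Get-ADReplicationSite -Filter "Name -eq '$SiteName'"
if (-not $site) {
    New-ADReplicationSite -Name $SiteName
}
$existing = Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'"
if ($existing) {
    # Subnet already exists; re-point it (this is the usual cause when it points at Denver)
    Set-ADReplicationSubnet -Identity $Subnet -Site $SiteName
} else {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName -Description "Clients served by $DcName"
}

# --- 4. Verify from the client once the change has replicated ---
# Both should now report the Orlando site and a DC in it (INPADHQDC1).
nltest /dsgetsite
nltest /dsgetdc:$Domain /force
Get-ADDomainController -Discover -Site $SiteName -ForceDiscover | Select-Object HostName, Site
```

Two checks worth doing alongside this: the DC must be able to register its site-specific SRV records (`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`) in DNS, so if the DNS team blocks dynamic updates the subnet mapping alone will not redirect clients; and a DC in the right site that is not a Global Catalog will still push part of the logon across the WAN.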
MarkIsrael (Author) commented:
You all have hit the nail on the head. Which in my case means there isn't a solution I can do from where I sit. We have a small group of contractors that control all the AD forests in our company. I have a DC at my site but I can't log on, or do a damn thing with it. Also, the same group has the DNS server. From what I have seen they are clueless about the workings of what DNS servers do. It appears I'll have to see if they do anything about the local site.
Unless there is something I can do with DHCP or something of another fashion. I'll wait to see if anything else comes down and award points next week.
Henrik Johansson (Systems engineer) commented:
Sites/subnets need, as said, to be correctly configured in ADSS to get the clients to authenticate with the local preferred site and avoid WAN communication.

Is there a firewall between the sites preventing communication between clients and DCs causing authentication problems, or is it just that they don't use the closest DC/GC and use the WAN link when not needed?

Some technet articles about site/subnet management:
MarkIsrael (Author) commented:
We are talking about a WAN site. It is supposed to use our DC but it tends to use the Denver DC, even after it was set up on a different TCP/IP address. At HQ we have a regular IP address, one that is registered with ICANN, but the remote sites are on a private addressing scheme. We use the IP Helper command on our Cisco routers to tell the computer where to find the DHCP server, which I have control over.
Also, I am wondering if the DC could be added to the HOSTS or LMHOSTS file to help the workstation look at our DC. I am not sure how many DCs we have, but the top of the tree is Denver and Washington. When it hits the Denver DC all traffic runs at a snail's pace.
Henrik Johansson (Systems engineer) commented:
As you can't do it by your self, ask the networking guys to use AD Sites and Services for configuring the network to have separate sites for Denver and Washington and assign the different subnets to the correct site.
Hi there,

If you have a firewall installed on the computers you could set the firewall to deny access to the AD ports on the outside server. This should force the computers to use your local AD server. The ports you would need to restrict are Kerberos: 750 & LDAP: 389. I would recommend testing this out before trying it on a live system.

