Wrong 2003 DC Server Processing User Logons

We have several locations that have 2003 Server DCs/DNS/DHCP servers. Our main location, which is supposed to have our primary and backup domain controllers, seems to be processing logons from users at other locations. Your primary DC/DNS/AD server should be processing all the logons; however, I see that the backup DC (also a backup DNS/AD/Exchange server) seems to be processing all the user logons.

This seems to be happening at the main site: computers are choosing to log on to SERVERB instead of SERVERA as they are supposed to. Also, computers that are on different subnets, in different geographic locations, appear to be authenticating to SERVERB at the main site, when they should be authenticating to the servers at their location.

Why is this happening, and how do I change it?
Asked by: fireguy1125

gvalsek commented:
Have you checked that GCs (global catalogs) are present in all sites?
Also check that in DNS management, under Forward Lookup Zones, in _msdcs.yourdomain/gc/sites....., all global catalogs are correctly listed.

exx1976 commented:
Configure AD Sites & Services properly.  Create multiple sites, and then add the proper subnets to each site, and then it will work properly.


HTH,
exx

exx1976 commented:
Oh, and in the main site, you can't control which DC they authenticate against (not without modifying the registry on each workstation, anyway, which would be bad).


-exx

Brian Pierce commented:
When you have a domain with multiple subnets, you should configure the subnets in AD Sites and Services. The DCs should then be allocated to the site. Once you do that, clients will first attempt to authenticate with a DC on their own subnet, and only seek another DC if their own DC is not available.

Incidentally, if you want to make this more efficient, then at least one DC in each subnet should also be a Global Catalog server, and DNS should also be installed in each subnet, with clients configured to use a DNS server in their own subnet as the preferred DNS server.

fireguy1125 (author) commented:
The subnets have been configured for several years. I just double-checked them and they are all set up correctly with the corresponding server at each subnet. One thing I did notice, however, is that under the main site, the NTDS settings list all the server objects for all the sites, except some are listed as <automatically generated>, one is listed as d4282887-d6d2-4eac-8611-67212e930af4, and the remaining are shown by the DNS server name. The one listed as d428.... is the remote server that should have users authenticating to it, but they are instead authenticating to SERVERB at our main site. Also, running the net session command on SERVERA shows that a few logons came from other subnets.

fireguy1125 (author) commented:
The issue with the particular remote site was that it was not a GC; I checked other sites and some were also not GCs. At the main site, both SERVERA and SERVERB were GCs. Still wondering why SERVERB seems to get more logons than SERVERA though; it would seem that since SERVERB handles more network traffic, as it is also an Exchange server, the logons would go to SERVERA. Thanks to both of you though!
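
An offline check of the two conditions this thread turns on (each client address maps to a site through a subnet object, and every site has a global catalog), as an added example that is not part of the original thread. The inventory, site names, subnets and BRANCH* DC names are constructed; SERVERA and SERVERB are reused from the question only as labels.

```python
import ipaddress

# Constructed inventory (hypothetical, typed in by hand from AD Sites and Services):
# site -> subnet objects and DCs. Each DC is (name, is_global_catalog).
SITES = {
    "Main":    {"subnets": ["10.0.0.0/8"],
                "dcs": [("SERVERA", True), ("SERVERB", True)]},
    "Branch1": {"subnets": ["10.1.0.0/24"],
                "dcs": [("BRANCH1-DC", False)]},  # DC present, but not a GC
    "Branch2": {"subnets": ["10.2.0.0/24"],
                "dcs": [("BRANCH2-DC", True)]},
}

def site_for_ip(ip, sites=SITES):
    """Return the site whose subnet most specifically contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, site name)
    for site, cfg in sites.items():
        for cidr in cfg["subnets"]:
            net = ipaddress.ip_network(cidr)
            # AD maps a client to the most specific matching subnet object.
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site)
    return best[1] if best else None

def sites_without_gc(sites=SITES):
    """Sites where no listed DC is flagged as a global catalog."""
    return sorted(s for s, cfg in sites.items()
                  if not any(is_gc for _, is_gc in cfg["dcs"]))

def audit_clients(client_ips, sites=SITES):
    """Map each client IP to a finding; clients with no finding are omitted."""
    no_gc = set(sites_without_gc(sites))
    findings = {}
    for ip in client_ips:
        site = site_for_ip(ip, sites)
        if site is None:
            findings[ip] = "no subnet object covers this address"
        elif site in no_gc:
            findings[ip] = f"site {site} has no global catalog"
    return findings

if __name__ == "__main__":
    sample = ["10.0.5.20", "10.1.0.44", "10.2.0.9", "192.168.7.3"]  # constructed
    for ip, why in audit_clients(sample).items():
        print(ip, "->", why)
```

Clients flagged here are the ones to compare against the logon server they actually used.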

Question has a verified solution.
