Solved

Active Directory Connects To Remote Domain Controller Instead of Local DC

Posted on 2010-08-12
11
931 Views
Last Modified: 2012-05-10
Hello,

We have domain controllers at most sites all around the world. When I open Active Directory Users and Computers at most locations or on servers, it connects to the local DC. Client logins also mostly connecting to local DC's too.

However, sometimes servers and clients, for some reason unknown, connect/authenticate against DC's which are located elsewhere around the world. I can tell with the client when login is really slow and login script shows the DC. I can tell on servers for the obvious reason that it shows the DC hostname on the top, and also is really slow to work with.

Any ideas why some machines would do this? It appears to be rare and random, but confusing (???) Are there ways to force a client / server to default to a DC?

Thanks for your time and any insight!
Question by:ottobock
11 Comments
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33421271
Do you have sites and subnets configured in Active Directory Sites and Services?
LVL 9

Expert Comment

by:ThaVWMan
ID: 33421456
Yes, Sites and Services must be configured, otherwise clients will assume that all of your DC's and GC's are in the same area, even if they are located across WAN links.  Once you create the sites, and link the subnets to the sites, the KCC will automatically generate site links to the different sites.  If you want to control how and with what servers a specific site syncs with (because of slow links, etc.), you can manually create your site links, and manually set your replication times.

To access sites and services, log into a DC and go to the admin tools, then AD Sites and Services.  This is a must setup if you have any more than one physical subnet in your active directory domain!
LVL 10

Expert Comment

by:dhruvarajp
ID: 33421489
If you have sites and services configured as recommended in the above posts, this case might arise for new clients or clients who do not know what site they belong to, like new installations and/or disk re-images, etc.

As the client does not know what site it belongs to, it chooses a random DC from the GetDC query results.
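A way to check the subnet coverage the two posts above depend on, added here as an example and not taken from this thread: a domain controller records clients it could not map to a site as NO_CLIENT_SITE lines in its netlogon.log, and the script below reports which of those client addresses fall outside every AD subnet object, which is exactly the case where the locator picks any DC in the domain. The log lines and the subnet table are constructed sample data, the netlogon.log line layout is an assumption, and the commented-out production lines assume the ActiveDirectory PowerShell module for Get-ADReplicationSubnet.

```powershell
# Added example: find clients that no AD subnet object covers.
# Sample log lines and subnets below are constructed; the NO_CLIENT_SITE
# line layout is assumed from the typical netlogon.log format.

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    # Compare the address and the network prefix byte by byte
    $net, $prefix = $Cidr.Split('/')
    $prefix   = [int]$prefix
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # IPv4 vs IPv6 never match
    $bitsLeft = $prefix
    for ($i = 0; $i -lt $ipBytes.Length; $i++) {
        if ($bitsLeft -le 0) { return $true }
        $maskBits = [Math]::Min(8, $bitsLeft)
        $mask = (0xFF -shl (8 - $maskBits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bitsLeft -= $maskBits
    }
    return $true
}

function Get-UnmappedClients {
    param([string[]]$LogLines, [hashtable]$SubnetToSite)
    # Returns ip -> hostname for every NO_CLIENT_SITE client outside all subnets
    $results = @{}
    foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            $client = $Matches[1]; $ip = $Matches[2]
            $covered = $false
            foreach ($cidr in $SubnetToSite.Keys) {
                if (Test-IPInCidr -IPAddress $ip -Cidr $cidr) { $covered = $true; break }
            }
            if (-not $covered) { $results[$ip] = $client }
        }
    }
    return $results
}

# --- Constructed sample data (not real hosts or addresses) ---
$sampleLog = @(
    '08/12 09:01:12 [MISC] [1234] CORP: NO_CLIENT_SITE: WS-BERLIN-07 10.20.5.44',
    '08/12 09:01:40 [MISC] [1234] CORP: NO_CLIENT_SITE: WS-TOKYO-03 10.30.8.19',
    '08/12 09:02:03 [MISC] [1234] CORP: NO_CLIENT_SITE: SRV-PARIS-01 10.40.1.7'
)
$sampleSubnets = @{ '10.20.0.0/16' = 'Berlin'; '10.30.0.0/16' = 'Tokyo' }

# Production sources (assumes the ActiveDirectory module on a DC or RSAT host):
# $sampleLog = Get-Content "$env:windir\debug\netlogon.log"
# $sampleSubnets = @{}
# Get-ADReplicationSubnet -Filter * | ForEach-Object {
#     $sampleSubnets[$_.Name] = (($_.Site -split ',')[0] -replace '^CN=')
# }

$unmapped = Get-UnmappedClients -LogLines $sampleLog -SubnetToSite $sampleSubnets
$unmapped.GetEnumerator() | ForEach-Object {
    "{0} ({1}) matches no AD subnet object; add a subnet for it so it gets a site" -f $_.Value, $_.Key
}
```

With the constructed data only SRV-PARIS-01 (10.40.1.7) is reported, because 10.40.0.0/16 has no subnet object; the two other clients are covered and would not appear.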
LVL 7

Author Comment

by:ottobock
ID: 33421525
Yes - Sites and Services was configured long ago. There is no change needed here.

Out of a thousand clients/servers, only a few experience this issue from time-to-time. I never put much analysis into it to determine if after a few reboots, the issue resolves itself.

wondering if there was some client registry entry or something similar...
LVL 9

Accepted Solution

by:
ThaVWMan earned 150 total points
ID: 33421550
It could also be that if the local DC is overtaxed, the client will move onto the next available DC.  So, if you only have one DC in a site, and it is too busy to process the logon request, the client has no choice but to traverse the WAN to authenticate.

You should see if this only happens at specific sites.  If so, either add a second DC, or upgrade the hardware on the current one.
LVL 7

Expert Comment

by:frajico
ID: 33421579
The DC's are W2000/2003/2008?

How do they have DNS configured?
LVL 5

Assisted Solution

by:TechnicallyMaybe
TechnicallyMaybe earned 75 total points
ID: 33421584
Also, if the client can't resolve or connect to the local DC they will roam.
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 150 total points
ID: 33421644
Yes, it is clients not being aware of the sites they belong to. If the DNS query for SRV records for domain controllers does NOT contain the client's site, they might get connected to the DCs out of site.

However, DCs out of site do send the client back to their original DCs for further logons by telling the client your site is "siteA" or whatever that turns out to be.
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 125 total points
ID: 33422532
DHCP might be passing down DNS servers that are used to discover the authoritative server for authentication.

Let's say within DHCP scope options, you set an internal DNS server to provide DNS resolution and an external one.

Once in a while your external one will handle DNS requests, meaning providing DNS resolution for the SRV records. The SRV records in DNS point the way to the authentication server. The only place on a domain that should have ANY outside DNS servers is in DNS forwarders or Root Hints.

Go into DHCP scope options and change your DNS servers to Internal DNS servers. Also make sure that your router is not supplying DHCP, (and therefore DNS), for this same reason.
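A client-side check that covers both of the last two points, added here as an example that is not from this thread: it lists any adapter DNS server outside an approved internal list (the DHCP-supplied external server described above), reads the site Netlogon last learned from a DC, resolves the site-specific SRV record the locator would use, and finally asks nltest which DC it picks right now. The approved DNS addresses are a constructed assumption; the script assumes the DnsClient cmdlets (Windows 8 / Server 2012 or later), nltest.exe, and a domain-joined machine.

```powershell
# Added example: why is this client talking to a remote DC?
# $ApprovedDns is an assumption; replace it with your internal DNS servers.
$ApprovedDns = @('10.0.0.10', '10.0.0.11')
$Domain      = $env:USERDNSDOMAIN              # DNS name of the joined domain

function Get-UnapprovedDnsServers {
    param([string[]]$ConfiguredServers, [string[]]$Approved)
    # Return every configured server that is not on the internal list
    return @($ConfiguredServers | Where-Object { $Approved -notcontains $_ })
}

function Get-SiteDomainControllers {
    param([string]$Site, [string]$DomainName)
    # Site-specific locator record: _ldap._tcp.<site>._sites.dc._msdcs.<domain>
    $fqdn = "_ldap._tcp.$Site._sites.dc._msdcs.$DomainName"
    try {
        $records = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction Stop
        return @($records | Where-Object { $_.Type -eq 'SRV' } |
                 Select-Object -ExpandProperty NameTarget)
    } catch {
        return @()   # no record: the locator falls back to any DC in the domain
    }
}

# 1. DNS servers currently configured (DHCP-assigned or static) on IPv4 adapters
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses }
$bad = Get-UnapprovedDnsServers -ConfiguredServers $configured -Approved $ApprovedDns
if ($bad) { Write-Warning "Non-internal DNS servers configured: $($bad -join ', ')" }

# 2. Site Netlogon last learned; missing on a client that has never been mapped to one
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -ErrorAction SilentlyContinue
$site = $params.DynamicSiteName
if (-not $site) {
    Write-Warning 'No DynamicSiteName: this client does not know its site yet'
} else {
    # 3. DCs registered for that site in DNS
    $siteDcs = Get-SiteDomainControllers -Site $site -DomainName $Domain
    if ($siteDcs.Count -eq 0) { Write-Warning "No SRV record found for site $site" }
    else { "Site $site DCs: $($siteDcs -join ', ')" }
}

# 4. What the locator picks right now, bypassing the cached DC
nltest /dsgetdc:$Domain /force
```

Run it on an affected client while the slow logon is reproducible: a warning from step 1 points at the DHCP scope or router handing out DNS servers, a warning from step 2 or 3 points at a missing subnet object or SRV record for the site, and step 4 shows whether the DC it settles on is in the site you expect.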
LVL 7

Author Comment

by:ottobock
ID: 33423796
Big Thanks to everyone - I have some things to check the next time I come across this again!
LVL 7

Author Closing Comment

by:ottobock
ID: 33469089
Thanks for the great information everyone! I have a better idea now of what to look at next time I come across this.