Active Directory Connects To Remote Domain Controller Instead of Local DC

Hello,

We have domain controllers at most sites all around the world. When I open Active Directory Users and Computers at most locations or on servers, it connects to the local DC. Client logins also mostly connect to local DCs.

However, sometimes servers and clients, for some reason unknown, connect/authenticate against DCs which are located elsewhere around the world. I can tell on a client when login is really slow and the login script shows the DC. I can tell on servers for the obvious reason that it shows the DC hostname at the top, and also is really slow to work with.

Any ideas why some machines would do this? It appears to be rare and random, but confusing (???). Are there ways to force a client/server to default to a DC?

Thanks for your time and any insight!
ottobock Asked:
ThaVWMan Commented:
It could also be that if the local DC is overtaxed, the client will move on to the next available DC. So, if you only have one DC in a site, and it is too busy to process the logon request, the client has no choice but to traverse the WAN to authenticate.

You should see if this only happens at specific sites. If so, either add a second DC, or upgrade the hardware on the current one.
0
 
TechnicallyMaybe Commented:
Do you have sites and subnets configured in Active Directory Sites and Services?
0
 
ThaVWMan Commented:
Yes, Sites and Services must be configured, otherwise clients will assume that all of your DCs and GCs are in the same area, even if they are located across WAN links. Once you create the sites, and link the subnets to the sites, the KCC will automatically generate site links to the different sites. If you want to control how and with what servers a specific site syncs (because of slow links, etc.), you can manually create your site links, and manually set your replication times.

To access Sites and Services, log into a DC and go to the admin tools, then AD Sites and Services. This is a must-setup if you have any more than one physical subnet in your Active Directory domain!
0
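The post above says every physical subnet must be mapped to a site. The script below is an added example (not from this thread or from Microsoft) that checks exactly that from the admin side: it pulls the subnet objects from AD Sites and Services and reports which site, if any, covers a given client address. It assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2012 and later); the two client IPs at the bottom are constructed sample input.

```powershell
# Added example: does a client's IP fall inside a subnet defined in
# AD Sites and Services, and which site does that subnet map to?
# A client whose address matches no subnet has no site and will accept
# whatever DC the domain-wide SRV record hands it.
# Assumes the ActiveDirectory module (RSAT / Server 2012 or later).

Import-Module ActiveDirectory

# Convert a dotted IPv4 string to an unsigned 32-bit integer.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                  # network byte order -> little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Ip lies inside the IPv4 CIDR block $Cidr (e.g. 10.1.0.0/16).
function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if ($net -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }   # skip IPv6 subnets
    # Build the mask via doubles to avoid PowerShell's 64-bit shift promotion.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $ipMasked  = [uint32]((ConvertTo-UInt32 $Ip)  -band $mask)
    $netMasked = [uint32]((ConvertTo-UInt32 $net) -band $mask)
    return ($ipMasked -eq $netMasked)
}

# Every subnet object, with its site name extracted from the site DN.
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
           ForEach-Object {
               [pscustomobject]@{
                   Cidr = $_.Name
                   Site = if ($_.Site) { (($_.Site -split ',')[0]) -replace '^CN=', '' } else { '<no site>' }
               }
           }

# Longest-prefix match: the most specific subnet wins, as the DC locator does.
function Find-ClientSite ([string]$ClientIp) {
    $match = $subnets |
             Where-Object { Test-IpInCidr -Ip $ClientIp -Cidr $_.Cidr } |
             Sort-Object { [int](($_.Cidr -split '/')[1]) } -Descending |
             Select-Object -First 1
    if ($match) { "$ClientIp -> subnet $($match.Cidr) -> site $($match.Site)" }
    else        { "$ClientIp -> NO SUBNET DEFINED: client gets no site-specific DC" }
}

# Constructed sample input: addresses of the machines with slow logons.
'10.1.20.15', '192.168.77.4' | ForEach-Object { Find-ClientSite $_ }
```

Run it against the IP of each machine that lands on a far-away DC; an address that prints "NO SUBNET DEFINED" explains the behaviour without any further client-side investigation, and the fix is a new subnet object under the right site.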
 
dhruvarajp Commented:
If you have sites and services configured as recommended in the above posts,
this case might arise for new clients or clients who do not know what site they belong to, like new installations and/or disk re-images etc.

As the client does not know what site it belongs to, it chooses a random DC from the GetDC query results.
0
 
ottobock (Author) Commented:
Yes - Sites and Services was configured long ago. There is no change needed here.

Out of a thousand clients/servers, only a few experience this issue from time-to-time. I never put much analysis into it to determine if after a few reboots, the issue resolves itself.

wondering if there was some client registry entry or something similar...
0
 
frajico Commented:
Are the DCs W2000/2003/2008?

How do they have DNS configured?
0
 
TechnicallyMaybe Commented:
Also, if the client can't resolve or connect to the local DC they will roam.
0
 
dhruvarajp Commented:
Yes, it is clients not being aware of the site they belong to. If the DNS query for the domain controller SRV records does not contain the client's site,
they might get connected to DCs out of site.

However, DCs out of site do send the client back to their original DCs for further logons by telling the client "your site is siteA" or whatever that turns out to be.
0
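The two answers above describe the DC locator from the client's side: a client that knows its site asks DNS for the site-specific SRV record; one that does not falls back to the domain-wide record and can land on any DC. The script below is an added example (not from this thread) that walks through those steps on a domain-joined client so you can see which case applies. It assumes the DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName and Get-DnsClientServerAddress; nltest ships with Windows. The domain comes from the USERDNSDOMAIN environment variable, and the SRV names follow the standard _msdcs layout.

```powershell
# Added example: which DC is this client using, does it know its site,
# and can DNS hand it a DC for that site?
# Assumes a domain-joined Windows 8 / Server 2012+ client (DnsClient module).

param(
    [string]$Domain = $env:USERDNSDOMAIN
)

# 1. The DC that handled this session's logon, and the site the client
#    believes it is in. No site means the locator used the domain-wide
#    record and may have picked a DC across the WAN.
$logonServer = $env:LOGONSERVER
$siteLine    = nltest /dsgetsite 2>$null | Select-Object -First 1
$site        = if ($LASTEXITCODE -eq 0 -and $siteLine) { $siteLine.Trim() } else { $null }

Write-Host "Logon server : $logonServer"
Write-Host "Client site  : $(if ($site) { $site } else { '<none: client is not mapped to a site>' })"

# 2. Site-specific SRV record. Clients that know their site query this
#    first; if no DC has registered here, they fall back to step 3.
if ($site) {
    $siteSrv = "_ldap._tcp.$site._sites.dc._msdcs.$Domain"
    $siteDcs = Resolve-DnsName -Name $siteSrv -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if ($siteDcs) {
        Write-Host "DCs registered for site '$site':"
        $siteDcs | ForEach-Object {
            Write-Host "  $($_.NameTarget) (priority $($_.Priority), weight $($_.Weight))"
        }
    } else {
        Write-Warning "No SRV record at $siteSrv : no DC has registered for this site in DNS."
    }
}

# 3. Domain-wide record. Every DC in the domain appears here, including
#    the ones on the other side of the world.
$domainSrv = "_ldap._tcp.dc._msdcs.$Domain"
$allDcs    = Resolve-DnsName -Name $domainSrv -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' }
Write-Host "DCs in $domainSrv : $(@($allDcs).Count)"

# 4. Which resolvers answered? SRV lookups sent to a DNS server that does
#    not hold the AD zone are a classic cause of "random" DC selection.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "DNS on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# 5. Force the locator to rediscover now; compare the DC and site it
#    reports with the logon server from step 1.
nltest /dsgetdc:$Domain /force
```

If step 1 shows no site but step 3 lists DCs, the client is in the "does not know its site" case from the answer above and the subnet mapping in Sites and Services is the place to look; if step 2 warns that the site record is missing, the local DC has not registered its SRV records in DNS.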
 
ChiefIT Commented:
DHCP might be passing down DNS servers that are used to discover the authoritative server for authentication.

Let's say within DHCP scope options, you set an internal DNS server to provide DNS resolution and an external one.

Once in a while your external one will handle DNS requests, meaning providing DNS resolution for the SRV records. The SRV records in DNS, point the way to the authentication server. The only place on a domain that should have ANY outside DNS servers is in DNS forwarders or Root Hints.

Go into DHCP scope options and change your DNS servers to internal DNS servers. Also make sure that your router is not supplying DHCP (and therefore DNS), for this same reason.

0
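The post above pins the problem on DHCP handing out a DNS server that does not hold the AD zone, so that some SRV lookups get answered from the wrong place. The script below is an added example (not from this thread) that audits DNS option 006 at the server level and in every scope on a Windows DHCP server and flags any address that is not on your internal DNS list. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT); the DHCP server name and the internal DNS addresses are placeholders you replace with your own.

```powershell
# Added example: find DHCP scopes that hand clients a DNS server outside
# the internal list. Assumes the DhcpServer module (Server 2012+ / RSAT).

param(
    [string]   $DhcpServer  = 'dhcp01.contoso.com',          # placeholder hostname
    [string[]] $InternalDns = @('10.0.0.10', '10.0.0.11')    # placeholder: your DCs' DNS addresses
)

# Emit one finding per option-006 address that is not an internal DNS server.
function Test-DnsOption {
    param([string]$Scope, [object]$OptionValue)
    if (-not $OptionValue) { return }                # option 006 not set at this level
    foreach ($addr in $OptionValue.Value) {
        if ($InternalDns -notcontains $addr) {
            [pscustomobject]@{ Scope = $Scope; DnsServer = $addr; Status = 'EXTERNAL' }
        }
    }
}

# Server-level option 006 is inherited by every scope that does not override it.
$serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue
$findings  = @(Test-DnsOption -Scope '<server-level>' -OptionValue $serverOpt)

# Then each scope's own option 006.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId `
               -OptionId 6 -ErrorAction SilentlyContinue
    $findings += @(Test-DnsOption -Scope "$($scope.ScopeId) ($($scope.Name))" -OptionValue $opt)
}

if ($findings) {
    Write-Warning "Clients on these scopes may send SRV lookups to a DNS server that does not hold the AD zone:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All DHCP-issued DNS servers on $DhcpServer are internal."
}
```

Scopes that show up as EXTERNAL are the ones to correct with Set-DhcpServerv4OptionValue and its -DnsServer parameter so that only internal DNS servers are offered; external resolvers then belong only in forwarders or root hints on the DNS servers themselves, as the post says.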
 
ottobock (Author) Commented:
Big Thanks to everyone - I have some things to check the next time I come across this again!
0
 
ottobock (Author) Commented:
Thanks for the great information everyone! I have a better idea now of what to look at next time I come across this.
0