Solved

Active Directory Connects To Remote Domain Controller Instead of Local DC

Posted on 2010-08-12
Last Modified: 2012-05-10
Hello,

We have domain controllers at most sites all around the world. When I open Active Directory Users and Computers at most locations or on servers, it connects to the local DC. Client logins are also mostly connecting to local DCs.

However, sometimes servers and clients, for some reason unknown, connect/authenticate against DCs which are located elsewhere around the world. I can tell on the client when login is really slow and the login script shows the DC. I can tell on servers for the obvious reason that it shows the DC hostname at the top, and it is also really slow to work with.

Any ideas why some machines would do this? It appears to be rare and random, but confusing (???) Are there ways to force a client / server to default to a DC?

Thanks for your time and any insight!
Question by:ottobock
11 Comments
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33421271
Do you have sites and subnets configured in Active Directory Sites and Services?
 
LVL 9

Expert Comment

by:ThaVWMan
ID: 33421456
Yes, Sites and Services must be configured, otherwise clients will assume that all of your DCs and GCs are in the same area, even if they are located across WAN links. Once you create the sites and link the subnets to the sites, the KCC will automatically generate site links to the different sites. If you want to control how and with which servers a specific site syncs (because of slow links, etc.), you can manually create your site links and manually set your replication times.

To access Sites and Services, log into a DC and go to the admin tools, then AD Sites and Services. This is a must-setup if you have more than one physical subnet in your Active Directory domain!
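The subnet-to-site mapping described above is what the DC locator uses to pick an in-site DC, and a client whose IP falls outside every defined subnet object is the classic cause of "random" out-of-site DCs. The script below is an added example, not code from the thread: it reads the forest's subnet objects (falling back to a constructed sample table when no domain is reachable) and reports which site, if any, covers a given IPv4 address using the same longest-prefix rule Netlogon applies. The site and subnet names in the sample table and the default address `10.50.12.77` are hypothetical.

```powershell
# Added example: map an IPv4 address to the AD site whose subnet object covers it.
# Usage: .\Find-ADSite.ps1 [ipv4-address]   (defaults to the constructed sample address)

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$IPv4)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                           # host order for BitConverter on x86/x64
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-PrefixMask {
    param([Parameter(Mandatory)][int]$PrefixLength)
    if ($PrefixLength -le 0) { return [uint32]0 }
    # Build the mask in 64 bits so /0 and /32 cannot overflow a 32-bit shift
    return [uint32]((([uint64]0xFFFFFFFF) -shl (32 - $PrefixLength)) -band ([uint64]0xFFFFFFFF))
}

function Test-IPInSubnet {
    param([Parameter(Mandatory)][string]$IPv4, [Parameter(Mandatory)][string]$Cidr)
    $net, $len = $Cidr -split '/'
    $mask = Get-PrefixMask -PrefixLength ([int]$len)
    $ipBits  = (ConvertTo-UInt32Address -IPv4 $IPv4) -band $mask
    $netBits = (ConvertTo-UInt32Address -IPv4 $net)  -band $mask
    return ($ipBits -eq $netBits)
}

function Find-ADSiteForIP {
    # Longest matching prefix wins: a /24 subnet object beats a /16 covering the same address
    param([Parameter(Mandatory)][string]$IPv4, [Parameter(Mandatory)][object[]]$Subnets)
    $best = $null
    foreach ($s in $Subnets) {
        if (-not (Test-IPInSubnet -IPv4 $IPv4 -Cidr $s.Cidr)) { continue }
        $len = [int](($s.Cidr -split '/')[1])
        if ($null -eq $best -or $len -gt $best.Len) {
            $best = [pscustomobject]@{ Cidr = $s.Cidr; Site = $s.Site; Len = $len }
        }
    }
    return $best
}

function Get-ForestSubnetTable {
    # Live read through System.DirectoryServices; works against Windows Server 2003+ forests
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        foreach ($sub in $site.Subnets) {
            if ($sub.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$') {      # IPv4 subnet objects only
                [pscustomobject]@{ Cidr = $sub.Name; Site = $site.Name }
            }
        }
    }
}

# Constructed sample table (hypothetical sites/subnets) used when no domain is reachable
$sampleSubnets = @(
    [pscustomobject]@{ Cidr = '10.0.0.0/8';      Site = 'HQ-Default' },
    [pscustomobject]@{ Cidr = '10.50.0.0/16';    Site = 'Sydney' },
    [pscustomobject]@{ Cidr = '10.50.12.0/24';   Site = 'Sydney-Lab' },
    [pscustomobject]@{ Cidr = '192.168.40.0/22'; Site = 'Hamburg' }
)

$subnets = @()
try   { $subnets = @(Get-ForestSubnetTable) }
catch { Write-Warning "No forest reachable ($($_.Exception.Message)); using the constructed sample table" }
if ($subnets.Count -eq 0) { $subnets = $sampleSubnets }

$ip = if ($args.Count -gt 0) { $args[0] } else { '10.50.12.77' }   # hypothetical client address

$match = Find-ADSiteForIP -IPv4 $ip -Subnets $subnets
if ($match) {
    "{0} -> site '{1}' via subnet object {2}" -f $ip, $match.Site, $match.Cidr
} else {
    "{0} is covered by NO subnet object: the locator may hand this client any DC in the domain" -f $ip
}

# What the local Netlogon service decided (only meaningful on a domain-joined machine)
if (Get-Command nltest.exe -ErrorAction SilentlyContinue) { nltest /dsgetsite }
```

Run it with the address of a machine that landed on a remote DC; if it prints the "NO subnet object" line, the fix is a missing or too-narrow subnet object, not the client. Compare the computed site against what `nltest /dsgetsite` prints at the end: they should agree once Netlogon has asked a DC for the site.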
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33421489
If you have Sites and Services configured as recommended in the above posts, this case might arise for new clients or clients who do not know what site they belong to, like new installations and/or disk re-images, etc.

As the client does not know what site it belongs to, it chooses a random DC from the GetDC query results.
 
LVL 7

Author Comment

by:ottobock
ID: 33421525
Yes - Sites and Services was configured long ago. There is no change needed here.

Out of a thousand clients/servers, only a few experience this issue from time-to-time. I never put much analysis into it to determine if after a few reboots, the issue resolves itself.

wondering if there was some client registry entry or something similar...
 
LVL 9

Accepted Solution

by:
ThaVWMan earned 600 total points
ID: 33421550
It could also be that if the local DC is overtaxed, the client will move on to the next available DC. So, if you only have one DC in a site, and it is too busy to process the logon request, the client has no choice but to traverse the WAN to authenticate.

You should see if this only happens at specific sites.  If so, either add a second DC, or upgrade the hardware on the current one.
 
LVL 7

Expert Comment

by:frajico
ID: 33421579
Are the DCs W2000/2003/2008?

How do they have DNS configured?
 
LVL 5

Assisted Solution

by:TechnicallyMaybe
TechnicallyMaybe earned 300 total points
ID: 33421584
Also, if the client can't resolve or connect to the local DC they will roam.
 
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 600 total points
ID: 33421644
Yes, it is clients not being aware of the sites they belong to; if the DNS query for SRV records for domain controllers does NOT contain the client's site, they might get connected to DCs out of site.

However, DCs out of site do send the client back to their original DCs for further logons by telling the client "your site is siteA" or whatever that turns out to be.
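The two comments above describe the DC locator sequence: the client asks DNS for the site-specific SRV record, falls back to the generic one if it has no site, and is told its real site by whichever DC answers. The script below is an added example, not the thread's code, that makes each step visible on one client: the DC that handled the current logon, the DC the locator would hand out right now, the site the client believes it is in versus the DC's site, and whether a site-specific SRV record exists for that site. It assumes a domain-joined Windows 8 / Server 2012 or later machine (for `Resolve-DnsName`); `nltest.exe` and the `LOGONSERVER`/`USERDNSDOMAIN` environment variables exist on any domain member.

```powershell
# Added example: trace the DC locator decision on this client.

function Get-DcLocatorState {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # nltest prints "Key: value" lines; /force bypasses the locator cache so we see a fresh answer
    $raw = & nltest.exe "/dsgetdc:$Domain" /force 2>&1
    $state = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(?<k>[A-Za-z ]+?):\s+(?<v>\S.*)$') {
            $state[$matches['k'].Trim()] = $matches['v'].Trim()
        }
    }
    [pscustomobject]@{
        Domain      = $Domain
        LogonServer = $env:LOGONSERVER          # DC that actually processed this session's logon
        LocatedDC   = $state['DC']              # DC the locator hands out right now
        DcSite      = $state['Dc Site Name']    # site of that DC
        OurSite     = $state['Our Site Name']   # blank when Netlogon could not map our IP to a site
    }
}

function Get-DcSrvRecords {
    param([string]$Domain = $env:USERDNSDOMAIN, [string]$Site)
    # The site-specific name is what the locator tries first; the generic name lists every DC
    $name = if ($Site) { "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" } else { "_ldap._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object @{ n = 'Query'; e = { $name } }, NameTarget, Priority, Weight, Port
}

$state = Get-DcLocatorState
$state | Format-List

if (-not $state.OurSite) {
    Write-Warning "This client's IP matches no AD subnet object; the locator falls back to the generic record and may return any DC in the domain."
    Get-DcSrvRecords -Domain $state.Domain | Format-Table -AutoSize
} else {
    $siteDcs = @()
    try   { $siteDcs = @(Get-DcSrvRecords -Domain $state.Domain -Site $state.OurSite) }
    catch { Write-Warning "SRV lookup for site '$($state.OurSite)' failed: $($_.Exception.Message)" }

    if ($siteDcs.Count -eq 0) {
        Write-Warning "No SRV records registered for site '$($state.OurSite)': no DC is registered for (or covering) this site, so clients here will roam."
    } elseif ($state.DcSite -ne $state.OurSite) {
        Write-Warning ("Using {0} in site '{1}' although our site is '{2}'. Check reachability/load of: {3}" -f
            $state.LocatedDC, $state.DcSite, $state.OurSite, ($siteDcs.NameTarget -join ', '))
    } else {
        "In-site DCs for '{0}': {1}" -f $state.OurSite, ($siteDcs.NameTarget -join ', ')
    }
}
```

When `OurSite` is populated but `DcSite` differs, the referral mechanism the comment describes has already happened (the client knows its site) and the remaining explanations are the ones given elsewhere in this thread: the in-site DC was unreachable, too busy, or not resolvable through the DNS server the client was handed.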
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 500 total points
ID: 33422532
DHCP might be passing down DNS servers that are used to discover the authoritative server for authentication.

Let's say within DHCP scope options, you set an internal DNS server to provide DNS resolution and an external one.

Once in a while your external one will handle DNS requests, meaning it provides DNS resolution for the SRV records. The SRV records in DNS point the way to the authentication server. The only place on a domain that should have ANY outside DNS servers is in DNS forwarders or Root Hints.

Go into DHCP scope options and change your DNS servers to Internal DNS servers. Also make sure that your router is not supplying DHCP, (and therefore DNS), for this same reason.

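The quickest way to prove or disprove the mixed-resolver theory above is to ask each DNS server the client has been handed, directly, for the domain's DC SRV record: an internal DNS server answers it, an ISP or other external resolver cannot. The script below is an added example, not code from the thread. It assumes a Windows 8 / Server 2012 or later machine (`Get-DnsClientServerAddress` and `Resolve-DnsName`); the trailing DHCP check additionally assumes it runs on a Windows DHCP server with the `DhcpServer` module, and the scope ID `10.50.12.0` there is hypothetical.

```powershell
# Added example: flag configured DNS servers that cannot resolve the DC locator SRV record.

function Test-DnsServerForDcLocator {
    param([Parameter(Mandatory)][string]$Server, [string]$Domain = $env:USERDNSDOMAIN)
    $srv = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        # -DnsOnly skips the hosts file/LLMNR/NetBIOS so the answer really comes from $Server
        $answer = @(Resolve-DnsName -Name $srv -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Server       = $Server
            ServesDomain = ($answer.Count -gt 0)
            Detail       = ($answer.NameTarget -join ', ')
        }
    } catch {
        [pscustomobject]@{ Server = $Server; ServesDomain = $false; Detail = $_.Exception.Message }
    }
}

function Get-AdapterDnsServers {
    # One row per (interface, IPv4 resolver) pair, as the client currently has them
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($addr in $_.ServerAddresses) {
                [pscustomobject]@{ Interface = $alias; Server = $addr }
            }
        }
}

$results = foreach ($entry in Get-AdapterDnsServers) {
    Test-DnsServerForDcLocator -Server $entry.Server |
        Add-Member -NotePropertyName Interface -NotePropertyValue $entry.Interface -PassThru
}
$results | Format-Table Interface, Server, ServesDomain, Detail -AutoSize

$bad = @($results | Where-Object { -not $_.ServesDomain })
if ($bad.Count -gt 0) {
    Write-Warning ("Resolver(s) that cannot locate a DC and should not be in any DHCP scope: " + ($bad.Server -join ', '))
}

# On a Windows DHCP server: run the same test against what scope option 006 (DNS Servers) hands out.
# Scope ID is hypothetical; adjust to the scope serving the affected site.
if (Get-Command Get-DhcpServerv4OptionValue -ErrorAction SilentlyContinue) {
    $scopeDns = (Get-DhcpServerv4OptionValue -ScopeId 10.50.12.0 -OptionId 6).Value
    $scopeDns | ForEach-Object { Test-DnsServerForDcLocator -Server $_ } |
        Format-Table Server, ServesDomain, Detail -AutoSize
}
```

A resolver that shows `ServesDomain = False` with an NXDOMAIN-style error is exactly the external server the comment warns about; every client that happens to query it first will roam. Internal servers that also fail point at a DNS problem (missing `_msdcs` zone, stale delegation) rather than a DHCP one.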
 
LVL 7

Author Comment

by:ottobock
ID: 33423796
Big Thanks to everyone - I have some things to check the next time I come across this again!
 
LVL 7

Author Closing Comment

by:ottobock
ID: 33469089
Thanks for the great information everyone! I have a better idea now of what to look at next time I come across this.