Solved

Active Directory Connects To Remote Domain Controller Instead of Local DC

Posted on 2010-08-12
Last Modified: 2012-05-10
Hello,

We have domain controllers at most sites all around the world. When I open Active Directory Users and Computers at most locations or on servers, it connects to the local DC. Client logins also mostly connect to the local DCs too.

However, sometimes servers and clients, for some reason unknown, connect/authenticate against DCs which are located elsewhere around the world. I can tell with the client when login is really slow and the login script shows the DC. I can tell on servers for the obvious reason that it shows the DC hostname at the top, and it is also really slow to work with.

Any ideas why some machines would do this? It appears to be rare and random, but confusing (???) Are there ways to force a client / server to default to a DC?

Thanks for your time and any insight!
Question by:ottobock
11 Comments
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33421271
Do you have sites and subnets configured in Active Directory Sites and Services?
 
LVL 9

Expert Comment

by:ThaVWMan
ID: 33421456
Yes, Sites and Services must be configured, otherwise clients will assume that all of your DCs and GCs are in the same area, even if they are located across WAN links.  Once you create the sites, and link the subnets to the sites, the KCC will automatically generate site links to the different sites.  If you want to control how and with what servers a specific site syncs (because of slow links, etc.), you can manually create your site links, and manually set your replication times.

To access Sites and Services, log into a DC and go to the admin tools, then AD Sites and Services.  This is a must-do setup if you have more than one physical subnet in your Active Directory domain!
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33421489
If you have Sites and Services configured as recommended in the above posts, this case might arise for new clients or clients who do not know what site they belong to, like new installations and/or disk re-images, etc.

As the client does not know what site it belongs to, it chooses a random DC from the GetDC query results.
 
LVL 7

Author Comment

by:ottobock
ID: 33421525
Yes - Sites and Services was configured long ago. There is no change needed here.

Out of a thousand clients/servers, only a few experience this issue from time-to-time. I never put much analysis into it to determine if after a few reboots, the issue resolves itself.

wondering if there was some client registry entry or something similar...
 
LVL 9

Accepted Solution

by:
ThaVWMan earned 150 total points
ID: 33421550
It could also be that if the local DC is overtaxed, the client will move on to the next available DC.  So, if you only have one DC in a site, and it is too busy to process the logon request, the client has no choice but to traverse the WAN to authenticate.

You should see if this only happens at specific sites.  If so, either add a second DC, or upgrade the hardware on the current one.
 
LVL 7

Expert Comment

by:frajico
ID: 33421579
Are the DCs W2000/2003/2008?

How do they have DNS configured?
 
LVL 5

Assisted Solution

by:TechnicallyMaybe
TechnicallyMaybe earned 75 total points
ID: 33421584
Also, if the client can't resolve or connect to the local DC they will roam.
 
LVL 10

Assisted Solution

by:dhruvarajp
dhruvarajp earned 150 total points
ID: 33421644
Yes, it is clients not being aware of the sites they belong to. If the DNS query for domain controller SRV records does NOT contain the client's site, they might get connected to DCs out of site.

However, DCs out of site do send the client back to their original DCs for further logons by telling the client "your site is siteA", or whatever that turns out to be.
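Which site a client thinks it is in, which site its subnet actually maps to, and whether the site-specific SRV records exist can be checked with the script below. It is an added example, not code from anyone in this thread, and assumes the RSAT ActiveDirectory, DnsClient and NetTCPIP PowerShell modules (Windows 8 / Server 2012 or later) on a domain-joined machine.

```powershell
# Added example (not from any poster in this thread): is this client site-aware, and does DNS
# hold the site-specific SRV records the DC locator needs? Assumes the RSAT ActiveDirectory,
# DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later) on a domain-joined host.
Import-Module ActiveDirectory, DnsClient, NetTCPIP

$domain = $env:USERDNSDOMAIN

# 1. Site cached by the DC locator; a site-unaware client gets an error here, not a site name
$cachedSite = (nltest /dsgetsite 2>$null | Select-Object -First 1)
Write-Host "Site reported by DC locator : '$cachedSite'"

# 2. Site the client *should* be in, derived from the Sites and Services subnet table
function ConvertTo-Int64 ([string]$Ip) {
    $b = ([IPAddress]$Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}
function Test-InSubnet ([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$bits))   # e.g. /24 -> 0xFFFFFF00
    return ((ConvertTo-Int64 $Address) -band $mask) -eq ((ConvertTo-Int64 $net) -band $mask)
}
$ip = (Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
       Select-Object -First 1).IPAddress
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
           Where-Object { $_.Name -like '*.*' }                       # IPv4 subnets only
$match = $subnets | Sort-Object { [int]($_.Name.Split('/')[1]) } -Descending |
         Where-Object { Test-InSubnet $ip $_.Name } | Select-Object -First 1   # longest prefix wins
$expectedSite = if ($match) { $match.Site -replace '^CN=([^,]+),.*', '$1' } else { $null }
Write-Host "Site expected from subnets  : '$expectedSite' (client IP $ip)"
if (-not $expectedSite) { Write-Warning "No subnet covers $ip; the locator will pick from the domain-wide list" }

# 3. Do the SRV records exist? Without the _sites entry the locator falls back to the domain-wide one
foreach ($name in @("_ldap._tcp.dc._msdcs.$domain", "_ldap._tcp.$expectedSite._sites.dc._msdcs.$domain")) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
    Write-Host "$name -> $(if ($srv) { ($srv.NameTarget -join ', ') } else { 'NO RECORDS' })"
}

# 4. Which DC the locator picks right now, bypassing its cache
nltest /dsgetdc:$domain /force
```

A mismatch between the reported and expected site, or "NO RECORDS" for the `_sites` name, is the condition dhruvarajp describes, and a client with no covering subnet will keep drawing random DCs from the domain-wide list.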
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 125 total points
ID: 33422532
DHCP might be passing down DNS servers that are used to discover the authoritative server for authentication.

Let's say within DHCP scope options, you set an internal DNS server to provide DNS resolution and an external one.

Once in a while your external one will handle DNS requests, meaning providing DNS resolution for the SRV records. The SRV records in DNS, point the way to the authentication server. The only place on a domain that should have ANY outside DNS servers is in DNS forwarders or Root Hints.

Go into DHCP scope options and change your DNS servers to Internal DNS servers. Also make sure that your router is not supplying DHCP, (and therefore DNS), for this same reason.

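The DHCP point above can be audited with the script below, an added example that is not from anyone in this thread. It assumes the DhcpServer and ActiveDirectory RSAT modules (Server 2012 or later), that internal DNS runs on the domain controllers (extend the set if you run separate DNS servers), and a placeholder DHCP server name.

```powershell
# Added example (not from the thread): list the DNS servers each DHCP scope hands out (option 6)
# and flag any that are not domain controllers. Assumes the DhcpServer and ActiveDirectory RSAT
# modules (Server 2012 or later); the DHCP server name below is a placeholder.
Import-Module DhcpServer, ActiveDirectory

$dhcpServer = 'dhcp01.example.com'   # placeholder, replace with your DHCP server

# Internal DNS is normally the DCs themselves; add your own DNS-only servers to this set if you have any
$internalDns = Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address }

function Get-DhcpDnsServers ([string]$Server, [string]$ScopeId) {
    # A scope-level option 6 overrides the server-level one; fall back when the scope has none
    $opt = Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if (-not $opt) { $opt = Get-DhcpServerv4OptionValue -ComputerName $Server -OptionId 6 -ErrorAction SilentlyContinue }
    return @($opt.Value)
}

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    $dns      = Get-DhcpDnsServers $dhcpServer $scope.ScopeId
    $external = $dns | Where-Object { $_ -notin $internalDns }
    [pscustomobject]@{
        Scope      = "$($scope.ScopeId) ($($scope.Name))"
        DnsServers = ($dns -join ', ')
        Status     = if ($external) { "CHECK: non-DC DNS $($external -join ', ')" } else { 'ok' }
    }
}
```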
 
LVL 7

Author Comment

by:ottobock
ID: 33423796
Big Thanks to everyone - I have some things to check the next time I come across this again!
 
LVL 7

Author Closing Comment

by:ottobock
ID: 33469089
Thanks for the great information everyone! I have a better idea now of what to look at next time I come across this.
