Solved

AD sites & authentication question

Posted on 2012-03-23
2
410 Views
Last Modified: 2012-08-14
I've got an interesting issue with what site my machines are authenticating against.

We are a single forest/domain company. We recently purchased another company. We purchased a new domain controller, which we set up locally. We did not create a subdomain for the new company, as we decided to simply leave them as part of our existing domain.

Once the DC was setup, i shipped it to the remote office and traveled out there. I created a new site in ADSS, defined the local subnet and moved the domain controller into the new site.

*note* - The new subnet i created is the only subnet defined under subnets.
            - There was au automatic site created right after the name of the new site, with some letters like CNF:c05d7 etc.

Back here, in the primary site, when i add computers to the domain, they are showing up in AD on the remote domain controller, and then syncing back here to the main office once replication takes place. I checked the NETLOGON parameters in the registry and the machines seem to think they are part of the remote site, and not the local site. they have a Dynamic Site Name of the remote site in question.

I was in the middle of doing a /prepareschema in the midst of an Exchange 2010 transition when i discovered that the computer wasn't using the correct site, as it was giving me errors about not being in the same site as the schema master. I had to add a registry entry under NETLOGON/PARAMETERS of "SiteName" and give it the value of my primary site, and restart the netlogon services, for the machine to recognize it was in the correct site.

Do i need to define a local subnet and add that to my primary site to force computers here to use our local domain controllers first? I want to make sure computers here are using the correct site. I'm worried my machines are authenticating to the wrong domain controllers here in the main office.
0
Comment
Question by:HornAlum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 37757511
Do i need to define a local subnet and add that to my primary site to force computers here to use our local domain controllers first?

Yes.  You should define all sites and subnets to get the results you're looking for.  Important for the KCC to work.
0
 
LVL 5

Author Comment

by:HornAlum
ID: 37757530
yup, i figured that was it.

Added the subnet, replicated the settings. removed and readded the computer and now it's showing up on the correct domain controller first, under AD U&C

Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question