2008 R2 Domain Controller connects to wrong AD Site

Hello Experts

I have two AD sites which are connected with a VPN. The first one is site1 with DC1 (Server 2003), where all FSMO roles are hosted. The second one is site2 with DC2 (Server 2008 R2) and no FSMO roles, but it has the GC. At site2 there is also an Exchange Server 2010.

My problem is that when I start the "AD Users and Computers" snap-in on DC2 at site2, it connects to DC1 at site1. As the two sites are connected over the WAN, it takes some time until the snap-in connects. Also the Exchange server acts very sluggish.

What can I do to solve these problems? The first one is: what can I do to connect the AD snap-in to the DC at the same site?

Sandeshdubey (Senior Server Engineer) commented:
If AD Sites and Services is set up correctly, ensure that the client DNS settings are set correctly. Also check the DC DNS settings: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

See these threads too:
Client going to different Domain Controller randomly for authentications
Sites and Services - Client authenticating on wrong DC
Will Szymkowski (Senior Solution Architect) commented:
In AD Sites and Services you need to make sure that you have created subnets for each site and then associated both sites with the default site link.

Also, under the NTDS Settings for both, make sure that you have connections to the other DCs that have been automatically created by the KCC.

You can also run the command repadmin /bridgeheads to find out if your DCs are correctly acting as bridgehead servers as well.

Check your DNS settings on the servers/workstations in each site as well, because you do not want to make DNS requests across the WAN.

If this is not set properly, this is why servers or computers are not always authenticating to the correct DC. I would also check the event logs on your DCs to see if you are encountering any other issues, if you have Sites and Services configured properly.


Pramod Ubhe commented:
At site2, on the machine where you are trying to open ADUC, run the 'Set logonserver' command.
If the output is not the local DC, then there is some issue with the IP subnet mappings in AD Sites and Services.

1) Right-click "AD Users and Computers", choose "Connect to Domain Controller", check that DC2 at site2 is listed and select it. It's a temporary fix.

2) Check that DC2 is acting as DC for site2: Nltest /dsgetsite.

3) Run the command Set L on DC2.

4) Check that the DC2 IP address and subnet are configured properly for Site 2, and check for any subnet conflicts.

5) Take one current user from site2 and run the command, e.g.: nltest /whowill:ESS bob


Also check the replication and time sync of DC2.
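The checks above (subnet-to-site mapping, LOGONSERVER, nltest /dsgetsite and nltest /dsgetdc, DNS client order) can be run together. The script below is an added, read-only example written for this thread, not something posted by any of the participants. It assumes PowerShell 3.0 or later (available on 2008 R2 via WMF 3.0), a domain name and an expected DC name that you replace with your own, and it uses the documented output layout of nltest /dsgetdc (the "Dc Site Name", "Our Site Name" and "Flags" lines, where CLOSE_SITE means the locator found a DC in or covering the client's own site). With -Offline it parses a constructed sample that reproduces the situation in the question: a client in Site2 being handed DC1 in Site1.

```powershell
# Added example (not from the thread): read-only checks of which DC and site this
# machine is using. Run in an elevated PowerShell on the DC or client being investigated.
# Domain name and expected DC are assumptions; replace them with your own values.
param(
    [string]$Domain     = 'corp.example.com',   # assumption: your AD DNS domain
    [string]$ExpectedDc = 'DC2',                # assumption: the DC that should serve this site
    [switch]$Offline                            # parse the constructed sample instead of running nltest
)

# Constructed sample of 'nltest /dsgetdc' output, used only with -Offline.
$SampleDsGetDc = @'
           DC: \\DC1.corp.example.com
      Address: \\10.0.1.10
     Dom Guid: 00000000-0000-0000-0000-000000000000
     Dom Name: corp.example.com
  Forest Name: corp.example.com
 Dc Site Name: Site1
Our Site Name: Site2
        Flags: PDC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS 0x8000
The command completed successfully
'@ -split "`r?`n"

function ConvertFrom-DsGetDc {
    # Turn the 'Key: Value' lines of nltest /dsgetdc into a hashtable.
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z ]+?):\s*(.*)$') {
            $result[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-SiteAffinity {
    # Compare the DC the locator returned with the site this machine maps to.
    param([string[]]$DsGetDcLines, [string]$ExpectedDc)
    $info      = ConvertFrom-DsGetDc -Lines $DsGetDcLines
    $dc        = ($info['DC'] -replace '^\\\\', '') -replace '\..*$', ''   # \\DC1.corp... -> DC1
    $dcSite    = $info['Dc Site Name']
    $ourSite   = $info['Our Site Name']
    $closeSite = $info['Flags'] -match '\bCLOSE_SITE\b'
    [pscustomobject]@{
        LocatedDc = $dc
        DcSite    = $dcSite
        OurSite   = $ourSite
        CloseSite = $closeSite
        # Healthy when the locator hands back a DC in our own site (CLOSE_SITE set)
        # and it is the DC we expect for this site.
        Healthy   = ($closeSite -and $dcSite -eq $ourSite -and $dc -ieq $ExpectedDc)
    }
}

function Get-DnsClientOrder {
    # DNS servers in the order the client queries them (WMI works on 2008 R2 too).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DNSServerSearchOrder } |
        ForEach-Object {
            [pscustomobject]@{ Adapter = $_.Description; DnsServers = ($_.DNSServerSearchOrder -join ', ') }
        }
}

if ($Offline) {
    $lines = $SampleDsGetDc
} else {
    # LOGONSERVER reflects the DC that authenticated this logon session.
    "LOGONSERVER : $env:LOGONSERVER"
    # dsgetsite prints the site this machine's IP maps to through the AD subnets.
    "dsgetsite   : $("$(& nltest /dsgetsite 2>&1 | Select-Object -First 1)".Trim())"
    # /force bypasses the DC locator cache so the answer reflects current site/subnet data.
    $lines = & nltest /dsgetdc:$Domain /force 2>&1
    Get-DnsClientOrder | Format-Table -AutoSize
}

$affinity = Test-SiteAffinity -DsGetDcLines $lines -ExpectedDc $ExpectedDc
$affinity | Format-List
if (-not $affinity.Healthy) {
    # DcSite differing from OurSite, or a missing CLOSE_SITE flag, points at the
    # subnet-to-site mapping in AD Sites and Services or at the site-specific DNS SRV records.
    Write-Warning "Locator returned $($affinity.LocatedDc) in site '$($affinity.DcSite)' for a client in '$($affinity.OurSite)'."
}
```

Run it as `.\Test-SiteAffinity.ps1 -Domain yourdomain.local -ExpectedDc DC2` on DC2; with `-Offline` the constructed sample yields Healthy = False and the warning, which is the same symptom the author reports.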
deibel (Author) commented:
Set logonserver on dc2/site2 shows dc1/site1.

Under AD Sites and Services I have subnets for each site and both sites are associated with the default site link.

Under the NTDS Settings there is only one automatically created connection on dc2/site2; on dc1/site1 it is missing. That's curious because the logonserver is the one that is missing.

The DCs are acting correctly as bridgehead servers.

The DNS settings are: each server points first to itself and then to the other one.

The only event log entry that I can find is NtFrs warning 13508.
Pramod Ubhe commented:
In AD Sites and Services you need to create a new site, associate the IP range of site 2 with it and move dc2 to this new site.
Also you will need to create a new site link for this.
Pramod Ubhe commented:
Also there should be a 13509 followed by 13508; if not, it is likely that both DCs are out of sync.
deibel (Author) commented:
There are 2 sites, the IP range is also associated and the servers are on the right site.

There is no 13509 event.
Pramod Ubhe commented:
Then you have issues in FRS, and it can be confirmed by running the GPUPDATE /force command on dc2; there should be some errors applying GPO.

Check that ports 49152 and 49153 are assigned to ntfrs with this command: netstat -bano
If not, you have to exclude them from dynamic assignment and reboot dc2.
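To make the FRS side of this diagnosable without eyeballing netstat output, here is an added, read-only example script written for this thread (not code from any participant). It parses the listening sockets from netstat -ano and resolves the owning process per PID, which gives the same answer as netstat -bano without depending on the multi-line -b layout; it reads the documented NtFrs registry value "RPC TCP/IP Port Assignment" (absent when the port is dynamic), lists the administered TCP port exclusions via netsh, and pulls 13508/13509 events from the File Replication Service log. It assumes PowerShell 3.0 or later and that the partner name is the first insertion string of those two events. The expected ports are the two named in the thread; with -Offline it runs against a constructed sample in which 49153 is held by another process.

```powershell
# Added example (not from the thread): read-only FRS health checks on a DC.
# Run in an elevated PowerShell on the DC being investigated (DC2 in the thread).
param(
    [int[]]$ExpectedPorts = @(49152, 49153),   # ports the thread expects ntfrs to own
    [int]$Days = 7,                            # how far back to look for FRS events
    [switch]$Offline                           # use constructed sample data instead of netstat/netsh
)

# Constructed sample of 'netstat -ano' listening lines, used only with -Offline.
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       692
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       1152
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       496
'@ -split "`r?`n"
# Constructed PID-to-process map matching the sample above.
$SamplePids = @{ 692 = 'svchost'; 1152 = 'ntfrs'; 496 = 'wininit' }

function ConvertFrom-NetstatListeners {
    # Parse 'netstat -ano' lines into objects for TCP sockets in LISTENING state.
    param([string[]]$Lines, [hashtable]$PidMap)
    foreach ($line in $Lines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]; $procId = [int]$Matches[2]
            # Offline: look the PID up in the sample map; live: ask the OS for the process name.
            $name = if ($PidMap) { $PidMap[$procId] } else { (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName }
            [pscustomobject]@{ Port = $port; PID = $procId; Process = $name }
        }
    }
}

function Test-FrsPorts {
    # For each expected port, report which process actually owns it.
    param([object[]]$Listeners, [int[]]$Ports)
    foreach ($p in $Ports) {
        $owner = $Listeners | Where-Object { $_.Port -eq $p } | Select-Object -First 1
        [pscustomobject]@{
            Port    = $p
            Owner   = if ($owner) { $owner.Process } else { '(not listening)' }
            IsNtfrs = [bool]($owner -and $owner.Process -ieq 'ntfrs')
        }
    }
}

function Get-FrsStaticPort {
    # NtFrs can be pinned to a fixed RPC port through this documented registry value;
    # an empty result means the port is assigned dynamically at service start.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    (Get-ItemProperty -Path $key -Name 'RPC TCP/IP Port Assignment' -ErrorAction SilentlyContinue).'RPC TCP/IP Port Assignment'
}

function Get-FrsEvents {
    # 13508 = FRS cannot replicate from a partner; 13509 = that partnership recovered.
    param([int]$Days)
    Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 13508, 13509 } |
        Select-Object TimeGenerated, EventID, @{ n = 'Partner'; e = { $_.ReplacementStrings[0] } } |
        Sort-Object TimeGenerated
}

if ($Offline) {
    $listeners = ConvertFrom-NetstatListeners -Lines $SampleNetstat -PidMap $SamplePids
} else {
    $listeners = ConvertFrom-NetstatListeners -Lines (& netstat -ano 2>&1)
    "Static NtFrs RPC port (registry): $(Get-FrsStaticPort)"
    # Administered exclusions keep the dynamic port allocator away from a range.
    & netsh int ipv4 show excludedportrange protocol=tcp
    "FRS events (last $Days days):"
    Get-FrsEvents -Days $Days | Format-Table -AutoSize
}

$report = Test-FrsPorts -Listeners $listeners -Ports $ExpectedPorts
$report | Format-Table -AutoSize
foreach ($r in ($report | Where-Object { -not $_.IsNtfrs })) {
    # In the sample, 49153 belongs to wininit, so ntfrs did not get the port it is expected to use.
    Write-Warning "Port $($r.Port) is owned by '$($r.Owner)', not ntfrs."
}
```

A port reported as owned by another process, together with 13508 events that are never followed by 13509, is the pattern the thread describes; the script only reports it, so the exclusion and reboot remain a deliberate change to make afterwards.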