2008 R2 DomainController connects to wrong AD Site

Hello Experts

I have two AD sites which are connected with VPN. The first one is site1 with DC1 (Server 2003) where all FSMO roles are hosted. The second one is site2 with DC2 (Server 2008 R2) and no FSMO roles, but it has the GC. At the same site2 there is also an Exchange Server 2010.

My problem is that when I start the "AD Users and Computers" snap-in on DC2 at site2, it connects to DC1 at site1. As the two sites are connected over the WAN, it takes some time until the snap-in connects. Also the Exchange server acts very sluggish.

What can I do to solve these problems? The first one is: what can I do to connect the AD snap-in at the same site?


regards
deibel
deibel asked:

Will Szymkowski, Senior Solution Architect, commented:
In AD Sites and Services you need to make sure that you have created subnets for each site and then associate both sites to the default site link.

Also under the NTDS settings for both, check that you have connections to the other DCs that have been automatically created by the KCC.

You can also run the command repadmin /bridgeheads to find out if your DCs are correctly acting as bridgehead servers as well.

Check your DNS settings on the servers/workstations in each site as well, because you do not want to make DNS requests across the WAN.


If this is not set properly, this is why servers or computers are not always authenticating to the correct DC. I would also check the event logs on your DCs as well to see if you are encountering any other issues, if you have Sites and Services configured properly.

Thanks

Will
Pramod Ubhe commented:
At site 2, on the machine where you are trying to open ADUC, run the 'set logonserver' command.
If the output is not the local DC then there is some issue with the IP subnet mappings in AD Sites and Services.
Jaihunt commented:
1) Right-click "AD Users and Computers", choose Connect to Domain Controller, check that DC2 at site2 is listed and select it. It's a temporary fix.

2) Check that DC2 is acting as DC for site2: Nltest /dsgetsite.

3) Run the command Set L in DC2.

4) Check that the DC2 IP address and subnet are configured properly with Site 2, and check for any subnet conflicts.

5) Take one current user from site2 and run the command, e.g.: nltest /whowill:ESS bob

http://support.microsoft.com/kb/158148/en-us
http://windowsitpro.com/windows-server/nltest

Also check the replication and time sync of DC2.
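One way to do steps 2 to 4 of the answer above from a single script, as an added PowerShell example that is not code from this thread: it assumes it runs on a domain member at site2 (DC2 itself, for instance) with ADSI access and nltest available, and it only handles IPv4 subnets.

```powershell
# Added example, not from the original thread. Reads the subnet objects from AD Sites and
# Services, finds the subnet(s) covering this machine's IPv4 address, and compares the site
# they map to with what the DC locator reports (nltest /dsgetsite) and with the logon
# server this session picked ($env:LOGONSERVER, the same value 'set logonserver' shows).

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)                    # to host order
    $ip  = [BitConverter]::ToUInt32($ipBytes, 0)
    $net = [BitConverter]::ToUInt32($netBytes, 0)
    # Mask built arithmetically so this also runs on PowerShell 2.0 (no -shl operator there)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    return (($ip -band $mask) -eq ($net -band $mask))
}

function Get-ADSiteSubnets {
    # Subnet objects live under CN=Subnets,CN=Sites in the configuration partition;
    # each carries a siteObject attribute naming the site it is associated with.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties["configurationNamingContext"][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
    $searcher.Filter = "(objectClass=subnet)"
    foreach ($result in $searcher.FindAll()) {
        $siteDn = [string]$result.Properties["siteobject"][0]
        $site = '(no site assigned)'
        if ($siteDn) { $site = ($siteDn -split ',')[0] -replace '^CN=', '' }
        New-Object PSObject -Property @{ Subnet = [string]$result.Properties["cn"][0]; Site = $site }
    }
}

$ipv4 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
        ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        Select-Object -First 1
# All matches are listed: more than one hit means overlapping subnets (a subnet conflict).
$hits = @(Get-ADSiteSubnets | Where-Object { Test-IPInCidr $ipv4 $_.Subnet })
$mapping = 'NONE - no subnet covers this address, so the locator may return a DC from any site'
if ($hits.Count) { $mapping = ($hits | ForEach-Object { "$($_.Subnet) -> $($_.Site)" }) -join ', ' }

"Local IPv4 address   : $ipv4"
"Subnet match in AD   : $mapping"
"Site per DC locator  : " + (nltest /dsgetsite 2>&1 | Select-Object -First 1)
"LOGONSERVER          : $env:LOGONSERVER"
```

If the subnet line says NONE, or maps to a different site than the locator reports, the fix belongs in AD Sites and Services rather than in the snap-in.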

deibel (Author) commented:
Set logonserver on dc2/site2 shows dc1/site1.

Under AD Sites and Services I have subnets for each site and both sites are associated to the default site link.

Under the NTDS settings there is only one automatically created connection, on dc2/site2; on dc1/site1 it's missing. That's curious because the logonserver is the one that is missing.

The DCs are acting correctly as bridgehead servers.

The DNS settings are: each server points first to itself and then to the other one.

The only event log entry that I can find is the NtFrs warning 13508.
Pramod Ubhe commented:
In AD Sites and Services you need to create a new site, associate the IP range of site 2 with it and move dc2 to this new site.
Also you will need to create a new site link for this.
Pramod Ubhe commented:
Also there should be a 13509 followed by 13508; if not, it is likely that both DCs are out of sync.
deibel (Author) commented:
There are 2 sites, the IP range is also associated and the servers are on the right site.

There is no 13509 event.
Pramod Ubhe commented:
Then you have issues in FRS, and it can be confirmed by running the GPUPDATE /force command on dc2. There should be some errors applying GPO.

Check that ports 49152 and 49153 are assigned to ntfrs with this command: netstat -bano
If not, you have to exclude them from dynamic assignment and reboot dc2.
Sandeshdubey, Senior Server Engineer, commented:
If AD Sites and Services is set correctly, ensure that the client DNS setting is set correctly. Also check the DC DNS setting too: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

See this thread too.
Client going to different Domain Controller randomly for authentications
http://sgwindowsgroup.org/blogs/panda/archive/2010/03/19/client-going-to-different-domain-controller-randomly-for-authentications-cause-and-solution.aspx

Sites and Services - Client authenticating on wrong DC
http://social.technet.microsoft.com/Forums/windowsserver/en-US/f93e9293-d207-4fc4-b670-de99f7f9d029/sites-and-services-client-authenticating-on-wrong-dc