Solved

Active Directory

Posted on 2013-11-07
Last Modified: 2014-03-04
Hello,

We are experiencing a strange problem with AD.

In our network, with 5 sites (one HQ and 4 other offices connected using VPN tunnels), we use AD. At the HQ we have a primary DC/DNS Windows 2008 R2 server; at the sites we have domain controllers as well. DNS Sites and Services is set up with subnets connected to the remote office DCs and subnets.

Problem: when a computer tries to ping our domain.local from, let's say, Remote Office A, sometimes a DC from Remote Office C, for example, is resolved as the DC to respond, and as the sites are not all connected there is no response.

Is this possible to resolve in DNS? It seems like a DNS problem.

Thanks,
josef
Question by:joebilek

14 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39631620
If you have a DC/DNS in every site when you ping your domain from say "Site A" the DC in Site A should reply back with the results. If this is not working correctly I would be looking at your Sites and Services setup.

Make sure that in your Sites and Services each physical site (that has a DC present) has an IP Subnet associated with the Default Site Link or another Site Link in your environment.

AD Sites and Services guide - http://technet.microsoft.com/en-us/library/cc730868.aspx

Will.
 
LVL 1

Author Comment

by:joebilek
ID: 39631670
Hello Will,

I think this is what's been done. There it looks fine. But, for example, looking at Site A's DC and DNS, it's also full of records referencing the other DCs, so any IP can be the one pointed out as supposed to respond on a domain ping.

Could it be anything else we've missed?

Thanks, Josef
 
LVL 17

Expert Comment

by:Emmanuel Adebayo
ID: 39631674
If you have a DC at each site, the local client should contact the DC at that site.
During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client.

As Spec01 said, there is an issue with your sites setup configuration and I would be looking at that.
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39631876
What happens if you run the command:
echo %logonserver%

from one of the clients that you are testing from?
 
LVL 1

Expert Comment

by:elchermans
ID: 39631948
If you run "ipconfig /flushdns" and ping the domain again, do you receive different values each time?
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39632555
Ensure correct DNS settings on the DC and client, as in this:
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Do not set a public DNS server in the TCP/IP settings of the client/member server.

Run the set l command to check which DC is used for authentication. Ensure that IP subnet information is properly defined in Active Directory: http://technet.microsoft.com/en-in/magazine/2009.06.subnets(en-us).aspx
 
LVL 1

Author Comment

by:joebilek
ID: 39636934
Thanks everyone, will do some tests and get back!
 
LVL 1

Author Comment

by:joebilek
ID: 39659580
Still awaiting customer feedback, will update when we have final data.
 
LVL 1

Author Comment

by:joebilek
ID: 39685277
Hi all, appreciate all your help. I perhaps need to be a little bit more detailed.

Client A sits at Site B. Site B has no DC, but a VPN tunnel to Site A where DC X is located.
Client A's primary DNS server is DC X.

Site A and Site B have different subnets.

When client A pings the domain.local name we get different responses each time, I guess from DC X. What we would like is for DC X to always respond with its own IP, so that client A, when logging on to the network and AD, can process GPO etc.

How can we accomplish this? Is there a way?

Thanks,
josef
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39685302
If you have no DNS on the client side, I would recommend the following.

Add the DNS server (DC X) and IP (of DC X) to your router on the client side so that you can use the router as DNS and gateway for your clients on the client side.

or

Install a DNS server on site.

or

Use your Windows hosts file. Edit the file and add your server name and IP address to your hosts file.
 
LVL 1

Author Comment

by:joebilek
ID: 39715960
Hello,

I am trying to get the DNS records working in our router, not so easy though with our firewall. Is there no way that just giving the clients the DC IP on the other side of the tunnel can work?

regards,
josef
 
LVL 6

Expert Comment

by:Brad Held
ID: 39738026
So here is what is going on. When you ping the domain name, DNS returns a round-robin answer from the domain controllers listed as name servers for the domain; assuming all DCs are DNS servers, it just returns one of them.

Similarly, when you originally log in, a random DC will redirect you back to a DC in your local site if one is available; if one is not available, then based on the site layout, the next closest site.

So when you say a VPN tunnel, do you mean DC-to-DC VPN or site-to-site VPN?

There is a branch office Active Directory guide that may be able to help you resolve the issue: http://www.microsoft.com/en-us/download/details.aspx?id=5838 - it's a free download but a little long-winded.
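The behaviour Brad Held describes above (round-robin A records for the domain name versus the site-aware DC locator), together with the checks the accepted answer asks for (the LOGONSERVER value from set l and the subnet definitions in AD Sites and Services), can be observed side by side with the following PowerShell diagnostic. This is an added example, not code from the thread or from Microsoft. It assumes a domain-joined Windows 8 / Server 2012 or later client with the DnsClient and NetTCPIP cmdlets and the ActiveDirectory RSAT module installed; domain.local is the thread's placeholder domain name, and the Test-IPv4InCidr helper is written here for illustration only.

```powershell
# Added diagnostic example (not code from the thread or from Microsoft).
# Assumes: a domain-joined Windows 8 / Server 2012 or later client with the
# DnsClient and NetTCPIP cmdlets and the ActiveDirectory RSAT module installed.
# 'domain.local' is the thread's placeholder domain name; replace it.
$Domain = 'domain.local'

function Test-IPv4InCidr {
    # Hypothetical helper written for this example: $true when an IPv4 address
    # lies inside a CIDR block such as 10.20.0.0/16 (the Name of an AD subnet object).
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $addr = [System.Net.IPAddress]::Parse($IPAddress)
    $net  = [System.Net.IPAddress]::Parse($network)
    if ($addr.AddressFamily -ne 'InterNetwork' -or $net.AddressFamily -ne 'InterNetwork') { return $false }
    [long]$a = 0; foreach ($b in $addr.GetAddressBytes()) { $a = ($a -shl 8) -bor $b }
    [long]$n = 0; foreach ($b in $net.GetAddressBytes())  { $n = ($n -shl 8) -bor $b }
    [long]$mask = if ([int]$prefix -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF }
    return (($a -band $mask) -eq ($n -band $mask))
}

# 1. What 'ping domain.local' resolves: the domain's own A records. Every DC
#    registers its IP here, so DNS rotates the answer (round robin) across all
#    DCs in every site. A different address on each ping is expected behaviour.
$domainA = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'A' }
Write-Host "A records for $Domain (round robin, not site-aware):"
$domainA | ForEach-Object { Write-Host "  $($_.IPAddress)" }

# 2. The site AD assigns to this client from its IP and the subnet objects in
#    AD Sites and Services. Empty means the client's subnet is not mapped, so
#    the locator has no 'closest site' to prefer.
try {
    $clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
} catch {
    $clientSite = ''
}
Write-Host "Client site: '$clientSite'"

# 3. The DC the locator (DsGetDcName) picks right now, and the logon server the
#    current session used (the value 'set l' / 'echo %logonserver%' shows).
$dc = Get-ADDomainController -Discover -DomainName $Domain -ErrorAction Stop
Write-Host "Locator picked $($dc.HostName) in site '$($dc.Site)'"
Write-Host "LOGONSERVER for this session: $env:LOGONSERVER"

# 4. Site-scoped SRV records, the locator's first query. A site without its own
#    DC gets these records from the DC in the nearest site via automatic site
#    coverage; if none exist, the locator falls back to _ldap._tcp.dc._msdcs.<domain>,
#    which lists every DC and so behaves like the round robin in step 1.
if ($clientSite) {
    $srvName = "_ldap._tcp.$($clientSite)._sites.dc._msdcs.$($Domain)"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' }
    Write-Host "DCs advertised in DNS for site '$clientSite':"
    $srv | ForEach-Object { Write-Host ("  {0} (priority {1}, weight {2})" -f $_.NameTarget, $_.Priority, $_.Weight) }
}

# 5. Cross-check each client IPv4 address against the AD subnet objects. An
#    unmapped address is the usual reason step 2 comes back empty.
$subnets = @(Get-ADReplicationSubnet -Filter * | Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' })
$clientIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress
foreach ($ip in $clientIPs) {
    $match = @($subnets | Where-Object { Test-IPv4InCidr -IPAddress $ip -Cidr $_.Name })
    if ($match.Count -gt 0) {
        $siteCn = ($match[0].Site -split ',')[0] -replace '^CN=', ''
        Write-Host "$ip is covered by AD subnet $($match[0].Name) -> site $siteCn"
    } else {
        Write-Warning "$ip matches no AD subnet object; the locator cannot place this client in a site"
    }
}
```

Run it on Client A at Site B. Step 1 will keep showing several addresses no matter what is configured, because the domain's A records are site-unaware by design; what decides which DC the client authenticates against is steps 2 to 4. If step 5 warns that Client A's address matches no subnet object, adding Site B's subnet under AD Sites and Services and associating it with Site A (as Will and the accepted answer suggest) is what lets the locator prefer DC X instead of whichever DC the fallback record set returns.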
 
LVL 1

Author Comment

by:joebilek
ID: 39743648
Sorry about the delay; due to Xmas I haven't been able to test yet. BRB.
joe