Solved

Active Directory

Posted on 2013-11-07
Last Modified: 2014-03-04
Hello,

We are experiencing a strange problem with AD.

In our network, with 5 sites (one HQ and 4 other offices connected using VPN tunnels), we use AD. At the HQ we have a primary DC/DNS Windows 2008 R2 server, and at the sites we have domain controllers as well. DNS Sites and Services is set up with subnets connected to the remote office DCs and subnets.

Problem: when a computer tries to ping our domain.local from, let's say, Remote Office A, sometimes a DC from Remote Office C, for example, is resolved as the DC to respond - and as the sites are not all connected there is no response.

Is this possible to resolve in DNS, seems like a DNS problem?

Thanks,
josef
Question by:joebilek

14 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39631620
If you have a DC/DNS in every site when you ping your domain from say "Site A" the DC in Site A should reply back with the results. If this is not working correctly I would be looking at your Sites and Services setup.

Make sure that in your Sites and Services each physical site (that has a DC present) has an IP Subnet associated with the Default Site Link or another Site Link in your environment.

AD Sites and Services guide - http://technet.microsoft.com/en-us/library/cc730868.aspx

Will.
 
LVL 1

Author Comment

by:joebilek
ID: 39631670
Hello Will,

I think this is what's been done. There it looks fine. But, for example, looking at site A's DC and DNS, it's also full of records referencing the other DCs, so any IP can be the one pointed out as supposed to respond on a domain ping.

Could it be anything else we've missed?

Thanks, Josef
 
LVL 16

Expert Comment

by:Emmanuel Adebayo
ID: 39631674
If you have a DC at each site, the local client should contact the DC at that site.
During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client.

As Spec01 said, there is an issue with your sites setup configuration and I would be looking at that.
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39631876
What happens if you run the command:
Echo %logonserver%

from one of your clients that you are testing from?
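The check above, plus the two DC Locator queries that go with it, as an added example (not from the thread or any of its posters). It assumes a domain-joined client running PowerShell, that domain.local is the thread's placeholder domain name, and that DCX stands for the DC the thread calls "DC X":

```powershell
# Added example, not part of the thread: client-side checks that answer "which DC is this
# workstation actually using, and which AD site does the Locator think it is in?"
# Assumptions: run on a domain-joined client; 'domain.local' and 'DCX' are placeholders.
$domain = 'domain.local'

# 1. The DC that handled this logon. Same value as `echo %logonserver%` (or `set l`) in cmd.exe.
Write-Output "Logon server (this session): $env:LOGONSERVER"

# 2. The site the DC Locator assigned to this client from its IP address. If no subnet in
#    AD Sites and Services covers the address, this reports an error instead of a site name,
#    and the Locator treats the client as site-less and may return any DC in the domain.
Write-Output "Client site according to the Locator:"
nltest /dsgetsite

# 3. Force a fresh Locator query (bypasses the cached DC) and show the chosen DC together with
#    its site ('Dc Site Name') and the client's site ('Our Site Name'). A DC from the wrong
#    site with a correct 'Our Site Name' points at missing site coverage or SRV records;
#    no 'Our Site Name' at all points at a missing subnet definition.
Write-Output "Locator result for $domain (forced re-discovery):"
nltest "/dsgetdc:$domain" /force

# 4. Ask one specific DC the same question, which also proves it is reachable over the tunnel.
nltest /server:DCX "/dsgetdc:$domain"
```

Run it from the client that shows the problem, before and after `ipconfig /flushdns`; the value worth comparing is the pair of site names in step 3, not the address that a ping of the domain name happens to return.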
 
LVL 1

Expert Comment

by:elchermans
ID: 39631948
If you run "ipconfig /flushdns" and ping the domain again, do you receive different values each time?
 
LVL 24

Accepted Solution

by:Sandeshdubey (earned 500 total points)
ID: 39632555
Ensure correct DNS settings on the DC and client as described here:
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Do not set a public DNS server in the TCP/IP settings of the client/member server.

Run the set l command to check which DC is used for authentication. Ensure that IP subnet information is properly defined in Active Directory: http://technet.microsoft.com/en-in/magazine/2009.06.subnets(en-us).aspx
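A way to verify both points of the accepted answer in one pass, as an added example that is not part of the thread. It assumes a DC or RSAT workstation with the ActiveDirectory module (2008 R2 or later), that remote WMI to the DCs is allowed by the firewall, and the client address 10.20.0.15 at the end is a constructed sample, not a value from the thread:

```powershell
# Added example, not part of the thread: checks the DNS client settings on every DC and the
# subnet-to-site mapping in AD Sites and Services, then tests one client address against it.
# Assumptions: ActiveDirectory module (2008 R2+), remote WMI reachable, 10.20.0.15 is a sample.
Import-Module ActiveDirectory

# IPv4 address -> UInt32 so subnet containment is a mask comparison.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([IPAddress]$Ip).GetAddressBytes()   # network (big-endian) order
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# Returns the subnet row covering $Address, or $null when no defined subnet covers it
# (the site-less client case, where the Locator may hand out any DC in the domain).
function Get-SiteForAddress {
    param([string]$Address, $SubnetTable)
    $ip = ConvertTo-UInt32 $Address
    foreach ($s in $SubnetTable) {
        if ($s.Subnet -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {      # IPv4 subnets only
            $net  = ConvertTo-UInt32 $matches[1]
            $bits = [int]$matches[2]
            $mask = [uint32]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - $bits))
            if (($ip -band $mask) -eq ($net -band $mask)) { return $s }
        }
    }
    return $null
}

# 1. Resolver list of every DC, read from its IP-enabled adapters. Each DC should list only
#    internal DNS servers (itself and/or other DCs); a public resolver here is a misconfiguration.
Get-ADDomainController -Filter * | ForEach-Object {
    $dns = Get-WmiObject -ComputerName $_.HostName -Class Win32_NetworkAdapterConfiguration `
               -Filter 'IPEnabled = TRUE' | ForEach-Object { $_.DNSServerSearchOrder }
    New-Object PSObject -Property @{
        DC         = $_.HostName
        Site       = $_.Site
        DnsServers = ($dns -join ', ')
    }
} | Format-Table DC, Site, DnsServers -AutoSize

# 2. Every subnet object and the site it maps to. Get-ADObject is used rather than
#    Get-ADReplicationSubnet so the same script works with the 2008 R2 module.
$cfg     = (Get-ADRootDSE).configurationNamingContext
$subnets = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$cfg" -LDAPFilter '(objectClass=subnet)' `
               -Properties siteObject |
           ForEach-Object {
               New-Object PSObject -Property @{
                   Subnet = $_.Name
                   Site   = ($_.siteObject -replace '^CN=([^,]+),.*', '$1')
               }
           }
$subnets | Format-Table Subnet, Site -AutoSize

# 3. Which subnet covers a given client address (constructed sample address).
$hit = Get-SiteForAddress -Address '10.20.0.15' -SubnetTable $subnets
if ($hit) { "10.20.0.15 is in $($hit.Subnet), site $($hit.Site)" }
else      { "10.20.0.15 is in no defined subnet: the client will have no site" }
```

Step 3 is the one to run with the real address of the client that shows the problem; an address that falls in no subnet explains a random DC better than any DNS record does.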
 
LVL 1

Author Comment

by:joebilek
ID: 39636934
Thanks everyone, will do some tests and get back!
 
LVL 1

Author Comment

by:joebilek
ID: 39659580
Still awaiting customer feedback, will update when we have final data.
 
LVL 1

Author Comment

by:joebilek
ID: 39685277
Hi all, appreciate all your help. I perhaps need to be a little bit more detailed.

Client A sits at Site B. Site B has no DC, but a VPN tunnel to Site A where DC X is located.
Client A's primary DNS server is DC X.

Site A and Site B have different subnets.

When client A pings the domain.local name we get different responses each time, I guess from DC X. What we would like is for DC X to always respond with its own IP so that client A, when logging on to the network and AD, can process GPO etc.

How can we accomplish this? Is there a way?

Thanks,
josef
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39685302
If you have no DNS on the client side I would recommend the following.

Add the DNS server (DC X) and IP (of DC X) to your router on the client side so that you can use the router as DNS and gateway for your clients on the client side.

or

Install a DNS server on site

or

Use your Windows hosts file. Edit the file and add your server name and IP address to your hosts file.
 
LVL 1

Author Comment

by:joebilek
ID: 39715960
Hello,

I am trying to get the DNS records working in our router, not so easy though with our firewall. Is there no way that just giving the clients the DC IP on the other side of the tunnel can work?

regards,
josef
 
LVL 6

Expert Comment

by:Brad Held
ID: 39738026
So here is what is going on - when you ping the domain name, DNS returns a round robin request of domain controllers listed as name servers for the domain - assuming all DCs are DNS then it just returns one.

Similarly, when you originally log in, a random DC will redirect you back to a DC in your local site if one is available; if one is not available, then based on the site layouts, the next closest site.

So when you say a VPN tunnel, do you mean DC to DC VPN or site to site VPN?

There is a branch office Active Directory guide that may be able to help you resolve the issue: http://www.microsoft.com/en-us/download/details.aspx?id=5838 - it's a free download but a little long winded
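The difference between what a ping of the domain name sees and what the Locator uses, shown as DNS queries. This is an added example, not from the thread; it assumes Windows 8 / Server 2012 or later for Resolve-DnsName (older clients can run the same queries with nslookup), and the names domain.local and SiteA are placeholders for the thread's domain and for the AD site that Client A's subnet is mapped to:

```powershell
# Added example, not part of the thread: why 'ping domain.local' and a logon pick different DCs.
# Assumptions: Resolve-DnsName available (Win8/2012+); 'domain.local' and 'SiteA' are placeholders.
$domain = 'domain.local'
$site   = 'SiteA'

# 1. A records at the zone apex. Every DC registers one (the "same as parent folder" records in
#    the DNS console) and the server rotates their order per query, so a ping of the domain
#    name gets a different DC each time, with no regard to site or reachability.
Write-Output "A records for $domain (round-robin, one per DC):"
Resolve-DnsName -Name $domain -Type A | Select-Object -ExpandProperty IPAddress

# 2. Generic DC SRV records: again every DC in the domain.
Write-Output "Generic DC SRV records:"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# 3. Site-specific SRV records: only the DCs that serve $site. This is what the Locator asks
#    for first when the client's subnet maps to $site. If the answer lists only DC X, a
#    correctly mapped client at Site B is always sent to DC X; if the answer is empty, the
#    Locator falls back to the generic list in step 2, i.e. any DC.
Write-Output "DC SRV records for site $site (site-specific):"
Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port
```

The apex A records cannot be pinned to one DC without breaking other things, so the answer to "always respond with its own IP" is step 3: map Client A's subnet to the site that DC X covers and confirm the site-specific SRV record lists DC X.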
 
LVL 1

Author Comment

by:joebilek
ID: 39743648
Sorry about the delay, due to xmas I haven't been able to test yet. Brb.
joe
