Solved

Active Directory

Posted on 2013-11-07
112 Views
Last Modified: 2014-03-04
Hello,

We are experiencing a strange problem with AD.

In our network, with 5 sites (one HQ and 4 other offices connected using VPN tunnels), we use AD. At the HQ we have a primary DC/DNS Windows 2008 R2 server, and at the sites we have domain controllers as well. DNS Sites and Services is set up with subnets connected to the remote office DCs and subnets.

Problem: when a computer tries to ping our domain.local from, let's say, Remote Office A, sometimes a DC from Remote Office C, for example, is resolved as the DC to respond, and as the sites are not all connected there is no response.

Is it possible to resolve this in DNS? It seems like a DNS problem.

Thanks,
josef
Question by:joebilek
14 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39631620
If you have a DC/DNS in every site, when you ping your domain from, say, "Site A", the DC in Site A should reply back with the results. If this is not working correctly I would be looking at your Sites and Services setup.

Make sure that in your Sites and Services each physical site (that has a DC present) has an IP Subnet associated with the Default Site Link or another Site Link in your environment.

AD Sites and Services guide - http://technet.microsoft.com/en-us/library/cc730868.aspx

Will.
 
LVL 1

Author Comment

by:joebilek
ID: 39631670
Hello Will,

I think this is what's been done; there it looks fine. But, for example, looking at the Site A DC and DNS, it's also full of records referencing the other DCs, so any IP can be the one pointed out as the one supposed to respond to a domain ping.

Could it be anything else we've missed?

Thanks, Josef
 
LVL 17

Expert Comment

by:Emmanuel Adebayo
ID: 39631674
If you have a DC at each site, the local client should contact the DC at that site.
During a search for a domain controller, the Locator attempts to find a domain controller in the site closest to the client.

As Spec01 said, there is an issue with your sites setup configuration and I would be looking at that.
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39631876
What happens if you run the command:
Echo %logonserver%

From one of your clients that you are testing from?
 
LVL 1

Expert Comment

by:elchermans
ID: 39631948
If you run "ipconfig /flushdns" and ping the domain again, do you receive different values each time?
 
LVL 24

Accepted Solution

by: Sandeshdubey (earned 500 total points)
ID: 39632555
Ensure correct DNS settings on the DC and client as described here:
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Do not set a public DNS server in the TCP/IP settings of a client/member server.

Run the "set l" command to check which DC is used for authentication. Ensure that IP subnet information is properly defined in Active Directory: http://technet.microsoft.com/en-in/magazine/2009.06.subnets(en-us).aspx
 
LVL 1

Author Comment

by:joebilek
ID: 39636934
Thanks everyone, will do some tests and get back!
 
LVL 1

Author Comment

by:joebilek
ID: 39659580
Still awaiting customer feedback, will update when we have final data.
 
LVL 1

Author Comment

by:joebilek
ID: 39685277
Hi all, appreciate all your help. I perhaps need to be a little bit more detailed.

Client A sits at Site B. Site B has no DC, but a VPN tunnel to Site A where DC X is located.
Client A's primary DNS server is DC X.

Site A and Site B have different subnets.

When Client A pings the domain.local name, we get different responses each time, I guess from DC X. What we would like is for DC X to always respond with its own IP so that Client A, when logging on to the network and AD, can process GPOs etc.

How can we accomplish this? Is there a way?

Thanks,
josef
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39685302
If you have no DNS on the client side I would recommend the following.

Add the DNS server (DC X) and IP (of DC X) to your router on the client side so that you can use the router as DNS and gateway for your clients on the client side.

or

Install a DNS server on site.

or

Use your Windows hosts file. Edit the file and add your server name and IP address to your hosts file.
 
LVL 1

Author Comment

by:joebilek
ID: 39715960
Hello,

I am trying to get the DNS records working in our router, not so easy though with our firewall. Is there no way that just giving the clients the DC IP on the other side of the tunnel can work?

Regards,
josef
 
LVL 6

Expert Comment

by:Brad Held
ID: 39738026
So here is what is going on: when you ping the domain name, DNS returns a round-robin request of the domain controllers listed as name servers for the domain; assuming all DCs are DNS, then it just returns one.

Similarly, when you originally log in, a random DC will redirect you back to a DC in your local site if one is available; if one is not available, then based on the site layout, to the next closest site.

So when you say a VPN tunnel, do you mean DC-to-DC VPN or site-to-site VPN?

There is a Branch Office Active Directory guide that may be able to help you resolve the issue: http://www.microsoft.com/en-us/download/details.aspx?id=5838. It's a free download but a little long-winded.
 
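Putting Sandeshdubey's checks (DNS client settings, "set l", subnet definitions) and Brad's point about round-robin A records versus the DC Locator together, here is an added PowerShell diagnostic to run on the affected client; it is not code from any poster. "domain.local" and the public-resolver list are assumptions, the DnsClient cmdlets need Windows 8 / Server 2012 or later, and the subnet check needs the RSAT ActiveDirectory module.

```powershell
# Added diagnostic for the symptom in this thread (not any poster's code).
# Assumptions: the domain is "domain.local"; the resolver list is constructed.
param(
    [string]$Domain = 'domain.local',
    [string[]]$PublicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1')
)

# 1. Which DNS servers does this client use? Domain members should point only
#    at internal DCs; a public resolver here breaks AD name resolution.
Write-Host "== DNS client servers =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $flag = if ($PublicResolvers -contains $srv) { ' <-- public resolver, remove' } else { '' }
            Write-Host ("{0}: {1}{2}" -f $_.InterfaceAlias, $srv, $flag)
        }
    }

# 2. The domain's A records: every DC registers one and the resolver hands them
#    out round robin, so "ping domain.local" answers from a different DC each
#    time. This is expected and is not how clients pick a logon DC.
Write-Host "`n== A records for $Domain (round-robin set) =="
Resolve-DnsName -Name $Domain -Type A -DnsOnly |
    Where-Object { $_.QueryType -eq 'A' } |
    ForEach-Object { Write-Host $_.IPAddress }

# 3. What the DC Locator actually chose; this is the DC GPO processing uses.
Write-Host "`n== Logon server and locator result =="
Write-Host "LOGONSERVER = $env:LOGONSERVER"   # same value as 'echo %logonserver%' / 'set l'
nltest /dsgetdc:$Domain                       # DC the locator returns right now
nltest /dsgetsite                             # site the client believes it is in

# 4. Is the client's subnet mapped to a site? Without a mapping the locator
#    cannot prefer the nearby DC. Needs the RSAT ActiveDirectory module.
Write-Host "`n== Subnet-to-site mappings =="
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADReplicationSubnet -Filter * |
        Select-Object Name, Site |
        Format-Table -AutoSize
} else {
    Write-Host 'ActiveDirectory module not installed; run on a DC or install RSAT.'
}
```

If section 4 shows no subnet covering Client A's address range, that missing mapping is the first thing to fix; sections 1 and 3 then tell you whether the client ends up on DC X.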
LVL 1

Author Comment

by:joebilek
ID: 39743648
Sorry about the delay; due to Xmas I haven't been able to test yet. BRB.
Joe
