Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Windows domain login server

Posted on 2014-01-06
7
Medium Priority
?
452 Views
Last Modified: 2014-01-07
I have four offices, each with their own DC, a mix of 2003 and 2008 servers. They are connected via a hardware VPN. My question is, how can you control what DC they login on in each office? I'm trying to retire an old 2003 server DC in one location, and I have transferred all five FSMO roles to the 2008 server that's been promoted. When I checked one of the users logon server, they showed a server in a remote office as being the logon server, rather than either the old 2003 server or the newly promoted 2008 server in their office. I just want to make sure the newly promoted '08 server is handling logins properly before I demote the old '03 machine. Thx for any help anyone can offer.
0
Comment
Question by:BScott52
  • 4
  • 2
7 Comments
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 1000 total points
ID: 39759879
You don't have sites set up.

Each office is hopefully on their own subnet, and each subnet should be allocated to a site.
Then when a client machine is attempting to authenticate to a domain controller, it will prefer to contact a domain controller that is in the same site.

If a DC in the same site is not available, THEN it will traverse the network to talk to a remote one. But if you have one on the same site, then why waste the bandwidth and latency to talk to a remote location?
0
 

Author Comment

by:BScott52
ID: 39759914
That's what I'm puzzled about. Each office is on a different subnet, which the VPN requires.
The local subnet of the office I'm doing the work is on a 192.168.99.x subnet, and the user in that office that I checked had logged into the DC in an office with a 2.x subnet. I don't understand why. Thx.
0
 

Author Comment

by:BScott52
ID: 39759917
Not sure what you mean by not having the sites set up.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
LVL 13

Expert Comment

by:dhoffman_98
ID: 39759942
You have to go into Active Directory Site and Subnets and create an actual SITE for each location. Otherwise, there is nothing that prevents a machine in Los Angeles from connecting to a domain controller in Australia.

You identify a Los Angeles site and you attribute the subnet for the Los Angeles location to that site. Then when the machine comes online and gets its IP address and queries the domain for a domain controller to authenticate against, it can connect to the domain controller in Los Angeles.

http://technet.microsoft.com/en-us/library/bb727051.aspx
0
 
LVL 36

Accepted Solution

by:
Seth Simmons earned 1000 total points
ID: 39759953
you have to go into AD Sites and Services and define sites there
you create subnets that exist in each site then associate that subnet with the appropriate site
the servers will then be part of that AD site and create site connections automatically for replication

computers will find a domain controller to authenticate with that's in the same site
if there are no domain controllers in a site then it will find other domain controllers in other sites which (depending on your topology) could cause network latency

your local office should be defined and associated with the 192.168.99.0 subnet while the other office would be a different site associated with the 192.168.2.0 subnet.

here is more documentation explaining everything
for this exercise, you want to focus on the second section "configure an additional site"

Active Directory Sites and Services
http://technet.microsoft.com/en-us/library/cc730868.aspx
0
 

Author Comment

by:BScott52
ID: 39759969
Wow, after all these years I can't believe I didn't know that. I'll take care of it. Thanks to both for your help.
0
 

Author Comment

by:BScott52
ID: 39763996
Thanks to you both for your assistance. Sorry for the delay in closing this out.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question