• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 453
  • Last Modified:

Windows domain login server

I have four offices, each with their own DC, a mix of 2003 and 2008 servers. They are connected via a hardware VPN. My question is, how can you control what DC they login on in each office? I'm trying to retire an old 2003 server DC in one location, and I have transferred all five FSMO roles to the 2008 server that's been promoted. When I checked one of the users logon server, they showed a server in a remote office as being the logon server, rather than either the old 2003 server or the newly promoted 2008 server in their office. I just want to make sure the newly promoted '08 server is handling logins properly before I demote the old '03 machine. Thx for any help anyone can offer.
0
BScott52
Asked:
BScott52
  • 4
  • 2
2 Solutions
 
dhoffman_98Commented:
You don't have sites set up.

Each office is hopefully on their own subnet, and each subnet should be allocated to a site.
Then when a client machine is attempting to authenticate to a domain controller, it will prefer to contact a domain controller that is in the same site.

If a DC in the same site is not available, THEN it will traverse the network to talk to a remote one. But if you have one on the same site, then why waste the bandwidth and latency to talk to a remote location?
0
 
BScott52Author Commented:
That's what I'm puzzled about. Each office is on a different subnet, which the VPN requires.
The local subnet of the office I'm doing the work is on a 192.168.99.x subnet, and the user in that office that I checked had logged into the DC in an office with a 2.x subnet. I don't understand why. Thx.
0
 
BScott52Author Commented:
Not sure what you mean by not having the sites set up.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
dhoffman_98Commented:
You have to go into Active Directory Site and Subnets and create an actual SITE for each location. Otherwise, there is nothing that prevents a machine in Los Angeles from connecting to a domain controller in Australia.

You identify a Los Angeles site and you attribute the subnet for the Los Angeles location to that site. Then when the machine comes online and gets its IP address and queries the domain for a domain controller to authenticate against, it can connect to the domain controller in Los Angeles.

http://technet.microsoft.com/en-us/library/bb727051.aspx
0
 
Seth SimmonsSr. Systems AdministratorCommented:
you have to go into AD Sites and Services and define sites there
you create subnets that exist in each site then associate that subnet with the appropriate site
the servers will then be part of that AD site and create site connections automatically for replication

computers will find a domain controller to authenticate with that's in the same site
if there are no domain controllers in a site then it will find other domain controllers in other sites which (depending on your topology) could cause network latency

your local office should be defined and associated with the 192.168.99.0 subnet while the other office would be a different site associated with the 192.168.2.0 subnet.

here is more documentation explaining everything
for this exercise, you want to focus on the second section "configure an additional site"

Active Directory Sites and Services
http://technet.microsoft.com/en-us/library/cc730868.aspx
0
 
BScott52Author Commented:
Wow, after all these years I can't believe I didn't know that. I'll take care of it. Thanks to both for your help.
0
 
BScott52Author Commented:
Thanks to you both for your assistance. Sorry for the delay in closing this out.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now