I have three Active Directory sites (A, B & C). Sites A & B have been in operation for many years and have no issues. Site C is new.
Site C consists of the following subnets:
- 10.0.1.0/24 - web servers
- 10.0.2.0/24 - app servers
- 10.0.3.0/24 - domain controllers
All subnets, sites and site links, etc., have been created in Sites and Services.
Site C has 2 domain controllers up and running fine (in the 10.0.3.0/24 subnet).
Replication between all domain controllers in all sites works without error. I've run the following to confirm replication is working:
dcdiag /test:checksecurityerror /replsource: Site-B domain controller
I've used the nltest /dsgetsite command on member servers in Site C to check which site each server is associated with. Each Site C member server shows it's a member of either Site A or B, but not C. Also, the system variable LOGONSERVER= on all Site C member servers shows a domain controller in Site A or B. When I run nltest /dsgetsite on the Site C domain controllers, they both show correctly that they belong to Site C. There have been rare cases where, very briefly, I've seen the nltest /dsgetsite command return the correct site for Site C member servers, but shortly after the value changes to either Site A or B.
The problem scenario above has been reproduced in all of the Site C subnets, even 10.0.3.0/24, where the domain controllers themselves are OK. Test servers have been created in each Site C subnet to check whether correct site association occurs - it doesn't.
I've confirmed that the firewall config between all subnets in Site C is correct - I've basically opened a bidirectional any/any rule to assist with troubleshooting. A similar rule has been created for the bridgehead servers in Sites A & B to the bridgehead server in Site C. Every port in every direction is open.
I've been working on this issue for a while now but haven't been able to crack it. Any and all suggestions are welcome.
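The following PowerShell script is an added example for the site-association check described in the question; it is not part of the original post and not the poster's own code. Run on a Site C member server, it reads every IPv4 subnet defined in Sites and Services, works out which site the server's addresses should resolve to (the DC Locator uses the most specific matching subnet, so the script also reports any broader subnet in another site that contains the same address), and compares that with what the DC Locator actually assigned according to nltest /dsgetsite, the Netlogon DynamicSiteName and SiteName registry values, and LOGONSERVER. It assumes the RSAT ActiveDirectory module is installed, that nltest is on the path, and that the server can reach a domain controller; the subnet and site names are whatever the directory returns, so it generalizes beyond the three subnets listed above.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original question). Run on a member server whose
# site association is in doubt. Assumes RSAT's ActiveDirectory module and
# that nltest.exe is available.

function ConvertTo-UInt32Ip {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # BitConverter expects little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr {
    # True when $Ip falls inside $Cidr, e.g. Test-IpInCidr '10.0.1.15' '10.0.1.0/24'
    param([string]$Ip, [string]$Cidr)
    $net, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return (((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask))
}

function Get-ExpectedSiteReport {
    # Every IPv4 subnet object under Sites and Services, with the site it maps to.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' } |
        ForEach-Object {
            [pscustomobject]@{
                Cidr   = $_.Name
                Prefix = [int]($_.Name.Split('/')[1])
                Site   = if ($_.Site) { $_.Site -replace '^CN=([^,]+),.*', '$1' } else { '(no site)' }
            }
        }

    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress

    foreach ($ip in $addresses) {
        # The DC Locator picks the most specific (longest prefix) matching subnet;
        # anything else that also matches is an overlap worth knowing about.
        $hits = @($subnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_.Cidr } |
                 Sort-Object Prefix -Descending)
        [pscustomobject]@{
            IPAddress      = $ip
            ExpectedSite   = if ($hits) { $hits[0].Site } else { '(no matching subnet)' }
            BestMatch      = if ($hits) { $hits[0].Cidr } else { $null }
            OverlapSubnets = ($hits | Select-Object -Skip 1 | ForEach-Object { "$($_.Cidr)=$($_.Site)" }) -join ', '
        }
    }
}

function Get-ActualSiteReport {
    # What the locator actually decided, from three independent places.
    $nltest = (nltest /dsgetsite 2>$null) -join "`n"
    $nlSite = if ($nltest -match 'Site Name:\s*(\S+)') { $Matches[1] } else { '(nltest failed)' }
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NltestSite       = $nlSite
        DynamicSiteName  = $params.DynamicSiteName   # site cached by the DC Locator
        SiteNameOverride = $params.SiteName          # static override; normally absent
        LogonServer      = $env:LOGONSERVER
    }
}

$expected = Get-ExpectedSiteReport
$actual   = Get-ActualSiteReport
$expected | Format-Table -AutoSize
$actual   | Format-List

foreach ($e in $expected) {
    if ($e.OverlapSubnets) {
        Write-Warning "$($e.IPAddress): also inside subnet(s) $($e.OverlapSubnets)"
    }
    if ($e.ExpectedSite -ne $actual.NltestSite) {
        Write-Warning "$($e.IPAddress): Sites and Services maps to '$($e.ExpectedSite)' but DC Locator reports '$($actual.NltestSite)'"
    }
}
if ($actual.SiteNameOverride) {
    Write-Warning "Netlogon SiteName is set statically; it takes precedence over subnet mapping"
}
```

Reading the three "actual" values side by side matters because they come from different stages: DynamicSiteName is what the locator last cached, nltest /dsgetsite asks the locator now, and LOGONSERVER is whichever DC answered at logon. A match in Sites and Services that still yields the wrong site points at the DC-side lookup (the DC matches the client's source address as it sees it, so anything that changes that address between Site C and the responding DC would surface here), whereas an overlap warning points at a broader subnet object claiming the same address for another site.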