
Sites and services without NTDS settings

Hello Experts,

I have a customer whose AD is running into some replication issues. After further investigation, we realized that two servers are listed inside Active Directory Sites and Subnets, Server 2 and Server 2, which are not currently Domain Controllers.

They are listed inside Sites and Services but do not contain the NTDS settings that would associate them with DC authentications. The result is that it may take longer for clients to authenticate from the sites those servers are associated to.


Below are the IP sites those servers are currently configured for.
• Server1 – Site 10.21.0.0/16
• Server2 – Site 10.100.0.0/16


Would it be OK if I remove those sites?

How can I validate that there are no users/computers authenticating against those sites? Any way to prevent this and make sure they will pick another DC?

Do you believe that by removing those sites that could fix our replication issues?

Please advise
Jerry Seinfield
 
Brad Groux, Senior Manager (Wintel Engineering), commented:

1. You can have a site without domain controllers.
2. Site costing is the only way site settings affect authentication, but is generally no longer needed with today's abundance of bandwidth.
3. The KCC (Knowledge Consistency Checker) determines authentication responses from domain controllers... and YOU ARE NOT SMARTER THAN THE KCC.

Long story short, the only way having computers in a separate site will affect replication times is if Site Costing is enabled, and in this day and age, for most environments, site costing is a waste of time and effort. See Troubleshooting Active Directory Replication Problems for the proper course of action.
 
Walter Padrón commented:
You can remove the Servers if they aren't DCs anymore.

You can remove the Sites but ensure that
- The Subnets assigned to this site now point to a Site with a working DC.
- You don't have a Group Policy Object applied to the Site

You must also check the DNS zone _msdcs.yourdomain.com for stale or wrong records pointing to non-existing DCs; do the same in your domainname.com zone for NS records.
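
The checks listed in the answers above (server objects lacking NTDS Settings, subnet-to-site mapping, site-linked GPOs, stale _msdcs records) as a read-only PowerShell audit. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module and the DnsClient cmdlets are installed and that the account can read the Configuration partition.

```powershell
# Added example: read-only audit to run before removing servers or sites.
# It only queries AD and DNS; it changes nothing.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# A server object is a DC only if it has an NTDS Settings (nTDSDSA) child.
$ntds    = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSDSA)'
$dcDNs   = @($ntds | ForEach-Object { $_.DistinguishedName -replace '^CN=NTDS Settings,', '' })
$servers = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=server)' -Properties dNSHostName

'--- Server objects without NTDS Settings ---'
$servers | Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, dNSHostName, DistinguishedName | Format-Table -AutoSize

# Per site: DC count, subnets mapped to it, and whether a GPO is linked (gPLink).
$subnets = Get-ADReplicationSubnet -Filter *
$sites   = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=site)' -Properties gPLink

$report = foreach ($site in $sites) {
    $suffix = ",CN=Servers,$($site.DistinguishedName)"
    [pscustomobject]@{
        Site    = $site.Name
        DCCount = @($dcDNs | Where-Object {
                      $_.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) }).Count
        Subnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName }).Name -join ', '
        HasGPO  = -not [string]::IsNullOrWhiteSpace($site.gPLink)
    }
}
'--- Sites: DC count, subnets, GPO links ---'
$report | Sort-Object DCCount | Format-Table -AutoSize

# DC locator SRV records under _msdcs whose target is not a current DC.
$domain  = (Get-ADDomain).DNSRoot
$liveDCs = (Get-ADDomainController -Filter *).HostName

'--- _msdcs SRV targets that are not current DCs ---'
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.NameTarget -and ($liveDCs -notcontains $_.NameTarget.TrimEnd('.')) } |
    Select-Object Name, NameTarget | Format-Table -AutoSize
```

A site with `DCCount` 0 that still lists subnets or shows `HasGPO` as True needs those subnets reassigned and the GPO link reviewed before the site is deleted.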