Solved

Sites and services without NTDS settings

Posted on 2014-12-22
Last Modified: 2014-12-23
Hello Experts,

I have a customer whose AD is running into some replication issues. After further investigation, we realized that two servers are listed inside Active Directory Sites and Subnets, Server 2 and Server 2, which are not currently Domain Controllers.

They are listed inside Sites and Services but do not contain the NTDS settings that would associate them to DC authentications. The result is that it may take longer for clients to authenticate from the sites those servers are associated to.


Below are the IP sites those servers are currently configured for.
• Server1 – Site 10.21.0.0/16
• Server2 – Site 10.100.0.0/16


Would it be OK if I remove those sites?

How can I validate that there are no users/computers authenticating against those sites? Any way to prevent this and make sure they will pick another DC?

Do you believe that removing those sites could fix our replication issues?

Please advise
Question by:Jerry Seinfield
2 Comments
 
LVL 14

Accepted Solution

by:
Brad Groux earned 250 total points
ID: 40513182

1. You can have a site without domain controllers.

2. Site costing is the only way site settings affect authentication, but is generally no longer needed with today's abundance of bandwidth.

3. The KCC (Knowledge Consistency Checker) determines authentication responses from domain controllers... and YOU ARE NOT SMARTER THAN THE KCC.

Long story short, the only way having computers in a separate site will affect replication times is if Site Costing is enabled, and in this day and age for most environments, site costing is a waste of time and effort. See Troubleshooting Active Directory Replication Problems for the proper course of action.
 
LVL 10

Assisted Solution

by:Walter Padrón
Walter Padrón earned 250 total points
ID: 40513323
You can remove the Servers if they aren't DCs anymore.

You can remove the Sites, but ensure that:
- The Subnets assigned to this site now point to a Site with a working DC.
- You don't have a Group Policy Object applied to the Site.

You must also check the DNS zone _msdcs.yourdomain.com for stale or wrong records pointing to non-existing DCs, and do the same in your domainname.com zone for NS records.
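
The checks listed in this answer, as an added read-only PowerShell example that is not part of the original thread. It assumes the ActiveDirectory (RSAT) and DnsClient modules on a domain-joined machine; the site names and the `Report` helper are placeholders introduced here.

```powershell
# Added example: read-only checks to run before removing AD sites or server objects.
Import-Module ActiveDirectory

# Assumption: placeholder site names; substitute the sites you plan to remove.
$SitesToRemove = @('SiteA-Placeholder', 'SiteB-Placeholder')

# Hypothetical helper so every finding has the same shape in the output.
function Report($Check, $Item) { [pscustomobject]@{ Check = $Check; Item = $Item } }

$configNC = (Get-ADRootDSE).configurationNamingContext
$domain   = (Get-ADDomain).DNSRoot
$dcs      = Get-ADDomainController -Filter *

# 1. Server objects under Sites with no NTDS Settings child (not domain controllers).
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' |
    Where-Object {
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                  -LDAPFilter '(objectClass=nTDSDSA)')
    } |
    ForEach-Object { Report 'Server without NTDS Settings' $_.DistinguishedName }

foreach ($name in $SitesToRemove) {
    $site = Get-ADReplicationSite -Identity $name -Properties gPLink

    # 2. Subnets still mapped to the site; re-point them to a site with a working DC.
    Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Site -eq $site.DistinguishedName } |
        ForEach-Object { Report "Subnet still mapped to $name" $_.Name }

    # 3. GPOs linked at site level are recorded in the site's gPLink attribute.
    if ($site.gPLink) { Report "GPO link on $name" $site.gPLink }

    # 4. DCs still registered in the site (expected: none before removal).
    $dcs | Where-Object Site -eq $name |
        ForEach-Object { Report "DC still in $name" $_.HostName }
}

# 5. DC locator SRV records in _msdcs whose target is not a current DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -notin $dcs.HostName } |
    ForEach-Object { Report 'SRV target is not a current DC' $_.NameTarget }

# 6. NS records in the domain zone naming a host that is not a current DC.
#    Assumes AD-integrated DNS hosted on the DCs; otherwise review these by hand.
Resolve-DnsName -Name $domain -Type NS |
    Where-Object { $_.Type -eq 'NS' -and $_.NameHost -notin $dcs.HostName } |
    ForEach-Object { Report 'NS host is not a current DC' $_.NameHost }
```

An empty result means none of the conditions were found; any row is something to fix or re-point before deleting the site.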