Solved

Active Directory: Sites issue - Connection to Site Specific DC

Posted on 2015-01-15
13
95 Views
Last Modified: 2015-06-29
Good Day Experts

Have a problem that is driving us nuts surrounding our multi-site Active Directory - sure it has been asked many times before but here goes. (Will attach an image as well)

* ALL connectivity via stable VPNs with pretty good bandwidth.
* 3 x DCs in London UK in a single location (offices all over the UK authenticating via the VPN to these DCs no problem)
* 1 x DC in Johannesburg South Africa in the same location as a few PCs (PCs authenticating via the local LAN to this DC no problem)
* 1 x DC in Frankfurt Germany with multiple German locations (cities with PCs)
Setup as follows:
Site:  UK: - 3 x DC's (2 x GC's and Exchange 1 x FSMO 'host')
Site:  ZA: - 1 x DC (GC)
Site:  DE: - 1 x DC (GC)
All servers are Server 2008 R2; all PCs are Win 7 x64
AD replication between all the DC's works fine without any error and quite quick as well.
10 Subnets associated with the UK Site
1 Subnet associated with the ZA site
8 Subnets associated with the DE site
Looking at the 'right click properties' of any of the sites under 'General' I can see the correct subnets associated.

So here is my problem:
Trying to join any PCs from our DE locations to the domain, or, for those PCs that managed to join the domain after hours of retrying and messing around with resetting network adaptors etc., just logging in/authenticating, results in failure.  Looking at the Resource Monitor (networking) while joining a PC to the domain from say Hamburg Germany I can see authentication attempts against the UK/London DCs and even against the ZA/Johannesburg DC which is obviously not accessible - I say obviously not accessible as our VPN is set up in a way that all country locations only have tunnels to their local DC location (DC locations have VPN tunnels to one another for replication which works fine).  The prompt when joining the domain for security credentials is instant (it finds the domain) but then the above occurs, hunting around for a DC, and then after several minutes it fails with a "domain is not available" error.  Same goes for PCs logging on to the domain: hunting around and eventually timing out (can be 15 minutes) or using locally cached passwords.

All DHCP servers provide the correct DNS servers for the subnets, i.e. Hamburg Germany PCs point to the DNS of the Germany/DE DC.

In my mind the point of having a site with a DC and associated subnets should be to allow all authentication (and joins to the domain etc.) to occur within the site.  I appreciate there might be a quick retry on any available DCs as it's all in a single forest with a single domain, but as soon as one is not contactable it should be able to carry out any Active Directory type 'tasks' within the site.

APOLOGIES for a lot of information but I am trying to be as thorough as possible.  Attached is a basic Visio scribble of the relevant part of the network.
Please Help - SOS (Thank You)

J
Document1.pdf
Question by:ComPo-IT
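The symptom described in the question (clients in a DE subnet trying UK and ZA DCs) is what the DC locator does whenever it cannot map a client's address to a site: with no matching subnet object it falls back to the forest-wide _ldap._tcp.dc._msdcs SRV records, which list every DC regardless of site, and the DNS server handed out by DHCP does not change that because those records are replicated to every DC. The PowerShell script below is an added diagnostic written for this page, not something posted in the thread. It takes a client address and checks, in order: the site name the machine has cached, which AD subnet object (if any) covers the address and which site that subnet points to, what a DC maps the address to, whether site-specific SRV records exist for the site, and which DC the locator returns when forced to that site. The domain name, site name and client address are placeholders, and the script assumes the RSAT ActiveDirectory and DnsClient PowerShell modules (Windows 8 / Server 2012 or later, so it would run from an admin workstation rather than the Windows 7 clients in the question).

```powershell
# Added diagnostic script (not from the original thread). Assumes the RSAT
# ActiveDirectory module and the DnsClient module are installed on the machine
# running it and that it can reach at least one DC. The three values below are
# placeholders standing in for the domain, site and client address in the question.
param(
    [string]$Domain   = "corp.example.com",   # placeholder: domain FQDN
    [string]$SiteName = "DE",                 # site the client is expected to be in
    [string]$ClientIP = "10.20.30.40"         # placeholder: address of a PC in Hamburg
)

Import-Module ActiveDirectory

# Converts a dotted IPv4 address to its 32-bit numeric value (held in an Int64).
function ConvertTo-IPv4Int {
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

# True when $IP lies inside the IPv4 CIDR block $Cidr. Integer division is used instead of
# bit shifts so the result is identical on Windows PowerShell 5.1 and PowerShell 7.
function Test-IPInSubnet {
    param([string]$IP, [string]$Cidr)
    $network, $prefixLength = $Cidr -split '/'
    # Skip IPv6 subnet objects and anything that is not a dotted-quad prefix.
    if (-not $prefixLength -or $network -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $divisor   = [math]::Pow(2, 32 - [int]$prefixLength)     # 2^(host bits)
    $ipPrefix  = [math]::Floor((ConvertTo-IPv4Int $IP) / $divisor)
    $netPrefix = [math]::Floor((ConvertTo-IPv4Int $network) / $divisor)
    return ($ipPrefix -eq $netPrefix)
}

Write-Host "== 1. Site name this machine has cached (meaningful when run on an affected PC) =="
nltest /dsgetsite

Write-Host "== 2. AD subnet objects covering $ClientIP =="
$covering = Get-ADReplicationSubnet -Filter * |
    Where-Object { Test-IPInSubnet -IP $ClientIP -Cidr $_.Name } |
    ForEach-Object {
        # Site is stored as a DN such as CN=DE,CN=Sites,CN=Configuration,DC=...; keep only the CN.
        $siteCn = if ($_.Site) { (($_.Site -split ',')[0]) -replace '^CN=', '' } else { '<no site assigned>' }
        [PSCustomObject]@{ Subnet = $_.Name; Site = $siteCn }
    }
if ($covering) { $covering | Format-Table -AutoSize | Out-String | Write-Host }
else { Write-Host "No subnet object covers ${ClientIP}: the locator cannot prefer a site and uses the forest-wide _ldap._tcp.dc._msdcs records." }

Write-Host "== 3. Site a DC maps the address to (what the locator is told at logon) =="
nltest /dsaddresstosite:$ClientIP

Write-Host "== 4. Site-specific SRV records for site $SiteName =="
$srv = Resolve-DnsName -Name "_ldap._tcp.${SiteName}._sites.dc._msdcs.${Domain}" -Type SRV -ErrorAction SilentlyContinue
if ($srv) { $srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize | Out-String | Write-Host }
else { Write-Host "No site-specific SRV records found; re-register them on the site's DC with 'nltest /dsregdns' and check DNS zone replication." }

Write-Host "== 5. DC the locator returns when forced to site $SiteName =="
nltest /dsgetdc:$Domain /site:$SiteName /force
```

Step 2 is the one that matters most for the question: the subnet objects must cover the client address with the right prefix length and be assigned to the DE site object, otherwise steps 3 and 4 will look healthy while clients still spread their logon attempts across every DC in the forest.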
13 Comments
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40551850
Have there been any changes in Active Directory to the site architecture? Is it possible that there is some sort of routing issue at the DE sites trying to find the DCs?

Is this problem intermittent?

Are there any events in the event viewer that would point something out? If you run dcdiag /v do you get any errors?

Will.

Author Comment

by:ComPo-IT
ID: 40551963
This is the weird thing.  There are errors in the event log of course, like any server, but going through them nothing stands out.

No changes to AD - the Germany setup is "brand new".  Clean build, fully patched DC, joined to the domain with no errors.

Running the MS AD Replication Status Tool (which is really cool BTW) I get NO errors on replication between any DCs or any sites (I kind of know replication works for sure).

Intermittent - no.  It is a persistent problem.

Creating a secondary VPN from one of the German locations results in the PCs logging on (albeit slowly) to one of my London DCs or even the Germany DC, but it needs to establish a connection to London first (as if the PDC FSMO cannot be reached otherwise - just a thought).

Best Practices Analyzer for AD and DNS on all my DCs has no significant warnings and no errors(*)

As far as routing goes all traffic passes through an IPSEC VPN with no restrictions on the tunnels.

The only error I have on a dcdiag /v is "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons" (should I be worried about that, hmmm) - good shout - did not think about running this.

(*) one error on the DC which persists no matter if I make the required change is on the DNS BPA ... I get an error that the loopback adapter must not be the first IP in the DNS settings of the NIC ... I made it second/third etc. but the error remains (been reading about this and it seems like a non-issue but I might be wrong)

Thank You so much for your quick response

J
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552020
Can you run the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Will.

Author Comment

by:ComPo-IT
ID: 40552517
repadmin /replsum
Result:
Source DSA: no fails, no errors
Destination DSA: no fails, no errors
(*) There is one DC that is not contactable - by design, as the VPN from Germany does not extend to South Africa where we have one DC located.

repadmin /showrepl
Result:
Inbound Neighbours - all 5 were successful

repadmin /bridgeheads
Result:
The operation completed successfully for all

Interestingly I do get an error at the beginning of the report:  LDAP error 81 (Server Down) Win32 Err 58

Starting to wonder if I need a VPN tunnel between South Africa and Germany (DC locations) as well just to ensure all DCs can contact one another, although in theory this should not be necessary I would have thought.

Thank You for your help!

J.

Author Comment

by:ComPo-IT
ID: 40552559
dcdiag /test:dns
Result:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = xxADserverNAMExx

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: DE\xxADserverNAMExx

      Starting test: Connectivity

         ......................... xxADserverNAMExx passed test Connectivity



Doing primary tests

   
   Testing server: DE\xxADserverNAMExx

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... xxADserverNAMExx passed test DNS

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : xxNETBIOSnameOFdomainxx

   
   Running enterprise tests on : xxFQDNnameOFdomainxx

      Starting test: DNS

         ......................... xxFQDNnameOFdomainxx passed test DNS
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40552578
Do you have site link connections created between Germany and South Africa? If there are bridgehead issues then DC replication will not make it to the connecting site. This can cause issues for the site that does not have the FSMO role holder. Essentially all of the domain controllers are time servers to the clients, but if DCs that do not hold the PDC role cannot update the time from the PDC emulator you can run into time sync issues, which can cause weird symptoms like users not being able to log in or computers not being able to join the domain or re-establish their trust with the domain.

I would definitely correct some of the issues that you have encountered already as it may be a part of the issue you are trying to resolve.

Will.
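The time hierarchy Will describes can be verified directly rather than inferred from symptoms: every DC should obtain time from another DC or from the PDC emulator, and Kerberos rejects authentication by default once a clock differs from the KDC's by more than five minutes. The PowerShell script below is an added example written for this page, not something from the thread. Run from an admin workstation, it lists every DC with its configured time source and its clock skew relative to the PDC emulator, and flags DCs outside the Kerberos tolerance or running on their local clock. It assumes the RSAT ActiveDirectory module and that w32tm can query each DC over RPC from where it runs; a DC that cannot be reached (as the ZA DC is from DE in the question) is simply reported as unreachable.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module is installed and that w32tm on this machine can query each DC remotely.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator                      # top of the domain time hierarchy
$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName

# Measures this machine's clock offset against $Target with "w32tm /stripchart" and returns
# the average of the samples in seconds, or $null when the target cannot be queried.
# Sample lines look like "10:15:02, +00.0012345s" (a comma decimal on German locales).
function Get-ClockOffsetSeconds {
    param([string]$Target)
    $lines = & w32tm /stripchart /computer:$Target /samples:3 /dataonly 2>&1
    $samples = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+[.,]\d+)s') { [double]($Matches[1] -replace ',', '.') }
    }
    if (-not $samples) { return $null }
    return ($samples | Measure-Object -Average).Average
}

$pdcOffset = Get-ClockOffsetSeconds -Target $pdc

$report = foreach ($dc in $dcs) {
    # The configured source tells you whether the DC is in the hierarchy at all.
    $source = "$(& w32tm /query /computer:$($dc.HostName) /source 2>&1 | Select-Object -First 1)".Trim()
    $offset = Get-ClockOffsetSeconds -Target $dc.HostName
    # Both offsets are measured from this machine, so their difference is the DC-to-PDC skew.
    $skew = if ($null -ne $offset -and $null -ne $pdcOffset) { [math]::Round($offset - $pdcOffset, 3) } else { $null }
    [PSCustomObject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        IsPDC       = ($dc.HostName -eq $pdc)
        TimeSource  = $source
        SkewSeconds = $skew          # $null means w32tm could not reach the DC from here
    }
}
$report | Format-Table -AutoSize

# Kerberos tolerates 300 seconds of skew by default; a DC whose source reads
# "Local CMOS Clock" or "Free-running System Clock" is not synchronising with anything.
$suspect = $report | Where-Object {
    ($null -ne $_.SkewSeconds -and [math]::Abs($_.SkewSeconds) -gt 300) -or
    $_.TimeSource -match 'Local CMOS Clock|Free-running System Clock'
}
if ($suspect) {
    Write-Host "DCs to fix before chasing logon or domain-join failures:"
    $suspect | Format-Table DC, Site, TimeSource, SkewSeconds -AutoSize
} else {
    Write-Host "All reachable DCs are within Kerberos tolerance of the PDC emulator."
}
```

The PDC emulator itself should show an external source (an NTP server); every other DC should show a DC name, which is what "w32tm /query /source" reports when the domain hierarchy is working.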

Author Comment

by:ComPo-IT
ID: 40552625
Bit of context:
Germany (DC location) VPN tunnel to UK (DC location)
South Africa (DC location) VPN tunnel to UK (DC location)
NO tunnel between Germany and South Africa
UK:  DC01, DC02, DC03 (DC01=FSMO(all))(ALL DC's are GC's)
ZA:  ZADC01 (GC)
DE:  DCDC01 (GC)

Inter-Site Transports:
SMTP: none set up
IP: "DEFAULTIPSITELINK" in place as per default MS config, cost 100, replication interval 15
"Sites in this site link" - all 3 sites are in there

NTDS Setting (replication partners)
ZA - replicates with DC01(FSMO) in London
DE - replicates with DC01(FSMO) in London
3 UK DCs replicate with one another: DC01 with DC02 and DC03, DC02 with DC01 and DC03, DC03 with DC01 and DC02

Would separate IP site links help?  I thought this is only for replication, and replication works 100% from what I can see

Thank You

J
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552631
Did the KCC create automatic connections between the 2 sites that do not have VPN tunnels between them?

Will.

Accepted Solution

by:ComPo-IT
ComPo-IT earned 0 total points
ID: 40553255
Hello,

This is what I have in the DCDIAG /V log:
Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DEAD01 passed test KccEvent

Can I look for this anywhere else ?

Now have a tunnel between ZA and DE as well so all DCs "can see one another".
One or two smaller insignificant errors went away because of this configuration - obvious things like cannot find ZA DC.
As this does not cause any security issue I will leave this in place.

Unfortunately after fixing all errors (must have the cleanest AD on the planet by now :-)) the problem persists.
PCs in the subnet belonging to the site with the DE DC are still trying to authenticate with the UK/London based DCs and time out (authenticate or join).  Adding a second VPN tunnel from one of the locations in DE to London does allow the PC to log on to the domain (as expected) but this is not the desired configuration and renders the "local DE DC" useless.

A thought is to move the DE DC to the ZA site over the weekend for 24 hours and let replication do its thing, then move it back to the DE site and let replication do its stuff, and see if by some miracle this resolves the issue in case a misconfiguration from before caused it (crazy, YES, worth a try, hmm, maybe)

Thank You so much for all your help

J
LVL 34

Expert Comment

by:Seth Simmons
ID: 40851582
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40851583
I have provided this user helpful information correcting the outstanding issues that were a result of failed replication. Specifically ID: 40552578

I obviously helped this user to some degree based on the comment below...
Thank You so much for all your help

Also this user has a more systemic issue outside of this question. I have provided as much detail as I could have to assist this user.

Will.