• Status: Solved

Active Directory: Sites issue - Connection to Site Specific DC

Good Day Experts

Have a problem that is driving us nuts surrounding our multi-site Active Directory. Sure it's been asked many times before, but here goes. (Will attach an image as well.)

* ALL connectivity via stable VPNs with pretty good bandwidth.
* 3 x DCs in London, UK, in a single location (offices all over the UK authenticating via the VPN to these DCs, no problem)
* 1 x DC in Johannesburg, South Africa, in the same location as a few PCs (PCs authenticating via the local LAN to this DC, no problem)
* 1 x DC in Frankfurt, Germany, with multiple German locations (cities with PCs)
Setup as follows:
Site:  UK: - 3 x DCs (2 x GCs and Exchange, 1 x FSMO 'host')
Site:  ZA: - 1 x DC (GC)
Site:  DE: - 1 x DC (GC)
All servers are 2008 R2; all PCs Win 7 x64.
AD replication between all the DCs works fine without any errors and is quite quick as well.
10 subnets associated with the UK site
1 subnet associated with the ZA site
8 subnets associated with the DE site
Looking at the 'right click properties' of any of the sites under 'General' I can see the correct subnets associated.

So here is my problem:
Trying to join any PCs from our DE locations to the domain, or, for those PCs that managed to join the domain after hours of retrying and messing around with resetting network adaptors etc., just logging in/authenticating, results in failure. Looking at the Resource Monitor (networking) while joining a PC to the domain from, say, Hamburg, Germany, I can see authentication attempts against the UK/London DCs and even against the ZA/Johannesburg DC, which is obviously not accessible. I say obviously not accessible as our VPN is set up in a way that all country locations only have tunnels to their local DC location (DC locations have VPN tunnels to one another for replication, which works fine). The prompt when joining the domain for security credentials is instant (it finds the domain), but then the above occurs, hunting around for a DC, and after several minutes it fails with a "domain is not available" error. The same goes for PCs logging on to the domain: hunting around and eventually timing out (can be 15 minutes) or using locally cached passwords.

All DHCP servers provide the correct DNS servers for the subnets, i.e. Hamburg, Germany PCs point to the DNS of the Germany/DE DC.

In my mind the point of having a site with a DC and associated subnets should be to allow all authentication (and joins to the domain etc.) to occur within the site. I appreciate there might be a quick retry on any available DCs, as it's all in a single forest with a single domain, but as soon as one is not contactable it should be able to carry out any Active Directory type 'tasks' within the site.

APOLOGIES for a lot of information, but I'm trying to be as thorough as possible. Attached is a basic Visio scribble of the relevant part of the network.
Please help - SOS (Thank you)
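The question hinges on whether a client in a DE subnet is actually site-aware, i.e. whether the DC locator knows the client's site and finds a DE DC in the site-specific SRV records before it falls back to the domain-wide list that includes every DC. The script below is an added diagnostic, not part of the original post, to run on a client in one of the German subnets. The domain name and site name are placeholders to replace; `Resolve-DnsName` and `Test-NetConnection` need Windows 8 / Server 2012 or later (on the Windows 7 clients in the thread, use `nslookup -type=SRV <name>` and `telnet <dc> 389` for the same two checks).

```powershell
# Added diagnostic, not from the original thread. Run on a domain-joined client in a
# DE subnet. $Domain and $Site are assumptions: replace with your AD DNS domain name
# and the site name exactly as shown in AD Sites and Services.
param(
    [string]$Domain = 'corp.example.com',
    [string]$Site   = 'DE'
)

# 1. Which site does this client think it is in? Blank or wrong output here means the
#    client's IP is not inside any subnet object for the site, so the locator will not
#    ask for a site-specific DC at all.
Write-Host '== nltest /dsgetsite =='
nltest /dsgetsite

# 2. Which DC does the locator pick right now, ignoring the cached entry?
Write-Host "`n== nltest /dsgetdc =="
nltest "/dsgetdc:$Domain" /force

# 3. The site-specific SRV record a site-aware client queries first, followed by the
#    domain-wide record it falls back to. If the DE DC is missing from the first record
#    (Netlogon did not register it, or the zone is stale), clients use the second one,
#    which returns every DC including ones the VPN cannot reach.
$siteSrv   = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
$domainSrv = "_ldap._tcp.dc._msdcs.$Domain"
foreach ($name in $siteSrv, $domainSrv) {
    Write-Host "`n== $name =="
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port |
        Format-Table -AutoSize
}

# 4. TCP reachability from this client to every DC in the domain-wide record on the
#    ports the locator and logon actually use (LDAP 389, Kerberos 88, SMB 445).
#    A DC that is deliberately unreachable over the VPN shows False on all three;
#    a site-aware client should never need to try it, a non-site-aware one will.
Write-Host "`n== reachability of every DC in $domainSrv =="
Resolve-DnsName -Name $domainSrv -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'SRV' } |
    ForEach-Object {
        $dc = $_.NameTarget
        $ports = foreach ($p in 389, 88, 445) {
            $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            "$p=$($r.TcpTestSucceeded)"
        }
        [pscustomobject]@{ DC = $dc; Ports = ($ports -join ' ') }
    } | Format-Table -AutoSize
```

Read the four outputs together: step 1 must name the DE site, step 3's first record must list the DE DC, and step 2 must return that DC. If step 1 is correct but step 2 still returns a London DC, check the DE DC's own Netlogon registration on the DNS server the client uses (the `_sites` record is written by the DC, not by the administrator).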

2 Solutions
Will Szymkowski (Senior Solution Architect) commented:
Have there been any changes in Active Directory to the site architecture? Is it possible that there is some sort of routing issue at the DE sites trying to find the DCs?

Is this problem intermittent?

Are there any events in the Event Viewer that would point something out? If you run dcdiag /v, do you get any errors?

ComPo-IT (Author) commented:
This is the weird thing. There are errors in the event log, of course, like on any server, but going through them nothing stands out.

No changes to AD; the Germany setup is brand new: a clean-build, fully patched DC, joined to the domain with no errors.

Running the MS AD Replication Status Tool (which is really cool, BTW) I get NO errors on replication between any DCs or any sites (I kind of know replication works for sure).

Intermittent: no. It is a persistent problem.

Creating a secondary VPN from one of the German locations results in the PCs logging on (albeit slowly) to one of my London DCs or even the Germany DC, but it needs to establish a connection to London first (as if the PDC FSMO cannot be reached otherwise; just a thought).

The Best Practices Analyzer for AD and DNS on all my DCs has no significant warnings and no errors(*).

As far as routing goes, all traffic passes through an IPsec VPN with no restrictions on the tunnels.

The only error I have on a dcdiag /v is "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons" (should I be worried about that? hmmm). Good shout; I did not think about running this.

(*) One error on the DC which persists no matter if I make the required change is on the DNS BPA... I get an error that the loopback adapter must not be the first IP in the DNS settings of the NIC. I made it second/third etc. but the error remains (been reading about this and it seems like a non-issue, but I might be wrong).

Thank you so much for your quick response.

Will Szymkowski (Senior Solution Architect) commented:
Can you run the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads


ComPo-IT (Author) commented:
repadmin /replsum
Source DSA: no fails, no errors
Destination DSA: no fails, no errors
(*) There is one DC that is not contactable, by design, as the VPN from Germany does not extend to South Africa where we have one DC located.

repadmin /showrepl
Inbound Neighbours: all 5 were successful

repadmin /bridgeheads
The operation completed successfully for all

Interestingly, I do get an error at the beginning of the report: LDAP error 81 (Server Down) Win32 Err 58

Starting to wonder if I need a VPN tunnel between South Africa and Germany (DC locations) as well, just to ensure all DCs can contact one another, although in theory this should not be necessary, I would have thought.

Thank you for your help!

ComPo-IT (Author) commented:
dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = xxADserverNAMExx

   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: DE\xxADserverNAMExx

      Starting test: Connectivity

         ......................... xxADserverNAMExx passed test Connectivity

Doing primary tests

   Testing server: DE\xxADserverNAMExx

      Starting test: DNS


         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... xxADserverNAMExx passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : xxNETBIOSnameOFdomainxx

   Running enterprise tests on : xxFQDNnameOFdomainxx

      Starting test: DNS

         ......................... xxFQDNnameOFdomainxx passed test DNS
Will Szymkowski (Senior Solution Architect) commented:
Do you have site link connections created between Germany and South Africa? If there are bridgehead issues then DC replication will not make it to the connecting site. This can cause issues in the site that does not have the FSMO role holder. Essentially all of the domain controllers are time servers to the clients, but if DCs that do not hold the PDC role cannot update the time from the PDC emulator you can run into time sync issues, which can cause weird symptoms like users not being able to log in or computers not being able to join the domain or re-establish their trust with the domain.

I would definitely correct some of the issues that you have encountered already as it may be a part of the issue you are trying to resolve.
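The time-sync angle raised in the answer above is quick to confirm or rule out. The script below is an added check, not part of the thread, that samples every DC's clock offset relative to the machine it runs on and reports each DC's configured time source. It assumes the RSAT ActiveDirectory module is available to enumerate the DCs (otherwise pass the names with `-DomainControllers`); the 60-second warning threshold is an arbitrary choice well inside the Kerberos default of 5 minutes, so anything flagged deserves attention before it becomes a logon failure.

```powershell
# Added check, not from the original thread. Run on any domain member that can reach
# the DCs (a DE-site machine is the interesting one). Assumes RSAT ActiveDirectory
# unless -DomainControllers is given explicitly.
param([string[]]$DomainControllers)

if (-not $DomainControllers) {
    Import-Module ActiveDirectory
    $DomainControllers = (Get-ADDomainController -Filter *).HostName
}
$pdc = (Get-ADDomain).PDCEmulator

foreach ($dc in $DomainControllers) {
    # /stripchart /dataonly prints lines like "14:02:11, +00.0123456s"; keep the last sample.
    # An unreachable DC produces no such line, which we report as a null offset.
    $out    = w32tm /stripchart "/computer:$dc" /samples:3 /dataonly 2>&1
    $sample = $out | Where-Object { $_ -match ',\s*([+-][\d.]+)s' } | Select-Object -Last 1
    $offset = if ($sample -and $sample -match ',\s*([+-][\d.]+)s') { [double]$Matches[1] } else { $null }

    # The PDC emulator should sync from an external/NTP source; every other DC should
    # chain to the PDC (via the domain hierarchy), not free-run on its own hardware clock.
    $source = (w32tm /query "/computer:$dc" /source 2>&1) -join ' '

    [pscustomobject]@{
        DC            = $dc
        IsPDC         = ($dc -ieq $pdc)
        OffsetSeconds = $offset
        Source        = $source
        Warn          = ($null -eq $offset) -or
                        ([math]::Abs($offset) -gt 60) -or                     # assumption: 60 s threshold
                        (($dc -ieq $pdc) -and ($source -match 'Local CMOS Clock'))
    }
} | Format-Table -AutoSize
```

An offset of a few seconds is normal; a DC that returns no offset is the same "server down" symptom `repadmin` already showed for the unreachable ZA DC, and a PDC emulator whose source is "Local CMOS Clock" is the configuration the answer above warns about.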

ComPo-IT (Author) commented:
Bit of context:
Germany (DC location) VPN tunnel to UK (DC location)
South Africa (DC location) VPN tunnel to UK (DC location)
NO tunnel between Germany and South Africa
UK:  DC01, DC02, DC03 (DC01 = FSMO (all)) (ALL DCs are GCs)
ZA:  ZADC01 (GC)

Inter-Site Transports:
SMTP: none set up
IP: "DEFAULTIPSITELINK" in place as per the default MS config, cost 100, replication interval 15
"Sites in this site link": all 3 sites are in there

NTDS Settings (replication partners)
ZA replicates with DC01 (FSMO) in London
DE replicates with DC01 (FSMO) in London
The 3 UK DCs replicate with one another: DC01 with DC02 and DC03, DC02 with DC01 and DC03, DC03 with DC01 and DC02

Would separate IP site links help? I thought this is only for replication, and replication works 100% from what I can see.

Thank you

Will Szymkowski (Senior Solution Architect) commented:
Did the KCC create automatic connections between the 2 sites that do not have VPN tunnels between them?
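The question just asked, together with the site-link summary in the preceding post, can be answered in one pass from the configuration partition rather than by clicking through Sites and Services. The script below is an added example, not code from the thread; it dumps site links, the subnet-to-site mapping, the DC roster, and every connection object the KCC built, and flags any connection whose two endpoints sit in a site pair that has no VPN between them. The `$NoTunnel` list is an assumption matching the thread's topology before the extra tunnel was added; the DN parsing relies on the standard `CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...` layout. Requires the RSAT ActiveDirectory module (Server 2012 / Windows 8 or later; it queries 2008 R2 DCs through ADWS).

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Site pairs with no direct VPN, written 'SiteA|SiteB'. Assumption from the thread:
# only ZA<->DE had no tunnel. Adjust to your own topology.
$NoTunnel = @('ZA|DE')

# Extract the leaf CN from a DN such as 'CN=UK,CN=Sites,CN=Configuration,DC=...'
function Get-LeafCn([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# Server and site from an NTDS Settings DN:
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
function ConvertFrom-NtdsDn([string]$dn) {
    if ($dn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites') {
        return @{ Server = $Matches[1]; Site = $Matches[2] }
    }
    return @{ Server = $dn; Site = '?' }   # unexpected shape: show the raw DN
}

Write-Host '== Site links (one link holding all sites lets the KCC pair any two directly) =='
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { Get-LeafCn $_ }) -join ', ' } } |
    Format-Table -AutoSize

Write-Host '== Subnet -> site (a client outside every subnet here is not site-aware) =='
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { Get-LeafCn $_.Site } } |
    Sort-Object Site, Name | Format-Table -AutoSize

Write-Host '== Domain controllers =='
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog,
        @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize

Write-Host '== Connection objects the KCC built; NoTunnel=True means it paired sites with no VPN =='
Get-ADReplicationConnection -Filter * | ForEach-Object {
    $from = ConvertFrom-NtdsDn $_.ReplicateFromDirectoryServer
    $to   = ConvertFrom-NtdsDn $_.ReplicateToDirectoryServer
    $pair = "$($from.Site)|$($to.Site)"
    $rev  = "$($to.Site)|$($from.Site)"
    [pscustomobject]@{
        From          = "$($from.Server) ($($from.Site))"
        To            = "$($to.Server) ($($to.Site))"
        AutoGenerated = $_.AutoGenerated
        NoTunnel      = ($NoTunnel -contains $pair) -or ($NoTunnel -contains $rev)
    }
} | Sort-Object NoTunnel -Descending | Format-Table -AutoSize
```

If every connection shows `NoTunnel=False` the KCC is already routing ZA and DE through the UK bridgeheads and the missing tunnel is not a replication problem; the subnet table is then the more useful output for the original logon symptom, since a DE client whose address falls outside every DE subnet object will behave exactly as described in the question.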

ComPo-IT (Author) commented:

This is what I have in the DCDIAG /V log:
Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DEAD01 passed test KccEvent

Can I look for this anywhere else?

Now have a tunnel between ZA and DE as well, so all DCs "can see one another".
One or two smaller, insignificant errors went away because of this configuration, obvious things like "cannot find ZA DC".
As this does not cause any security issue I will leave this in place.

Unfortunately, after fixing all errors (I must have the cleanest AD on the planet by now :-)) the problem persists.
PCs in the subnet belonging to the site with the DE DC are still trying to authenticate with the UK/London based DCs and time out (authenticate or join). Adding a second VPN tunnel from one of the locations in DE to London does allow the PC to log on to the domain (as expected), but this is not the desired configuration and renders the "local DE DC" useless.

A thought is to move the DE DC to the ZA site over the weekend for 24 hours, let replication do its thing, then move it back to the DE site and let replication do its stuff, and see if by some miracle this resolves the issue in case a misconfiguration from before caused it (crazy? YES; worth a try? hmm, maybe).

Thank you so much for all your help

Seth Simmons (Sr. Systems Administrator) commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
Will Szymkowski (Senior Solution Architect) commented:
I have provided this user helpful information correcting the outstanding issues that were a result of failed replication. Specifically, ID: 40552578.

I obviously helped this user to some degree, based on the comment below...
Thank You so much for all your help

Also, this user has a more systemic issue outside of this question. I have provided as much detail as I could to assist this user.

Question has a verified solution.
