Solved

Active Directory: Sites issue - Connection to Site Specific DC

Posted on 2015-01-15
Last Modified: 2015-06-29
Good Day Experts

Have a problem that is driving us nuts surrounding our multi-site Active Directory - sure it has been asked many times before, but here goes. (Will attach an image as well.)

* ALL connectivity via stable VPNs with pretty good bandwidth.
* 3 x DCs in London, UK, in a single location (offices all over the UK authenticating via the VPN to these DCs, no problem)
* 1 x DC in Johannesburg, South Africa, in the same location as a few PCs (PCs authenticating via the local LAN to this DC, no problem)
* 1 x DC in Frankfurt, Germany, with multiple German locations (cities with PCs)

Setup as follows:
* Site UK: 3 x DCs (2 x GCs and Exchange, 1 x FSMO 'host')
* Site ZA: 1 x DC (GC)
* Site DE: 1 x DC (GC)
* All Server 2008 R2; all PCs Win 7 x64
* AD replication between all the DCs works fine without any error, and quite quickly as well.
* 10 subnets associated with the UK site
* 1 subnet associated with the ZA site
* 8 subnets associated with the DE site

Looking at the 'right click properties' of any of the sites under 'General' I can see the correct subnets associated.

So here is my problem:
Trying to join any PCs from our DE locations to the domain, or, for those PCs that managed to join the domain after hours of retrying and messing around with resetting network adaptors etc., just logging in/authenticating, results in failure. Looking at Resource Monitor (networking) while joining a PC to the domain from, say, Hamburg, Germany, I can see authentication attempts against the UK/London DCs, even against the ZA/Johannesburg DC, which is obviously not accessible. I say obviously not accessible as our VPN is set up in a way that all country locations only have tunnels to their local DC location (DC locations have VPN tunnels to one another for replication, which works fine). The prompt when joining the domain for security credentials is instant (it finds the domain), but then the above occurs, hunting around for a DC, and after several minutes it fails with a 'domain is not available' error. Same goes for PCs logging on to the domain: hunting around and eventually timing out (can be 15 minutes) or using locally cached passwords.

All DHCP servers provide the correct DNS servers for the subnets, i.e. Hamburg, Germany PCs point to the DNS of the Germany/DE DC.

In my mind the point of having a site with a DC and associated subnets should be to allow all authentication (and joins to the domain etc.) to occur within the site. I appreciate there might be a quick retry on any available DCs, as it's all a single forest with a single domain, but as soon as one is not contactable it should be able to carry out any Active Directory type 'tasks' within the site.

APOLOGIES for a lot of information, but I'm trying to be as thorough as possible. Attached a basic Visio scribble of the relevant part of the network.
Please help - SOS (thank you)

J
Document1.pdf
Question by:ComPo-IT
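The site-selection logic the question leans on, as an added example that is not part of the thread: a domain member maps its own IP address to a site by finding the most specific subnet object under CN=Subnets,CN=Sites,CN=Configuration that contains it, then queries the site-specific SRV record before the domain-wide one. The subnet prefixes, the domain name corp.example and the DC FQDNs below are constructed; only the site names and the DC host names come from the thread. The example also shows the two subnet-table conditions that make a client try DCs in every site: an address no subnet object covers (no site, so only the domain-wide record is used, which lists every DC in the domain), and a more specific subnet nested inside another site's range.

```python
import ipaddress
from typing import Optional

# Constructed subnet-to-site table. The real objects live under
# CN=Subnets,CN=Sites,CN=Configuration,<forest root>; the thread gives
# the counts (10 UK, 1 ZA, 8 DE) but not the prefixes.
SUBNETS = {
    "10.10.0.0/16": "UK",
    "10.20.1.0/24": "ZA",
    "10.30.0.0/16": "DE",
    "10.30.99.0/24": "UK",  # constructed overlap: more specific prefix mapped to another site
}

DOMAIN = "corp.example"  # constructed; the thread redacts the real domain name

# Constructed SRV answers: what the DNS zone would return for each record.
# Host names are the ones the thread gives; the FQDNs are assumptions.
SRV = {
    "_ldap._tcp.UK._sites.dc._msdcs.corp.example": [
        "DC01.corp.example", "DC02.corp.example", "DC03.corp.example"],
    "_ldap._tcp.ZA._sites.dc._msdcs.corp.example": ["ZADC01.corp.example"],
    "_ldap._tcp.DE._sites.dc._msdcs.corp.example": ["DCDC01.corp.example"],
    "_ldap._tcp.dc._msdcs.corp.example": [
        "DC01.corp.example", "DC02.corp.example", "DC03.corp.example",
        "ZADC01.corp.example", "DCDC01.corp.example"],
}


def site_for_ip(ip: str, subnets=SUBNETS) -> Optional[str]:
    """Map a client address to a site the way the DC locator does: the
    most specific (longest-prefix) subnet object that contains it wins.
    Returns None when no subnet object covers the address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def srv_names(domain: str, site: Optional[str]) -> list:
    """SRV record names in the order a client consults them: the
    site-specific DC record first (only when the client knows its site),
    then the domain-wide record that lists every DC in the domain."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def candidate_dcs(ip: str, domain=DOMAIN, subnets=SUBNETS, srv=SRV):
    """Return (site, SRV record used, DCs the client would try)."""
    site = site_for_ip(ip, subnets)
    for name in srv_names(domain, site):
        targets = srv.get(name, [])
        if targets:
            return site, name, list(targets)
    return site, None, []


def overlapping_subnets(subnets=SUBNETS):
    """Flag subnet objects nested inside a subnet mapped to a different
    site; a client in the inner range is silently sent to the other site."""
    nets = [(ipaddress.ip_network(c, strict=False), s) for c, s in subnets.items()]
    issues = []
    for inner, inner_site in nets:
        for outer, outer_site in nets:
            if inner != outer and inner.subnet_of(outer) and inner_site != outer_site:
                issues.append((str(inner), inner_site, str(outer), outer_site))
    return issues


if __name__ == "__main__":
    for ip in ("10.30.7.20", "10.30.99.5", "192.168.9.1"):
        print(ip, candidate_dcs(ip))
    print("overlaps:", overlapping_subnets())
```

To compare the model with what a real Windows 7 client decided, `nltest /dsgetsite` prints the site the client believes it is in and `nltest /dsgetdc:<domain> /force` prints the DC the locator picked and that DC's site; if the first reports no site, or the second returns a DC outside the expected site, the subnet table is the first place to look.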
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40551850
Have there been any changes in Active Directory to the site architecture? Is it possible that there is some sort of routing issue at the DE sites when trying to find the DCs?

Is this problem intermittent?

Are there any events in the event viewer that would point something out? If you run dcdiag /v, do you get any errors?

Will.
 

Author Comment

by:ComPo-IT
ID: 40551963
This is the weird thing. There are errors in the event log, of course, like any server, but going through them nothing stands out.

No changes to AD - the Germany setup is "brand new". Clean build, fully patched DC, joined to the domain with no errors.

Running the MS AD Replication Status Tool (which is really cool, BTW) I get NO errors on replication between any DCs or any sites (so I kind of know replication works for sure).

Intermittent - no. It is a persistent problem.

Creating a secondary VPN from one of the German locations results in the PCs logging on (albeit slowly) to one of my London DCs, or even the Germany DC, but it needs to establish a connection to London first (as if the PDC FSMO cannot be reached otherwise - just a thought).

Best Practices Analyzer for AD and DNS on all my DCs has no significant warnings and no errors (*).

As far as routing goes, all traffic passes through an IPsec VPN with no restrictions on the tunnels.

The only error I have on a dcdiag /v is "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons" (should I be worried about that? hmm) - good shout, did not think about running this.

(*) One error on the DC which persists no matter whether I make the required change is on the DNS BPA ... I get an error that the loopback adapter must not be the first IP in the DNS settings of the NIC ... I made it second/third etc. but the error remains (been reading about this and it seems like a non-issue, but I might be wrong).

Thank You so much for your quick response

J
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552020
Can you run the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Will.
 

Author Comment

by:ComPo-IT
ID: 40552517
repadmin /replsum
Result:
Source DSA no fails no errors
Destination DSA no fails no errors
(*) There is one DC that is not contactable - by design, as the VPN from Germany does not extend to South Africa, where we have one DC located.

repadmin /showrepl
Result:
Inbound Neighbours - all 5 were successful

repadmin /bridgeheads
Result:
The operation completed successfully for all

Interestingly I do get an error at the beginning of the report:  LDAP error 81 (Server Down) Win32 Err 58

Starting to wonder if I need a VPN tunnel between South Africa and Germany (DC locations) as well, just to ensure all DCs can contact one another, although in theory this should not be necessary, I would have thought.

Thank you for your help!

J.
 

Author Comment

by:ComPo-IT
ID: 40552559
dcdiag /test:dns
Result:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = xxADserverNAMExx

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: DE\xxADserverNAMExx

      Starting test: Connectivity

         ......................... xxADserverNAMExx passed test Connectivity



Doing primary tests

   
   Testing server: DE\xxADserverNAMExx

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... xxADserverNAMExx passed test DNS

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : xxNETBIOSnameOFdomainxx

   
   Running enterprise tests on : xxFQDNnameOFdomainxx

      Starting test: DNS

         ......................... xxFQDNnameOFdomainxx passed test DNS
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40552578
Do you have site link connections created between Germany and South Africa? If there are bridgehead issues then DC replication will not make it to the connecting site. This can cause issues in the site that does not have the FSMO role holder. Essentially all of the domain controllers are time servers to the clients, but if DCs that do not hold the PDC role cannot update the time from the PDC emulator you can run into time sync issues, which can cause weird symptoms like users not being able to log in or computers not being able to join the domain or re-establish their trust with the domain.

I would definitely correct some of the issues that you have encountered already as it may be a part of the issue you are trying to resolve.

Will.
 

Author Comment

by:ComPo-IT
ID: 40552625
Bit of context:
Germany (DC location) VPN tunnel to UK (DC location)
South Africa (DC location) VPN tunnel to UK (DC location)
NO tunnel between Germany and South Africa
UK:  DC01, DC02, DC03 (DC01 = FSMO (all)) (ALL DCs are GCs)
ZA:  ZADC01 (GC)
DE:  DCDC01 (GC)

Inter-Site Transports:
SMTP: none set up
IP: "DEFAULTIPSITELINK" in place as per default MS config, cost 100, replication interval 15
"Sites in this site link" - all 3 sites are in there

NTDS Settings (replication partners):
ZA - replicates with DC01 (FSMO) in London
DE - replicates with DC01 (FSMO) in London
3 UK DCs replicate with one another: DC01 with DC02 and DC03, DC02 with DC01 and DC03, DC03 with DC01 and DC02

Would separate IP site links help? I thought this was only for replication, and replication works 100% from what I can see.

Thank You

J
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552631
Did the KCC create automatic connections between the 2 sites that do not have VPN tunnels between them?

Will.
 

Accepted Solution

by:ComPo-IT
ComPo-IT earned 0 total points
ID: 40553255
Hello,

This is what I have in the DCDIAG /V log:
Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DEAD01 passed test KccEvent

Can I look for this anywhere else?

Now have a tunnel between ZA and DE as well, so all DCs "can see one another".
One or two smaller, insignificant errors went away because of this configuration - obvious things like "cannot find ZA DC".
As this does not cause any security issue I will leave this in place.

Unfortunately, after fixing all errors (I must have the cleanest AD on the planet by now :-)) the problem persists.
PCs in the subnet belonging to the site with the DE DC are still trying to authenticate with the UK/London based DCs and time out (authenticate or join). Adding a second VPN tunnel from one of the locations in DE to London does allow the PC to log on to the domain (as expected), but this is not the desired configuration and renders the "local DE DC" useless.

A thought is to move the DE DC to the ZA site over the weekend for 24 hours and let replication do its thing, then move it back to the DE site and let replication do its stuff, and see if by some miracle this resolves the issues in case a misconfiguration from before caused it (crazy, YES, worth a try, hmm, maybe).

Thank You so much for all your help

J
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40851582
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40851583
I have provided this user helpful information correcting the outstanding issues that were a result of failed replication. Specifically ID: 40552578.

I obviously helped this user to some degree, based on the comment below...
Thank You so much for all your help

Also, this user has a more systemic issue outside of this question. I have provided as much detail as I could to assist this user.

Will.