Active Directory: Sites issue - Connection to Site Specific DC

Posted on 2015-01-15
Last Modified: 2015-06-29
Good Day Experts

Have a problem that is driving us NUTS surrounding our multi-site Active Directory - sure it has been asked many times before, but here goes. (Will attach an image as well)

* ALL connectivity via stable VPNs with pretty good bandwidth.
* 3 x DCs in London, UK, in a single location (offices all over the UK authenticating via the VPN to these DCs, no problem)
* 1 x DC in Johannesburg, South Africa, in the same location as a few PCs (PCs authenticating via the local LAN to this DC, no problem)
* 1 x DC in Frankfurt, Germany, with multiple German locations (cities with PCs)

Setup as follows:
Site: UK: - 3 x DCs (2 x GCs and Exchange 1 x FSMO 'host')
Site: ZA: - 1 x DC (GC)
Site: DE: - 1 x DC (GC)
All Server 2008 R2; all PCs Win 7 x64.
AD replication between all the DCs works fine without any error and is quite quick as well.
10 subnets associated with the UK site
1 subnet associated with the ZA site
8 subnets associated with the DE site
Looking at the 'right click properties' of any of the sites under 'General' I can see the correct subnets associated.

So here is my problem:
Trying to join any PCs from our DE locations to the domain, or, for those PCs that managed to join the domain after hours of retrying and messing around with resetting network adapters etc., just logging in/authenticating, results in failure. Looking at the Resource Monitor (networking) while joining a PC to the domain from, say, Hamburg, Germany, I can see authentication attempts against the UK/London DCs and even against the ZA/Johannesburg DC, which is obviously not accessible - I say obviously not accessible as our VPN is set up in a way that all country locations only have tunnels to their local DC location (DC locations have VPN tunnels to one another for replication, which works fine). The prompt for security credentials when joining the domain is instant (it finds the domain), but then the above occurs, hunting around for a DC, and after several minutes it fails with a 'domain is not available' error. Same goes for PCs logging on to the domain: hunting around and eventually timing out (can be 15 minutes) or using locally cached passwords.

All DHCP servers provide the correct DNS servers for the subnets, i.e. Hamburg, Germany PCs point to the DNS of the Germany/DE DC.

In my mind the point of having a site with a DC and associated subnets should be to allow all authentication (and joins to the domain etc.) to occur within the site. Appreciate there might be a quick retry on any available DCs as it's all in a single forest with a single domain, but as soon as they are not contactable it should be able to carry out any Active Directory type 'tasks' within the site.

APOLOGIES for a lot of information but trying to be as thorough as possible.  Attached a basic Visio scribble of the relevant part of the network.
Please Help - SOS (Thank You)

Question by:ComPo-IT
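One way to check, from a client in one of the DE subnets, whether the sites/subnets map and the DC locator actually agree with the intent described in the question (an added diagnostic, not code from this thread). It assumes the RSAT ActiveDirectory module (Get-ADReplicationSubnet needs the Windows 8 / Server 2012 or later module, talking to the 2008 R2 DCs over ADWS), Resolve-DnsName and nltest.exe; 'example.corp' is a placeholder for the real domain FQDN and 'DE' is the site the client is expected to use.

```powershell
# Added diagnostic for the DC-locator problem described above; not code from the thread.
# Assumes: RSAT ActiveDirectory module (Get-ADReplicationSubnet), Resolve-DnsName, nltest.exe.
# 'example.corp' and 'DE' are placeholders for the real domain FQDN and expected site.
param([string]$Domain = 'example.corp', [string]$ExpectedSite = 'DE')

function ConvertTo-UInt32 ([string]$Ip) {
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()          # network byte order
    [uint32]([int64]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

# True when $Ip lies inside the IPv4 CIDR block $Cidr (AD subnet objects are named 'a.b.c.d/n')
function Test-IPInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Longest-prefix match of a client IP against the subnet objects; returns the site name or $null.
# $Subnets: objects with Name = 'a.b.c.d/n' and Site = site DN, as Get-ADReplicationSubnet returns.
function Get-SiteForIP ([string]$Ip, $Subnets) {
    $ordered = $Subnets | Sort-Object { [int]($_.Name.Split('/')[1]) } -Descending
    foreach ($s in $ordered) {
        if (Test-IPInCidr $Ip $s.Name) { return (($s.Site -split ',')[0] -replace '^CN=') }
    }
    return $null
}

# 1. Where does this client's own IP land in the sites/subnets map that AD holds?
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object IPAddressToString
foreach ($ip in $ips) {
    $site = Get-SiteForIP $ip $subnets
    if ($null -eq $site) { Write-Warning "$ip is in NO AD subnet: the locator falls back to any DC in the domain" }
    elseif ($site -ne $ExpectedSite) { Write-Warning "$ip maps to site $site, expected $ExpectedSite" }
    else { "$ip maps to site $site (ok)" }
}

# 2. What does the locator itself say? The site the client was told it is in, and the DC it picks.
nltest /dsgetsite
nltest /dsgetdc:$Domain /site:$ExpectedSite /force

# 3. Are the site-specific SRV records the locator needs actually registered in DNS?
$srv = "_ldap._tcp.$ExpectedSite._sites.dc._msdcs.$Domain"
try { Resolve-DnsName -Type SRV -Name $srv -ErrorAction Stop | Format-Table NameTarget, Port, Priority }
catch { Write-Warning "No SRV record $srv : the $ExpectedSite DC has not registered its site records" }
```

A client whose IP falls in no subnet, or whose site has no `_sites` SRV records, is exactly the case where the locator tries every DC in the domain, including ones the VPN cannot reach.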
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40551850
Has there been any changes in Active Directory to the site architecture? Is it possible that there is some sort of routing issue at the DE sites trying to find the DCs?

Is this problem intermittent?

Are there any events in the event viewer that would point something out? If you run dcdiag /v do you get any errors?


Author Comment

ID: 40551963
This is the weird thing. There are errors in the event log of course, like any server, but going through them nothing stands out.

No changes to AD - the Germany setup is "brand new". Clean build, fully patched DC, joined to the domain with no errors.

Running the MS AD Replication Status Tool (which is really cool BTW) I get NO errors on replication between any DCs or any sites (kind of know replication works for sure).

Intermittent - no. It is a persistent problem.

Creating a secondary VPN from one of the German locations results in the PCs logging on (albeit slow) to one of my London DCs or even the Germany DC, but it needs to establish a connection to London first (as if the PDC FSMO cannot be reached otherwise - just a thought).

Best Practices Analyzer for AD and DNS on all my DCs has no significant warnings and no errors (*).

As far as routing goes all traffic passes through an IPSEC VPN with no restrictions on the tunnels.

The only error I have on a dcdiag /v is "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons" (should I be worried about that, hmmm) - good shout, did not think about running this.

(*) One error on the DC which persists no matter if I make the required change is on the DNS BPA ... I get an error that the loopback adapter must not be the first IP in the DNS settings of the NIC ... I made it second/third etc. but the error remains (been reading about this and it seems like a non-issue, but I might be wrong).

Thank You so much for your quick response

LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552020
Can you run the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads


Author Comment

ID: 40552517
repadmin /replsum
Source DSA no fails no errors
Destination DSA no fails no errors
(*) There is one DC that is not contactable - by design, as the VPN from Germany does not extend to South Africa where we have one DC located.

repadmin /showrepl
Inbound Neighbours - all 5 were successful

repadmin /bridgeheads
The operation completed successfully for all

Interestingly I do get an error at the beginning of the report:  LDAP error 81 (Server Down) Win32 Err 58

Starting to wonder if I need a VPN tunnel between South Africa and Germany (DC locations) as well, just to ensure all DCs can contact one another, although in theory this should not be necessary, I would have thought.

Thank You for your help!


Author Comment

ID: 40552559
dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = xxADserverNAMExx

   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: DE\xxADserverNAMExx

      Starting test: Connectivity

         ......................... xxADserverNAMExx passed test Connectivity

Doing primary tests

   Testing server: DE\xxADserverNAMExx

      Starting test: DNS


         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... xxADserverNAMExx passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : xxNETBIOSnameOFdomainxx

   Running enterprise tests on : xxFQDNnameOFdomainxx

      Starting test: DNS

         ......................... xxFQDNnameOFdomainxx passed test DNS
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40552578
Do you have site link connections created between Germany and South Africa? If there are bridgehead issues then DC replication will not make it to the connecting site. This can cause issues for the site that does not have the FSMO role holder. Essentially all of the Domain Controllers are time servers to the clients, but if DCs that do not hold the PDC role cannot update the time from the PDC emulator you can run into time sync issues, which can cause weird symptoms like users not being able to log in or computers not being able to join the domain or re-establish their trust with the domain.

I would definitely correct some of the issues that you have encountered already as it may be a part of the issue you are trying to resolve.


Author Comment

ID: 40552625
Bit of context:
Germany (DC location) VPN tunnel to UK (DC location)
South Africa (DC location) VPN tunnel to UK (DC location)
NO tunnel between Germany and South Africa
UK:  DC01, DC02, DC03 (DC01=FSMO(all))(ALL DC's are GC's)
ZA:  ZADC01 (GC)

Inter-Site Transports:
SMTP: none set up
IP: "DEFAULTIPSITELINK" in place as per default MS config, cost 100, replication interval 15
"Sites in this site link" - all 3 sites are in there

NTDS Settings (replication partners)
ZA - replicates with DC01 (FSMO) in London
DE - replicates with DC01 (FSMO) in London
3 UK DCs replicate with one another: DC01 with DC02 and DC03, DC02 with DC01 and DC03, DC03 with DC01 and DC02

Would separate IP site links help? Thought this is only for replication, and replication works 100% from what I can see.

Thank You

LVL 53

Expert Comment

by:Will Szymkowski
ID: 40552631
Did the KCC create automatic connections between the 2 sites that do not have VPN tunnels between them?


Accepted Solution

ComPo-IT earned 0 total points
ID: 40553255

This is what I have in the DCDIAG /V log:
Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DEAD01 passed test KccEvent

Can I look for this anywhere else ?

Now have a tunnel between ZA and DE as well, so all DCs "can see one another".
One or two smaller insignificant errors went away because of this configuration - obvious things like "cannot find ZA DC".
As this does not cause any security issue I will leave this in place.

Unfortunately, after fixing all errors (must have the cleanest AD on the planet by now :-)) the problem persists.
PCs in the subnet belonging to the site with the DE DC are still trying to authenticate with the UK/London based DCs and time out (authenticate or join). Adding a second VPN tunnel from one of the locations in DE to London does allow the PC to log on to the domain (as expected), but this is not the desired configuration and renders the "local DE DC" useless.

A thought is to move the DE DC to the ZA site over the weekend for 24 hours and let replication do its thing, then move it back to the DE site and let replication do its stuff, and see if by some miracle this resolves the issue in case a misconfiguration from before caused it (crazy, YES; worth a try, hmm, maybe).

Thank You so much for all your help

LVL 35

Expert Comment

by:Seth Simmons
ID: 40851582
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40851583
I have provided this user helpful information correcting the outstanding issues that were a result of failed replication. Specifically, ID: 40552578.

I obviously helped this user to some degree based on the comment below...
Thank You so much for all your help

Also this user has a more systemic issue outside of this question. I have provided as much detail as I could have to assist this user.

