Clients authenticating HO DC instead of Site DC

Help Request:
Hi Support
We have 2 sites in AD DS (HO & AWS). I have installed a new DC for the AWS site and associated the AWS subnet.
Now the machines in my AWS site are logging on to the HO DC instead of the AWS DC, which increases network latency (as the 2 sites are connected through a site-to-site VPN). How can we make sure AWS site clients authenticate to the AWS DC?
Anwar Manha asked:
Tom Cieslik (IT Engineer) commented:
To force a client to use a specific domain controller we need only do the following:

Start the registry editor
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
From the Edit menu select New - DWORD value
Enter a name of NodeType and press ENTER
Double click on the new value and set it to 4 (this sets the network to M-node/mixed, which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcast) or 8 if at least one WINS server is configured (H-node/queries name resolution first, then broadcasts).
Double click on the EnableLMHOSTS value and set it to 1. If it does not exist, select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS.
Close the registry editor.
Reboot the machine.
The machine is now configured to broadcast for a domain controller on the local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used, it will then search the LMHOSTS file. The next stage is to edit this file.

Check for the LMHOSTS file
C:\>dir %systemroot%\system32\drivers\etc\lmhosts
If the file does not exist copy the sample host file
C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
1 file(s) copied.
Edit the file using edit.exe; don't use notepad.exe.
C:\>edit %systemroot%\system32\drivers\etc\lmhosts
Go to the end of the comments and add a new line of the format
<ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
Save the changes to the file and exit edit.exe.
Force the machine to reload the LMHOSTS file (or just reboot):
C:\>NBTSTAT -R
Note: The -R must be in capitals; the command is case sensitive.
Check the cache
C:\>NBTSTAT -c
At this point the configuration is complete and a reboot is advisable.
0
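The following read-only check is an added example, not part of the answer above: it reports whether the NetBT NodeType / EnableLMHOSTS override and the LMHOSTS #DOM entry described in the steps are present on a client, and which DC and site the domain locator actually returns, so the effect of the change can be confirmed or rolled back. Only the registry path and file location named in the steps are used; run it in an elevated PowerShell on the client.

```powershell
# Added diagnostic (not from the answer above): audits the NetBT/LMHOSTS override
# and shows which DC the client locates. Makes no changes.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$props = Get-ItemProperty -Path $netbt -ErrorAction Stop

# NodeType per the steps: 1 = B-node, 4 = M-node, 8 = H-node; absent = OS default
$nodeType = if ($null -ne $props.NodeType) { $props.NodeType } else { '(not set)' }
$lmhostsEnabled = if ($null -ne $props.EnableLMHOSTS) { $props.EnableLMHOSTS } else { '(not set)' }
Write-Host "NodeType      : $nodeType"
Write-Host "EnableLMHOSTS : $lmhostsEnabled"

# Static DC mappings (#PRE #DOM lines) in the LMHOSTS file, ignoring comment lines
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
if (Test-Path $lmhosts) {
    $domEntries = Get-Content $lmhosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '#DOM:' }
    Write-Host "LMHOSTS #DOM entries:"
    $domEntries | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "LMHOSTS file not present (no static DC mapping in place)"
}

# Current NetBIOS name cache (what NBTSTAT -R preloaded), then the DC the
# locator really picks and the AD site the client believes it is in
nbtstat -c
nltest "/dsgetdc:$($env:USERDNSDOMAIN)"
nltest /dsgetsite
```

If nltest /dsgetsite prints the wrong site (or none), the client's subnet is not mapped in AD Sites and Services, which is the cause worth fixing before any NetBT override.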
Blue Street Tech (Last Knight) commented:
Hi Anwar,

I'm not sure why reg/host hacks are being recommended here...all of the native configurations within AD DS allow you to achieve this by default. Think about enormous environments...do you think engineers are using reg/host hacks to direct traffic??? AD DS site topology provides client affinity, meaning that clients located within a specific site will prefer domain controllers in the same site. This is accomplished by a well-designed AD DS site topology, which will allow you to define subnets that can be associated with the Availability Zones within your VPC. These associations help ensure that traffic—such as directory service queries, AD DS replication, and client authentication—uses the most efficient path to a domain controller. They also provide you with granular control over replication traffic.

How many AZs (Availability Zones) do you have set up? Go to AD Sites and Services and assign the subnets to the respective Site Objects. The Sites in AD DS that represent each AZ in your VPC will associate the subnets with those sites, ensuring that domain-joined instances will primarily use a domain controller closest to them. This is also a key design configuration for maintaining a highly available AD DS deployment in AWS.

Let me know if you have any other questions!

P.S. if you want more traffic, increase the priority of the question from Low to Medium or High or from Medium to High. There is no negative for doing so...only positives for you!
3
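As an added example (not the answer's own code), the site and subnet assignment described above done with the ActiveDirectory PowerShell module instead of the Sites and Services GUI, followed by the checks that show it took effect. The site name AWS, the two VPC subnets and the site link name are assumed placeholders; for one site per AZ, as the answer suggests, repeat the subnet loop once per site.

```powershell
# Added example (not from the answer above): map AWS VPC subnets to an AD site so
# the DC locator returns the in-site DC, then verify from a client. Run on a DC or
# a machine with RSAT, as a user allowed to edit the Configuration partition.
Import-Module ActiveDirectory

$siteName = 'AWS'                              # assumed site name
$subnets  = @('10.0.1.0/24', '10.0.2.0/24')    # assumed VPC subnets, one per AZ
$siteLink = 'DEFAULTIPSITELINK'                # default site link created with the forest

# 1. Create the site if it is missing (the poster already did this) and put it on
#    the site link so replication with HO runs over the VPN.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
    Set-ADReplicationSiteLink -Identity $siteLink -SitesIncluded @{Add = $siteName}
}

# 2. Associate every VPC subnet with the site. This association is what steers
#    clients: the locator matches the client IP to a subnet and returns a DC from
#    that subnet's site.
foreach ($cidr in $subnets) {
    if (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'") {
        Set-ADReplicationSubnet -Identity $cidr -Site $siteName
    } else {
        New-ADReplicationSubnet -Name $cidr -Site $siteName -Description 'AWS VPC subnet'
    }
}

# 3. Subnets with no site: clients there get a DC from any site (the symptom in
#    the question), so this list should be empty.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name

# 4. DCs that now serve the AWS site, for comparison with what a client reports.
Get-ADDomainController -Filter "Site -eq '$siteName'" | Select-Object HostName, Site

# 5. On an AWS-side client: the site it maps to and the DC the locator returns.
nltest /dsgetsite
nltest "/dsgetdc:$($env:USERDNSDOMAIN)"
```

Clients cache their site; after the subnet change a reboot, or waiting for the next locator refresh, is needed before nltest /dsgetdc shows the AWS DC.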

Experts Exchange Solution
Blue Street Tech (Last Knight) commented:
@Tom Cieslik - Don't you feel this is misleading to propose a hack when by design MSFT functions exactly how the OP wants this to work (they just don't know how to properly set it up)? Future readers are going to erroneously think the only way for a client to authenticate to the most efficient DC is to hack it and force it to do so - they are not actually learning how to set it up properly so that it will perform the feat natively.
0