Client authenticating to remote DC

Hi Support
We have 2 sites in AD DS (HO & AWS). I have installed a new DC for the AWS site and associated the AWS subnet.
Now the machines in my AWS site are logging on to the HO DC instead of the AWS DC, which increases network latency (as the 2 sites are connected through a site-to-site VPN). How can we make sure AWS site clients authenticate to the AWS DC?
Anwar Manha asked:
Shaun Vermaak (Technical Specialist IV) commented:
Are subnets correctly assigned to sites?
Are site links' costs correctly set up?
1
Tom Cieslik (IT Engineer) commented:
To force a client to use a specific domain controller you need only do the following:

1. Start the registry editor.
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
3. From the Edit menu select New - DWORD value.
4. Enter a name of NodeType and press ENTER.
5. Double click on the new value and set it to 4 (this sets the network to M-node/mixed, which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcast) or 8 if at least one WINS server is configured (H-node/queries name resolution first, then broadcasts).
6. Double click on the EnableLMHOSTS value and set it to 1. If it does not exist, select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS.
7. Close the registry editor.
8. Reboot the machine.

The machine is now configured to broadcast for a domain controller on the local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used, it will then search the LMHOSTS file. The next stage is to edit this file.

Check for the LMHOSTS file:
C:\>dir %systemroot%\system32\drivers\etc\lmhosts
If the file does not exist, copy the sample host file:
C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
1 file(s) copied.
Edit the file using edit.exe, don't use notepad.exe:
C:\>edit %systemroot%\system32\drivers\etc\lmhosts
Go to the end of the comments and add a new line of the format
<ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
Save the changes to the file and exit edit.exe.
Force the machine to reload the LMHOSTS file (or just reboot):
C:\>NBTSTAT -R
Note: The -R must be in capitals; the command is case sensitive.
Check the cache:
C:\>NBTSTAT -c
At this point the configuration is complete and a reboot is advisable.
0
Anwar Manha (Author) commented:
Hi Shaun,
Yes, subnet & cost are correctly configured.

Hi Expert,
I am following your recommendation. Is edit.exe a third-party program? How can I install it?
0
Mahesh (Architect) commented:
The scenario should work correctly as long as the correct subnet is attached to the correct AD site and you have correctly configured the site link; in your case the site link should contain both the HO and AWS sites.
It looks like clients are unable to find a DC in the local site (AWS site).

Can you post the dcdiag /v results from the AWS DC?

You can hardcode AD site info on clients, but it's not recommended:
http://techgenix.com/dynamicsitenameandsitenamewhichsiteaclientcomputerbelongsto/
0
Blue Street Tech (Last Knight) commented:
Hi Anwar,

Again, I'm not sure why reg/host hacks are being recommended here... all of the native configurations within AD DS allow you to achieve this by default. Think about enormous environments: do you think engineers are using reg/host hacks to direct traffic??? AD DS site topology provides client affinity, meaning that clients located within a specific site will prefer domain controllers in the same site. This is accomplished by a well-designed AD DS site topology, which will allow you to define subnets that can be associated with the Availability Zones within your VPC. These associations help ensure that traffic—such as directory service queries, AD DS replication, and client authentication—uses the most efficient path to a domain controller. They also provide you with granular control over replication traffic.

How many AZs (Availability Zones) do you have setup? Go to AD Sites and Services and assign the subnets to the respective Site Objects. The Sites in AD DS that represent each AZ in your VPC will associate the subnets with those sites ensuring that domain-joined instances will primarily use a domain controller closest to them. This is also a key design configuration for maintaining a highly available AD DS deployment in AWS.

Let me know if you have any other questions!
0
Anwar Manha (Author) commented:
Hi Mahesh,
Site and subnet information is correct, but I see some errors in the dcdiag /v output under
Testing server: AWSVPC\SRVAWSDC
I am also posting the full output. I don't know where to look to resolve this issue; I'd appreciate it if you could advise.

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\SRVDC.RID.LOCAL, when

         we were trying to reach SRVAWSDC.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... SRVAWSDC failed test Advertising

FULL DCDIAG OUTPUT
------------------------------

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine SRVAWSDC, is a Directory Server.
   Home Server = SRVAWSDC

   * Connecting to directory service on server SRVAWSDC.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=AWSVPC,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=APPSVR1,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=SRVAWSDC,CN=Servers,CN=AWSVPC,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 3 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: AWSVPC\SRVAWSDC

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... SRVAWSDC passed test Connectivity



Doing primary tests

   
   Testing server: AWSVPC\SRVAWSDC

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\SRVDC.RID.LOCAL, when

         we were trying to reach SRVAWSDC.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... SRVAWSDC failed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         A warning event occurred.  EventID: 0x800034FD

            Time Generated: 12/17/2017   18:25:17

            Event String:

            File Replication Service is initializing the system volume with data from another domain controller. Computer SRVAWSDC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

             

            To check for the SYSVOL share, at the command prompt, type:

            net share

             

            When File Replication Service completes the initialization process, the SYSVOL share will appear.

             

            The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 12/17/2017   18:27:41

            Event String:

            The File Replication Service is having trouble enabling replication from SRVDC.RID.LOCAL to SRVAWSDC for c:\windows\sysvol\domain using the DNS name SRVDC.RID.LOCAL. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name SRVDC.RID.LOCAL from this computer.

             [2] FRS is not running on SRVDC.RID.LOCAL.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 12/17/2017   18:47:09

            Event String:

            The File Replication Service is having trouble enabling replication from SRVDC to SRVAWSDC for c:\windows\sysvol\domain using the DNS name SRVDC.RID.LOCAL. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name SRVDC.RID.LOCAL from this computer.

             [2] FRS is not running on SRVDC.RID.LOCAL.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... SRVAWSDC passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... SRVAWSDC passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The

         error returned  was 0x0 "The operation completed successfully.".

         Check the FRS event log to see if the SYSVOL has successfully been

         shared.
         ......................... SRVAWSDC passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... SRVAWSDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
         Role Domain Owner = CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
         Role PDC Owner = CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
         Role Rid Owner = CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SRVDC,CN=Servers,CN=HO,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL
         ......................... SRVAWSDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC SRVAWSDC on DC SRVAWSDC.
         * SPN found :LDAP/SRVAWSDC.RID.LOCAL/RID.LOCAL
         * SPN found :LDAP/SRVAWSDC.RID.LOCAL
         * SPN found :LDAP/SRVAWSDC
         * SPN found :LDAP/SRVAWSDC.RID.LOCAL/RID
         * SPN found :LDAP/6334d427-faa0-4a55-a715-5c49f23fa763._msdcs.RID.LOCAL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6334d427-faa0-4a55-a715-5c49f23fa763/RID.LOCAL
         * SPN found :HOST/SRVAWSDC.RID.LOCAL/RID.LOCAL
         * SPN found :HOST/SRVAWSDC.RID.LOCAL
         * SPN found :HOST/SRVAWSDC
         * SPN found :HOST/SRVAWSDC.RID.LOCAL/RID
         * SPN found :GC/SRVAWSDC.RID.LOCAL/RID.LOCAL
         ......................... SRVAWSDC passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC SRVAWSDC.
         * Security Permissions Check for

           DC=DomainDnsZones,DC=RID,DC=LOCAL
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=ForestDnsZones,DC=RID,DC=LOCAL
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=RID,DC=LOCAL
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=RID,DC=LOCAL
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=RID,DC=LOCAL
            (Domain,Version 3)
         ......................... SRVAWSDC passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\SRVAWSDC\netlogon)

         [SRVAWSDC] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... SRVAWSDC failed test NetLogons

      Starting test: ObjectsReplicated

         SRVAWSDC is in domain DC=RID,DC=LOCAL
         Checking for CN=SRVAWSDC,OU=Domain Controllers,DC=RID,DC=LOCAL in domain DC=RID,DC=LOCAL on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SRVAWSDC,CN=Servers,CN=AWSVPC,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL in domain CN=Configuration,DC=RID,DC=LOCAL on 1 servers
            Object is up-to-date on all servers.
         ......................... SRVAWSDC passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING

         SRVAWSDC:  Current time is 2017-12-18 09:20:59.

            DC=DomainDnsZones,DC=RID,DC=LOCAL
               Last replication received from APPSVR1 at
          2017-12-08 08:54:07
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ForestDnsZones,DC=RID,DC=LOCAL
               Last replication received from APPSVR1 at
          2017-12-08 08:54:07
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=RID,DC=LOCAL
               Last replication received from APPSVR1 at
          2017-12-08 08:54:07
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=RID,DC=LOCAL
               Last replication received from APPSVR1 at
          2017-12-08 08:54:07
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=RID,DC=LOCAL
               Last replication received from APPSVR1 at
          2017-12-07 12:19:51
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... SRVAWSDC passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 5100 to 1073741823
         * SRVDC.RID.LOCAL is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4600 to 5099
         * rIDPreviousAllocationPool is 4600 to 5099
         * rIDNextRID: 4600
         ......................... SRVAWSDC passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SRVAWSDC passed test Services

      Starting test: SystemLog

         * The System Event log test
         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:55

            Event String:

            Driver Kyocera TASKalfa 2552ci KX required for printer !!192.168.5.30!MainPrinter-AE is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:55

            Event String:

            Driver Fax - HP Officejet Pro 6830 required for printer Fax - HP Officejet Pro 6830 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:57

            Event String:

            Driver Foxit PhantomPDF Printer Driver required for printer Foxit PhantomPDF Printer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:57

            Event String:

            Driver HP ePrint required for printer HP ePrint is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:57

            Event String:

            Driver HP LaserJet 200 color MFP M276 PCL 6 required for printer HP LaserJet 200 color MFP M276 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:57

            Event String:

            Driver HP Officejet Pro 6830 required for printer HP Officejet Pro 6830 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:58

            Event String:

            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:58

            Event String:

            Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:58

            Event String:

            Driver HP Color LaserJet CM3530 MFP PCL6 required for printer SOHO is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 12/18/2017   09:18:58

            Event String:

            Driver Zebra ZXP Series 3 USB Card Printer required for printer Zebra ZXP Series 3 USB Card Printer is unknown. Contact the administrator to install the driver before you log in again.

         ......................... SRVAWSDC failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=SRVAWSDC,OU=Domain Controllers,DC=RID,DC=LOCAL and backlink on

         CN=SRVAWSDC,CN=Servers,CN=AWSVPC,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL

         are correct.
         The system object reference (serverReferenceBL)

         CN=SRVAWSDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=RID,DC=LOCAL

         and backlink on

         CN=NTDS Settings,CN=SRVAWSDC,CN=Servers,CN=AWSVPC,CN=Sites,CN=Configuration,DC=RID,DC=LOCAL

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=SRVAWSDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=RID,DC=LOCAL

         and backlink on CN=SRVAWSDC,OU=Domain Controllers,DC=RID,DC=LOCAL are

         correct.
         ......................... SRVAWSDC passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : RID

      Starting test: CheckSDRefDom

         ......................... RID passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... RID passed test CrossRefValidation

   
   Running enterprise tests on : RID.LOCAL

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\SRVDC.RID.LOCAL

         Locator Flags: 0xe000f37d
         PDC Name: \\SRVDC.RID.LOCAL
         Locator Flags: 0xe000f37d
         Time Server Name: \\SRVDC.RID.LOCAL
         Locator Flags: 0xe000f37d
         Preferred Time Server Name: \\SRVDC.RID.LOCAL
         Locator Flags: 0xe000f37d
         KDC Name: \\SRVDC.RID.LOCAL
         Locator Flags: 0xe000f37d
         ......................... RID.LOCAL passed test LocatorCheck

      Starting test: Intersite

         Skipping site HO, this site is outside the scope provided by the

         command line arguments provided.
         Skipping site AWSVPC, this site is outside the scope provided by the

         command line arguments provided.
         ......................... RID.LOCAL passed test Intersite
0
Anwar Manha (Author) commented:
Hi Blue Street Tech,
I have only one availability zone in AWS, and that subnet is correctly mapped in AD Sites & Services.
Please see the attached pics.
AWS DC IP: 172.31.33.73
AWS Subnet: 172.31.0.0/16
ADSite1.JPG
AWS_Subnet.jpg
0
Mahesh (Architect) commented:
You have a problem with the AWS DC: the NetLogons and Advertising tests are failing.
Since the NetLogons test failed, the DC is not able to authenticate.
The reason for this is probably name resolution failure and global catalog unavailability.

How have you configured your domain controller?
It is not acting as a global catalog server...
The AWS DC should be a global catalog so as to authenticate users.
If it's not a GC, make it a GC.
Point it to itself as primary DNS and the other DC as secondary DNS, and then restart the Netlogon and DNS Server services.
This will register any missing records in DNS.
After that, check the DNS zone and remove any stale entries from the SRV, NS records etc., and then check if it's working fine.
Run the test again; once the tests are successful, it should authenticate clients in its own site.
0
Anwar Manha (Author) commented:
Hi Mahesh,
Thanks for taking the time to read my question.
I renamed Default-First-Site to HO and created a new site (AWSVPC) and associated the subnet. Then I installed a new Windows server (SRVAWSDC) and installed the AD DS & DNS roles. Yes, it is a GC.

I checked the DNS records; all the required records are registered there. I am attaching screenshots of the DNS records from both DCs.
The only difference I can see is that the first record on AWSDC is showing Start of Authority (SOA). Does it matter?

There are 2 more inputs that could be useful:

1. When I do \\awsdc from HODC I could not see NetLogon & SysVol, but I can see them when I do it from AWSDC to HODC.

2. I got a reply from AWS support; I think this might be helpful to figure out the issue:

I took a look at the traces and this is what I observed; I will explain my findings below as per how the DC locator process should work. Would you be able to confirm if the AWS DC and HODC are both GCs for the RID.LOCAL domain?

1037      8:56:21 AM 12/16/2017      21.7324743            AWSTEST1.RID.LOCAL      srvawsad.rid.local      DNS      DNS:QueryId = 0x1062, QUERY (Standard query), Query  for _ldap._tcp.AWS._sites.dc._msdcs.RID.LOCAL of type SRV on class Internet      {DNS:20, UDP:19, IPv4:5}      ------ 1

1038      8:56:21 AM 12/16/2017      21.7330484            srvawsad.rid.local      AWSTEST1.RID.LOCAL      DNS      DNS:QueryId = 0x1062, QUERY (Standard query), Response - Success, 172.31.32.9       {DNS:20, UDP:19, IPv4:5}. ------2

1487      8:56:35 AM 12/16/2017      35.6147768            AWSTEST1.RID.LOCAL      srvawsad.rid.local      DNS      DNS:QueryId = 0x884E, QUERY (Standard query), Query  for _ldap._tcp.dc._msdcs.RID.LOCAL of type SRV on class Internet      {DNS:24, UDP:23, IPv4:5} ------3

1488      8:56:35 AM 12/16/2017      35.6153372            srvawsad.rid.local      AWSTEST1.RID.LOCAL      DNS      DNS:QueryId = 0x884E, QUERY (Standard query), Response - Success, 192.168.5.18, 172.31.32.9 ...       {DNS:24, UDP:23, IPv4:5}.  -----4


      1. In query 1, we see that the EC2 instance AWSTEST1.RID.LOCAL sends a DNS site-specific query for the site AWS to the DC (srvawsad.rid.local), as this is your preferred DNS server.
      2. In response 2, we see that the DNS server (srvawsad.rid.local) successfully returns the DC IP 172.31.32.9 as the DC in the AWS site, which is as expected.
      3. In query 3, the EC2 instance will now contact the DC returned from the site-specific query (172.31.32.9) to look up the DC in that domain which it can authenticate against.
      4. In response 4, we see that the response is in this order (192.168.5.18, 172.31.32.9) and hence it contacts the AWS DC first because it is the first in the list.

From the traces, we can clearly see that the EC2 instance does contact the AWS DC correctly because it's the preferred DNS server, and the site-specific query also returns the AWS DC, but the DC locator process is not adhering to the latency factor and is returning a different order. I would suspect this has to do with the priority set for the DC SRV records. The DC locator process is a Microsoft script, and the algorithm with which it determines the order in which the DCs are returned depends on the priority and weights that are given to the SRV records for that domain. These SRV records are registered in DNS by the Netlogon service, which is again a Microsoft service, and it is at the time of registration that these weights or priorities are set. Adjusting these settings may require registry changes, and in such cases AWS can only provide best-effort support. I would be more than happy to replicate your scenario in my test lab and verify the behavior, but I would highly recommend having your configuration validated with an AD expert or contacting Microsoft Support to avoid any undesired changes.
DNSRecordAWSDC.JPG
DNSRecordHODC.JPG
0
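Mahesh's checklist (GC status, DNS registration, NETLOGON/SYSVOL shares) and the two locator queries visible in the AWS trace can be verified together from a client in the AWS site with the PowerShell below. This is an added example, not code posted by anyone in the thread; it takes the domain RID.LOCAL and site AWSVPC from the thread, and assumes the RSAT ActiveDirectory module is installed for the global catalog check (that check is skipped otherwise).

```powershell
# Added example (not from the thread): check why a client in a given AD site
# may not be authenticating to the DC in that site.
# Assumptions: run on a domain-joined Windows client in the AWS site; RSAT's
# ActiveDirectory module present for the IsGlobalCatalog check; nltest and
# Resolve-DnsName are built in. Domain/site names come from the thread.
param(
    [string]$Domain = 'RID.LOCAL',
    [string]$Site   = 'AWSVPC'
)

function Get-DcSrvRecords {
    # Returns the SRV records the DC locator asks for: first the site-specific
    # name, then the domain-wide name (the two queries seen in the AWS trace),
    # together with the priority/weight the AWS reply refers to.
    param([string]$Domain, [string]$Site)
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain"
    )
    foreach ($n in $names) {
        $recs = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $recs) {
            [pscustomobject]@{
                Query    = $n
                Target   = $r.NameTarget
                Priority = $r.Priority
                Weight   = $r.Weight
                Port     = $r.Port
            }
        }
    }
}

function Test-DcSuitability {
    # The locator only settles on a DC that answers LDAP and advertises itself.
    # The thread's failing Advertising and NetLogons tests map to the NETLOGON
    # and SYSVOL shares not being reachable, so those are checked explicitly.
    param([string]$DcFqdn)
    $ldap     = Test-NetConnection -ComputerName $DcFqdn -Port 389 -WarningAction SilentlyContinue
    $netlogon = Test-Path "\\$DcFqdn\NETLOGON"
    $sysvol   = Test-Path "\\$DcFqdn\SYSVOL"
    $gc       = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $dc = Get-ADDomainController -Identity $DcFqdn -ErrorAction SilentlyContinue
        if ($dc) { $gc = $dc.IsGlobalCatalog }
    }
    [pscustomobject]@{
        DC              = $DcFqdn
        LdapReachable   = $ldap.TcpTestSucceeded
        NetlogonShared  = $netlogon
        SysvolShared    = $sysvol
        IsGlobalCatalog = $gc
    }
}

# 1. Which site does this client believe it is in (subnet-to-site mapping)?
Write-Host "Client site according to the DC locator:"
nltest /dsgetsite

# 2. Which DCs do the site-specific and domain-wide SRV records advertise?
$srv = Get-DcSrvRecords -Domain $Domain -Site $Site
$srv | Format-Table -AutoSize

# 3. Is each candidate DC actually suitable (LDAP up, shares present, GC)?
$srv | Select-Object -ExpandProperty Target -Unique |
    ForEach-Object { Test-DcSuitability -DcFqdn $_ } |
    Format-Table -AutoSize

# 4. Which DC does the locator pick for this site right now (cache bypassed)?
nltest /dsgetdc:$Domain /site:$Site /force
```

A DC that shows LdapReachable but NetlogonShared/SysvolShared false is the situation in this thread: it is returned by DNS, yet the locator rejects it and falls back to the HO DC.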
Mahesh (Architect) commented:
From the screenshots, I don't know what srvawsad is.

Also, I don't see anything in the dcdiag output which says that the DC is a global catalog server. You need to run dcdiag /v from an elevated prompt on the AWS DC and see if it shows GC; this is the major problem.
Also, if you can't see the NETLOGON and SYSVOL shares on the AWS DC, that is one more problem.
Since you are running FRS SYSVOL, do a SYSVOL non-authoritative restore on the AWS DC and see if you can see the SYSVOL and NETLOGON shares:
https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

Make sure that all FSMO roles are residing on the HO DC before attempting the SYSVOL restore.
0
Tom Cieslik (IT Engineer) commented:
Anwar Manha, edit.exe is one of the text editors you can find on the internet, but you can also use Notepad.
I said not to use Notepad because by default Notepad will not see your LMHOSTS file.
You must do some manual tricks: open Notepad as administrator, then navigate to the folder where LMHOSTS exists, then change the file type filter in the open dialog from the default txt to All Files.
0
Blue Street Tech (Last Knight) commented:
Last call to Anwar before we delete this question. Please respond so we can understand what happened and help you!
0
Anwar Manha (Author) commented:
Yes, NETLOGON & SYSVOL were not being shared; now the issue is resolved.
0