Re: DC communication problem



Gibo,

Ah! A newbie! We have all been there. It is a really good thing that you
are posting to this newsgroup. It is really a wonderful place. There are
lots of people in here with all levels of experience and knowledge.

I think that how you do things depends on what you want to accomplish. If
you do not want your clients authenticating against a Domain Controller that
is located across a WAN link then I would suggest that you set up - in the
AD Sites and Services MMC - a Site for each physical location. You would
also need to create a subnet for each subnet that exists and then associate
that subnet with the correct Site. This is supposed to assist the clients
( read: workstations ) in authenticating against a Domain Controller that is
in the same Site.

There are several Microsoft Knowledge Base Articles on how to do this.
There are several things that you need to know to ensure that this works
properly.

I would suggest that you search the MSKB. Here are some links to get you
started:

http://support.microsoft.com/?id=199174

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsbh_rep_JFBG.asp

http://support.microsoft.com/?id=224815

http://support.microsoft.com/?id=271997

http://support.microsoft.com/?id=313994

http://support.microsoft.com/?id=306602 ( this one is more for the Big
Picture.... ).

Also, here are two MSKB Articles on how WIN2000 and WINXP clients locate
Domain Controllers:

http://support.microsoft.com/?id=247811
http://support.microsoft.com/?id=314861

Also, when you mention 'BDC' you mean that you have a WIN2000 Domain
Controller in each location, correct? And not a WINNT 4.0 Backup Domain
Controller.

You also do not mention what the WAN links are ( 56kbps or T1 or somewhere
in between ). And, I hope that you have a Firewall-to-Firewall VPN set up
( assuming that you do not have private links.... ).

If you have any questions please feel free to ask. I have no problems if
you e-mail directly but it is better that this stay in the news group. This
way everyone can contribute and learn!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Gibo" <martingibney@xxxxxxxxx> wrote in message
news:1115218485.540370.92360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi Cary,
> Thanks for your response. To answer the last first.. they are all
> ireland.mydomain.com !!
>
> Unfortunately i had not a huge knowledge of AD when upgrading this
> network from NT. It was working without a hitch until last week, which
> is about three months in all until i added the BDCs in the other
> countries. If this is expected behaviour then this is fine i guess. It
> would be probably too much hassle to reassign the different countries
> e.g. usa.mydomain.com and belgium.mydomain.com etc...
>
> I have one GC set up, would it be advisable to set up more as i don't
> really understand fully what GC does or if having more than one is
> beneficial to me.
>
>> Are you familiar with how to set up Sites and Subnets in the ADSS MMC?
>
> In a word .. NO.
> Again if this is something you would recommend i do, then i can make it
> happen, but if you think it may be best to leave them all in the same
> subnet??
>
> Thanks
> Martin
>
> Cary Shultz [A.D. MVP] wrote:
>> Gibo,
>>
>> I would suggest that as long as everything is one Site that you will
>> experience clients authenticating against a Domain Controller that is
>> located across the WAN. There is not really too much that you can do about
>> this as this is how things are supposed to happen. Clients authenticate
>> first against a DC in the same Site. If you have only one Site ( well, as
>> set up in AD Sites and Services ) then all three Domain Controllers are
>> 'equal'. The next thing is Weight and then Priority. Not much really that
>> you could do with these!
>>
>> If you were to set up the three Sites ( well, er, the other two since you
>> already have one ) and then create the Subnets and associate each Subnet
>> with the correct Site things *should* work themselves out.
>>
>> Are you familiar with how to set up Sites and Subnets in the ADSS MMC?
>>
>> Also, consider making at least one DC in each Site a Global Catalog Server.
>> You can also do this in the ADSS MMC....
>>
>> Now, are you saying that the DCs in the US have the suffix usa.mydomain.com
>> and the DCs in Germany have the suffix germany.yourdomain.com and the DCs in
>> Japan have the suffix japan.yourdomain.com -OR- are you saying that they all
>> have the suffix whatever.yourdomain.com?
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Gibo" <martingibney@xxxxxxxxx> wrote in message
>> news:1115194424.317308.316280@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> > everything is running under the default first site. I have three
>> > physical locations, but when i started, all suffix are
>> > location.mydomain.com. This is true of all locations. e.g they are all
>> > saying location.mydomain.com but are in different locations!!
>> >
>> > I think there is a problem still as i am authenticating to a DC in
>> > another country at present from this machine when it should not be as
>> > this is over a slow link. Anything i should do to check for problems?
>> > Thanks so far...
>> > Martin
>> >
>
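
The subnet-to-Site association discussed in this thread, sketched as an added Python example (not part of any post above): a client's IP address is matched against the defined subnets, the most specific match decides its Site, and a client whose address matches no subnet has no Site and may be handed any Domain Controller. The address ranges and DC names are constructed for illustration; the location names follow the countries mentioned in the thread.

```python
import ipaddress

# Constructed layout: subnet objects and the Site each one is associated with.
SUBNETS = {
    "10.1.0.0/16": "Ireland",
    "10.2.0.0/16": "USA",
    "10.3.0.0/16": "Belgium",
    "10.2.40.0/24": "Belgium",  # more specific than the USA /16, so it wins
}

# Hypothetical Domain Controller names, one per Site.
DCS = {"Ireland": ["DC-IE1"], "USA": ["DC-US1"], "Belgium": ["DC-BE1"]}


def site_for_client(ip, subnets=SUBNETS):
    """Return the Site for a client IP (longest-prefix match), or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def candidate_dcs(ip, subnets=SUBNETS, dcs=DCS):
    """DCs a client would prefer: same-Site DCs, or every DC if unmapped."""
    site = site_for_client(ip, subnets)
    if site is None:
        # No subnet matches: the client has no Site, so all DCs look 'equal',
        # including the ones across the WAN.
        return sorted(dc for names in dcs.values() for dc in names)
    return sorted(dcs.get(site, []))


def unmapped_clients(ips, subnets=SUBNETS):
    """Audit helper: client addresses that no defined subnet covers."""
    return [ip for ip in ips if site_for_client(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ["10.1.5.20", "10.2.40.7", "10.2.41.7", "192.168.9.4"]:
        print(ip, site_for_client(ip), candidate_dcs(ip))
```

Running the audit helper over the addresses actually in use at each location shows which subnets still need to be created before Site-local authentication can be expected.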

