Re: Created users can't immediately login



That's good because that means you've solved your original problem, right?
You now know that you'll have to wait for replication to have completed
before it would work in a time you are expecting.

Now, about those DC's. In order for your clients to logon, they'll need to
contact a GC for every logon. If they are unable, then logon should fail
(else they're using cached creds for the local workstation but can't access
network resources.)
That's because in a 2003 forest running in 2003 FFL, each logon requires a
GC to be able to enumerate Universal Group (UG) memberships. UG caching
may be off-setting some of this, however it would be considered a best
practice to make all of your DC's, GC's.

I would suggest reviewing your site topology as well and figuring out what
site your desktop is located in. If you find that it's not covered (you can
check event log settings at startup, during normal ops, etc for some entries
related) you'll also see why the desktop is trying to use remote sites at
boot time.

Finally, I highly suggest you locate and review the branch office deployment
guide. I think you may find some useful information there for your
environment that you'd like to know about now vs. later.
http://www.microsoft.com/ad

Al



"msteinhoff" <msteinhoff@xxxxxxxxxxxxxxxxx> wrote in message
news:egXd548DGHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
> Well, setting the subnet for the corporate network did not make either of
> the DC's in the corporate office my logon server. It is still set to a
> server that is in a remote location, with a different subnet.
>
> "msteinhoff" <msteinhoff@xxxxxxxxxxxxxxxxx> wrote in message
> news:%231BC008DGHA.3004@xxxxxxxxxxxxxxxxxxxxxxx
>> The other servers are for authentication in case the network fails. I
>> did not have a subnet assigned to the corporate location, so I'm sure
>> that was the problem.
>>
>> "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
>> news:OLWpNx8DGHA.1384@xxxxxxxxxxxxxxxxxxxxxxx
>>> Your corporate users will try to use the site that they belong in. I.e.
>>> if they have a matching subnet defined to a site, they'll try to use
>>> those servers first (GC).
>>>
>>> Why do you only have one GC? What was the purpose of those other servers
>>> in the remote site? For authentication in case the network fails? Or
>>> something else?
>>>
>>> Al
>>>
>>>
>>> "msteinhoff" <msteinhoff@xxxxxxxxxxxxxxxxx> wrote in message
>>> news:eS1AiV8DGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
>>>> The corporate site is the only global catalog. I typed in set
>>>> for my logon, and it's pointing to a remote site and not to the local
>>>> domain controller. How would I set the domain controllers in the
>>>> corporate office as logonservers for the corporate users?
>>>>
>>>> Thanks
>>>>
>>>> "Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
>>>> news:OoOJLL7DGHA.3528@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Do you have a Global Catalog available in the corporate site?
>>>>>
>>>>> The next time you try this, bring up a command prompt and type set
>>>>> and see what the variable logonserver is set to. This will tell you
>>>>> which server this user has authenticated to.
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>>>>
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>> "msteinhoff" <msteinhoff@xxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:ObABb16DGHA.984@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Yes I do have sites setup. The two domain controllers at the
>>>>>> corporate office are in the default first site. I then created sites
>>>>>> for each of the remote servers, and included the subnets for each
>>>>>> server in subnets.
>>>>>>
>>>>>> "Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
>>>>>> news:O1CCuaMDGHA.208@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> You are correct on the response time, but do you have sites set up
>>>>>>> so that only the two corporate dc's are defined for this user to be
>>>>>>> authenticated against?
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>>
>>>>>>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>>>>>>
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights.
>>>>>>>
>>>>>>>
>>>>>>> "msteinhoff" <msteinhoff@xxxxxxxxxxxxxxxxx> wrote in message
>>>>>>> news:%23YinGGKDGHA.2820@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> Environment:
>>>>>>>> Server 2003
>>>>>>>> Domain Func Level: Windows Server 2003
>>>>>>>> Forest Func Level: Windows Server 2003
>>>>>>>> The environment consists of corporate office(2 domain controllers)
>>>>>>>> and 12 remote offices(1 domain controller/office).
>>>>>>>>
>>>>>>>> Problem:
>>>>>>>> If I create a user in the corporate office, and then try to log
>>>>>>>> that user on in the corporate office, I get an error message
>>>>>>>> stating that the user does not exist. Yet, if I look in my ADUaC
>>>>>>>> on the two domain controllers in the corporate office, the user is
>>>>>>>> there. Do I have to wait for the user to replicate throughout the
>>>>>>>> entire AD structure before they can login?
>>>>>>>>
>>>>>>>> Now, if I created a user on the corporate DC's and then tried to
>>>>>>>> login that user at a remote location I could see having to wait for
>>>>>>>> replication, but that is not the case.
>>>>>>>>
>>>>>>>> Thoughts...
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Mike
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
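
Added example, not part of any post in this thread: a small audit of the subnet-to-site mapping discussed above, showing why a desktop whose subnet is not assigned to any site has no "local" site, and which sites lack a GC. The subnets, DC names and GC flags are constructed sample values; only the shape (corporate DCs in the default first site with no subnet, one DC per remote site) follows the thread.

```python
import ipaddress

# Constructed topology: remote sites have subnet objects, the corporate
# site (default first site) has none, and only a corporate DC is a GC.
SUBNETS = {            # subnet -> site it is linked to (sample values)
    "10.1.0.0/16": "Remote-01",
    "10.2.0.0/16": "Remote-02",
}
SITE_DCS = {           # site -> list of (DC name, is_global_catalog)
    "Default-First-Site-Name": [("CORPDC1", True), ("CORPDC2", False)],
    "Remote-01": [("R01DC1", False)],
    "Remote-02": [("R02DC1", False)],
}

def site_for(ip, subnets):
    """Return the site whose subnet contains ip; the most specific prefix wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None   # None: client is in no defined site

def audit(subnets, site_dcs):
    """List sites that no subnet maps to, and sites with no Global Catalog."""
    mapped = set(subnets.values())
    no_subnet = sorted(s for s in site_dcs if s not in mapped)
    no_gc = sorted(s for s, dcs in site_dcs.items()
                   if not any(is_gc for _, is_gc in dcs))
    return no_subnet, no_gc

if __name__ == "__main__":
    desktop = "10.0.5.20"                       # constructed corporate desktop IP
    print("before:", site_for(desktop, SUBNETS))
    print("sites without subnet / without GC:", audit(SUBNETS, SITE_DCS))
    # Assign the corporate subnet to the corporate site and check again.
    fixed = dict(SUBNETS, **{"10.0.0.0/16": "Default-First-Site-Name"})
    print("after:", site_for(desktop, fixed))
```
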
