Re: Multi AD Sites users authenticate over WAN




Unfortunately the registry change (which you can impose via Group Policy)
won't help you as long as the HQ domain controller advertises itself as a
member of the remote site. I also don't see a connection between a secondary
zone and the problem you are experiencing. Have you verified that the HQ DC
is not configured to provide site coverage as per
http://support.microsoft.com/kb/306602 ?

hth
Marcin

"Newbie" <Newbie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:80C10188-DF61-42E1-A5F9-732F7035AB1C@xxxxxxxxxxxxxxxx
Hi Marcin,
I just found something that may have an impact. I think I may have a case of
too many chefs in the kitchen. I noticed that one of my admins created a
secondary DNS zone in the remote site, because we are in the process of
integrating another company into the domain. The secondary DNS zone is the
DNS of the company we are trying to integrate. Could that be the problem
(the secondary zone)?

No, I do not have a multihomed DC. Do I have to do the registry change to all
client PCs?

many thanks!!



"Marcin" wrote:

You don't happen to have the SiteCoverage for the remote site configured for
the domain controller residing in the HQ site - do you (for details on this
arrangement, refer to http://support.microsoft.com/kb/306602)? And your HQ
domain controller is not multihomed - correct?
Note also that you can actually enforce the site membership on a client by
adding the SiteName REG_SZ entry under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters...

hth
Marcin

"Newbie" <Newbie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6B3D32F-0410-48EE-9448-C494387E6406@xxxxxxxxxxxxxxxx
Hi Marcin, thank you for the quick response.

The site was created after the domain controller was promoted. The
remote-site DC was originally in the "Default-Site..." Yes, the servers are
in the appropriate site. One interesting thing I found is that when I deleted
the _ldap and _kerberos records for the HQ domain controller in the remote
site, the _ldap and _kerberos records recreated themselves in the remote site
within a few hours. ARRRR

many thanks!!!

"Marcin" wrote:

Have you created the remote site prior to installing its domain controllers?
Which site were these domain controllers originally installed in? Do domain
controller objects actually appear under the appropriate sites in Active
Directory Sites and Services? If not, make sure you move them as needed and
restart the NETLOGON service (alternatively, you can execute NetDiag or
DCDiag with the /fix switch). Site-specific SRV record creation should be
automatic (and yes, they should reflect the site membership of each domain
controller)...

hth
Marcin

"Newbie" <Newbie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD14676E-1BE5-4337-8A07-A13C90A56747@xxxxxxxxxxxxxxxx
Marcin, THANK YOU for responding!!!!

When I ran NLTEST /DSGETSITE on the remote server, the result showed the
remote site name.

When I ran NLTEST /DSGETSITE on the HQ server, the result showed
Default-First-Site-Name.

I think you are pointing me in the right direction. When I go to
_tcp.remote-site._sites.dc._msdcs.mydomain.com I find _ldap and _kerberos
records of the HQ domain controllers. Also, when I go to
_tcp.remote-site._sites.mydomain.com I find _gc, _ldap, and _kerberos
records from HQ too. Why are they there? Should I remove them?

many thanks!!!!!!!!!!!


"Marcin" wrote:

Verify that the relevant site-specific SRV records
(_tcp.SiteName._sites.DnsDomainName, _tcp.SiteName._sites.dc._msdcs.DnsDomainName,
_tcp.SiteName._sites.gc._msdcs.DnsForestName., etc.) exist in your DNS
forward lookup zones. Note that the LOGONSERVER environment variable is not
always reliable - although in your case, event log entries seem to confirm
your concerns. Have you checked the output of NLTEST /DSGETSITE as Jorge
recommended? If so, what's the output? Have you confirmed that the subnets
defined for the HQ site are not overlapping with those defined for the remote
site?

hth
Marcin

"Newbie" <Newbie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D92DDB52-E060-41DE-812B-B74426DF8FA8@xxxxxxxxxxxxxxxx
Thank you for responding. I know it's going over the WAN because:

1. The workstations take longer to log on. Also, after I log on, I go to a
command prompt on the workstation and type "echo %logonserver%"; the output
shows one of the domain controllers in HQ instead of the local domain
controller.

2. When I look at the security logs on the HQ domain controllers, I also see
workstations from the remote site authenticating to them.

many thanks!!!!


"Jorge de Almeida Pinto [MVP - DS]" wrote:

How do you know it is going over the WAN?

What does the following say:
NLTEST /DSGETSITE

See:
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------

"Newbie" <Newbie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D95C784E-C787-493C-A6B7-54F1BC4D0D57@xxxxxxxxxxxxxxxx
Hello,
I have two AD sites with 4 domain controllers. All domain controllers are
Windows Server 2003; single forest, single domain, Windows 2000 native
domain mode, and Windows 2000 forest mode. HQ has 3 domain controllers, the
remote site has 1 domain controller. All servers have GC enabled, and each
site is assigned its subnet under "Windows Sites and Services." My problem
is that users from the remote site are authenticating over the WAN to the HQ
domain controllers. What did I miss? My understanding is that once a site
is created and the appropriate subnet and DC are assigned to the site, users
should authenticate to the local site domain controller. What did I miss?

Many thanks!!!
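The thread's diagnosis turns on three checks: which site the client resolves to (NLTEST /DSGETSITE), which DCs are advertised in the site-specific SRV records for the remote site, and whether an HQ DC is configured for site coverage (KB 306602). The following script is an added example written for this archive, not code posted by anyone in the thread. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, the DnsClient module (Resolve-DnsName), and PowerShell remoting to the DCs; the site and domain names are placeholders taken from the thread's own DNS paths and should be replaced with yours. The function names Test-SiteSrvRecords and Get-NetlogonSiteSettings are this example's own.

```powershell
# Added diagnostic for the site-affinity problem discussed in the thread.
# Not from the thread; function names and placeholder values are this example's.

function Test-SiteSrvRecords {
    param(
        [string]$Site   = 'remote-site',   # placeholder: AD site to inspect
        [string]$Domain = 'mydomain.com'   # placeholder: AD DNS domain name
    )

    # Which site does this host resolve to? Same check as NLTEST /DSGETSITE.
    $localSite = (nltest /dsgetsite 2>$null | Select-Object -First 1)
    Write-Host "This host resolves to site: $localSite"

    # Ground truth: the DCs whose computer objects sit in $Site in AD Sites and Services.
    $expected = Get-ADDomainController -Filter "Site -eq '$Site'" |
                ForEach-Object { $_.HostName.ToLower() }

    # Site-specific SRV names from Marcin's reply (the ones the client uses
    # when it believes it is in $Site).
    $srvNames = @(
        "_ldap._tcp.$Site._sites.$Domain",
        "_kerberos._tcp.$Site._sites.$Domain",
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_gc._tcp.$Site._sites.$Domain"
    )

    foreach ($name in $srvNames) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            Write-Warning "$name : no SRV records found"
            continue
        }
        foreach ($r in $records) {
            $target = $r.NameTarget.ToLower()
            # FOREIGN = a DC advertised in this site whose AD object is in another
            # site; this is the HQ-DC-in-remote-site symptom from the thread.
            [pscustomobject]@{
                Record   = $name
                Target   = $target
                Priority = $r.Priority
                Weight   = $r.Weight
                Status   = if ($expected -contains $target) { 'OK' } else { 'FOREIGN' }
            }
        }
    }
}

function Get-NetlogonSiteSettings {
    # Reads the Netlogon site-coverage values KB 306602 describes from each DC.
    # A DC listed as FOREIGN above and carrying $Site in SiteCoverage/GcSiteCoverage
    # will keep re-registering its SRV records there after manual deletion.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    foreach ($dc in Get-ADDomainController -Filter *) {
        $p = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                -ScriptBlock { param($k) Get-ItemProperty -Path $k } -ArgumentList $key
        [pscustomobject]@{
            DC               = $dc.HostName
            ADSite           = $dc.Site
            SiteName         = $p.SiteName          # explicit site pin (REG_SZ)
            SiteCoverage     = ($p.SiteCoverage -join ',')
            GcSiteCoverage   = ($p.GcSiteCoverage -join ',')
            AutoSiteCoverage = $p.AutoSiteCoverage
        }
    }
}

# Usage: run on a workstation in the remote site, then on the DCs.
Test-SiteSrvRecords -Site 'remote-site' -Domain 'mydomain.com' | Format-Table -AutoSize
Get-NetlogonSiteSettings | Format-Table -AutoSize
```

Run the first function from a workstation that shows the symptom: a FOREIGN row under the remote site's records, together with NLTEST reporting the remote site correctly, points at DC-side registration rather than subnet-to-site mapping. The second function then shows whether that DC's own site membership (ADSite vs. the site it thinks it is in) or an explicit SiteCoverage entry explains the re-registration the thread observed a few hours after the records were deleted.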