Windows Clients connecting to DC in wrong site?

active-directory domain domain-controller
6,067

Your problem is that the ping command is not Active Directory site aware. When you issue a ping command against your domain's FQDN, it issues a simple DNS query for the name which returns the IPs of all DCs. It then chooses one round robin from the results to actually use for the ping.

What are you trying to test/accomplish by pinging the domain? If it's just to check whether the server is using the right domain controller for auth, the quickest way I know is using the set command from a command prompt. Look for the LOGONSERVER environment variable. With a little more typing, you can get it directly by typing echo %LOGONSERVER%.

If you need to account for services or applications connecting to the domain that aren't site aware, you need to do a little more work. A super-cheap way we've done this in some of the companies I work for is to manually create site aliases in DNS. In your case, you'd create 4 additional A records in your DNS server:

  • sitea.production.contoso.local -> <IP of DC1-SiteA>
  • sitea.production.contoso.local -> <IP of DC2-SiteA>
  • siteb.production.contoso.local -> <IP of DC1-SiteB>
  • siteb.production.contoso.local -> <IP of DC2-SiteB>

We've done this in some of the companies I work for to account for things like web sites that have AD integration via LDAP. The LDAP protocol by itself is not site aware*. So if the server hosting the site is in Site A and you set the LDAP configuration to use the FQDN of the domain, it may choose to use one of the DCs in Site B. With the additional DNS records, you can set the LDAP configuration to use sitea.production.contoso.local instead. Then as long as you keep those records up to date as you add/remove DCs, you don't ever have to reconfigure the application.

Share:
6,067

Related videos on Youtube

Blurker
Author by

Blurker

Updated on September 18, 2022

Comments

  • Blurker
    Blurker over 1 year

    Ok so Sites are separated by WAN

     Domain            : production.contoso.local


 SITE A
       Site network:  192.168.0.0/16
       Site DCs    :  DC1-SiteA, DC2-SiteA
       Client      :  serverA
 SITE B
       Site network:  172.16.0.0/16
       Site DCS    :  DC1-SiteB, DC2-SiteB
       Client      :  serverB

    Randomly servers seem to resolve the domain name to DC in another site.

    I will logon to a serverA(192.*) and ping our domain "production" and it will resolve to the ip of a DC in a different site(DC1-SiteB, 172.16.0.0/16), while on the other hand if I ping the domain using the full fqdn "production.contoso.com" then I will resolve to the correct DC(DC1-SiteA, 192.168.0.0/16)

    If I flushdns, then the situation reverses it's self, "production" resolves to DC1-SiteA(192*) and "production.contoso.com" resolves to DC1-SiteB(172.*).

    All Clients and Servers are reporting as being in the correct site via http://www.powershellmagazine.com/2013/04/23/pstip-get-the-ad-site-name-of-a-computer/

    DCDiags checkout on all DCs

    All DNS records and _msdcs look correct.

    Is this..normal?..?

    If the domain resolves to a DC in another site, is it pullling policies and authenticating to those, thus slowing logon/reboot times?

    Any other avenue I need to check?

  • MDMarra
    MDMarra over 10 years
    While the information that you've written here is accurate, it doesn't answer the actual question or explain the behavior that the OP is seeing.
  • user3208219
    user3208219 over 10 years
    He specifically asked "If the domain resolves to a DC in another site, is it pullling policies and authenticating to those, thus slowing logon/reboot times?", hence my response.
  • charleswj81
    charleswj81 over 10 years
    Good answer, however be careful relying on the logonserver variable. It is the server that serviced the logged-on user's logon. The server may very well have used/be using a different server. The user session may have moved on to a different server, but the value will never update until you log off and log on again. Further, other portions of the logon process may or may not use the same server, including the Group Policy GPT's (Sysvol/DFS) and GPC's (AD/LDAP). The only way I've ever found to /truly/ determine the currently utilized DC is via network capture.
  • Ryan Bolger
    Ryan Bolger over 10 years
    Good point Charles.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cannot connect Windows 7 machine to windows 2003 domain
Cannot rename a computer on a domain
All options greyed out when trying to configure Active Directory Domain Services Windows Server 2012 R2
Logon as a Service overwritten by Default Domain Policy
Same domain names internal and external issue
How to force a domain PC to use a specific DC?
GPO Printer Deployment Ordering greyed out
Why can't I replicate DNS zones to non-DC DNS servers?
Authenticate client against specific Domain Controller
Windows 10 Hello on domain-joined computer - Credentials could not be verified