
Is there any specific way of getting machines to authenticate against the Global Catalog in their own site? I've got a site where the machines are often being authenticated by a GC in a remote site (connected via a 4MB private WAN link), rather than their local one.

I've tried setting the group policy option that forces machines into a specific site, instead of them determining the site via their subnet.

I guess that it shouldn't be such an issue, as the group policies will still be retrieved from their site's local \\domain\sysvol share.

Coops
Daniel.S
  • I've retagged your post for you. Generic tags such as "sysadmin" on server fault are a little pointless! – Coops Feb 03 '10 at 06:42
  • Why does it have to be a GC? Can it be a DC? Do you have link costs set up in sites and services and partition the GCs/DCs into sites? – ta.speot.is Feb 03 '10 at 07:02
  • Yes, they are partitioned. All link costs are at default, and are irrelevant to this problem as I'm dealing with client authentication within a single site/subnet, not the KCC and replication: "The cost of a site link determines the relative preference of the Active Directory Knowledge Consistency Checker (KCC) for using a site link in the replication topology. The higher the cost of the site link, the lower will be the KCC's preference for using the site link." GC does the authentication. There's a GC in each of my sites, bridgeheads are assigned wherever there are 2 DCs in a single site. – Daniel.S Feb 04 '10 at 11:34

2 Answers


Do you have your sites and subnets setup correctly in the "Active Directory Sites and Services" Snap-in?

If you don't have sites set up, the machines will just round-robin authenticate against any server in the domain, since AD thinks all machines are in the same site.

Once you set up your sites and associate the subnets to them, this behavior will stop.


Since sites and services are setup correctly - the only reason you would be authing against a DC outside of your site would be if the client couldn't connect to a local DC.

I would:

  • Verify no firewalls are blocking the AD ports
  • Run dcdiag on the DCs
  • Run netdiag on the DCs
  • Check the Directory services log for errors.
Zypher
  • Yes, sites and services have been correctly configured since setting up that site. The DC in that site is also configured as a GC – Daniel.S Feb 04 '10 at 11:16
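The checks in the answer above, as an added PowerShell example that is not part of the original answer or of any Microsoft documentation. It assumes a Windows 7/2008 R2 or later workstation and DC (nltest.exe ships in System32 from there on; netdiag.exe only existed in the older Support Tools), PowerShell with the DnsClient/NetTCPIP modules for Test-NetConnection, and the placeholder names corp.example.com and dc1.corp.example.com. The first half runs on a workstation in the affected site and shows which site the client believes it is in and which DC/GC the locator hands back; the second half runs on the local DC.

```powershell
# Added example, not code from the original answer.
# Placeholders (assumptions): domain corp.example.com, local DC dc1.corp.example.com.
$Domain  = 'corp.example.com'
$LocalDc = 'dc1.corp.example.com'

# --- On a workstation in the branch site -------------------------------------

# 1. Which site does this machine think it is in?
#    Netlogon derives this from the client IP and the subnet objects in Sites and Services.
#    If this prints the wrong site (or none), the subnet-to-site mapping is the problem.
nltest /dsgetsite

# 2. Which GC does the DC locator return right now? /force bypasses the cached entry.
#    In the output, 'Flags: ... CLOSE_SITE' means the returned DC is in the client's site;
#    if CLOSE_SITE is missing, the locator found no usable in-site DC and fell back.
nltest /dsgetdc:$Domain /gc /force

# 3. The DC that actually processed the last interactive logon.
"LOGONSERVER = $env:LOGONSERVER"

# 4. Is the local DC reachable on the ports the locator, Kerberos, LDAP and SYSVOL need?
#    A blocked port here is exactly the "client couldn't connect to a local DC" case.
$Ports = 53, 88, 135, 389, 445, 464, 3268   # DNS, Kerberos, RPC EPM, LDAP, SMB, kpasswd, GC
foreach ($Port in $Ports) {
    $r = Test-NetConnection -ComputerName $LocalDc -Port $Port -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $Port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED / unreachable' })
}

# --- On the local DC -----------------------------------------------------------

# 5. dcdiag: is the DC advertising itself (as GC), are its DNS records registered,
#    and can it reach its replication partners?
dcdiag /test:advertising /test:dns /test:connectivity

# 6. Recent errors and warnings in the Directory Service log (Level 1-3 = critical/error/warning).
Get-WinEvent -LogName 'Directory Service' -MaxEvents 200 |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

Run step 2 a few times over a day; if the returned DC flips between the local and remote one, the locator is failing to reach the local DC intermittently rather than being misconfigured.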

Actually we have found that group policies may also be pulled from a remote domain controller, which is much slower than the authentication. Even over a wan link, the authentication during a logon should be relatively quick. Applying user group policies during a workstation logon would be noticeably slower, and machine group policies are re-applied every 90 minutes by default.

Some people have had success adjusting a registry setting called DNSAvoidRegisterRecords. Before investigating this, however, you should first verify that all of your domain and site DNS records and zones are correct and updating properly, that workstations are using their local AD DNS server, and that you don't have a configuration that could complicate this, such as a DC with multiple network cards. You should also set up a packet capture to confirm when and how often the remote DCs are being used, and to validate the result of any changes.

This behavior may be normal if the domain controller in the local site is unavailable or not responding; clients should attempt to use another DC. One thing you do not want is a configuration with only one DC available.

For a description of the DNS records that apply to domain controllers and global catalogs, see:

How to optimize the location of a domain controller or global catalog that reside in another site
http://support.microsoft.com/kb/306602

This can usually be accomplished by not registering some records and manually specifying other DC/GC-specific records with the desired priority. The DNS priority directs clients to use the lowest-priority SRV record for a DC/GC, unless the low-priority servers are not responding.

The following article describes a typical use of adjusting DNS weight and priority of SRV records for domain controllers:

http://technet.microsoft.com/en-us/library/cc787370%28WS.10%29.aspx

Greg Askew
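The SRV-record checks and the priority/record-registration adjustments described in the answer above, as an added PowerShell example that is not part of the original answer or of the linked Microsoft articles. It assumes PowerShell with the DnsClient module (Resolve-DnsName, Windows 8/2012 or later) and the placeholder names corp.example.com for the domain/forest and BranchSite for the affected site. The first part is run from a branch workstation and lists the site-specific records the locator tries first, followed by the generic fallback records; the second part is run on the remote (HQ) DC and sets the Netlogon registry values that control the priority it registers and which records it registers at all.

```powershell
# Added example, not code from the original answer.
# Placeholders (assumptions): domain/forest corp.example.com, site BranchSite.
$Domain = 'corp.example.com'
$Site   = 'BranchSite'

# --- 1. From a branch workstation: what does the locator see in DNS? ----------
# Netlogon queries the site-specific names first; only if they return nothing
# does it fall back to the domain-wide names, which contain every DC/GC.
$Queries = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",      # DCs registered for this site
    "_gc._tcp.$Site._sites.$Domain",                  # GCs registered for this site
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",  # KDCs for this site
    "_ldap._tcp.dc._msdcs.$Domain",                   # generic fallback: all DCs
    "_gc._tcp.$Domain"                                # generic fallback: all GCs
)
foreach ($q in $Queries) {
    "== $q"
    $recs = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
    if (-not $recs) { "   (no records: site name/subnet mapping or registration problem)"; continue }
    # Lowest Priority wins; among equal priorities, higher Weight is chosen more often.
    $recs | Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Format-Table NameTarget, Priority, Weight, Port -AutoSize
}

# --- 2. On the remote (HQ) DC: make it a lower-preference target -------------
# Only do this on a DC you want clients in OTHER sites to prefer not to use.
# LdapSrvPriority is the SRV priority Netlogon registers (default 0; higher = less
# preferred). LdapSrvWeight is the weight among equal-priority DCs (default 100).
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Type DWord -Value 10

# Optionally stop it from registering the generic (non-site) LDAP/GC records, so it
# only appears under its own site's _sites names. Caveat: if every DC does this,
# clients in a site with no DC and no automatic site coverage cannot locate one.
Set-ItemProperty -Path $NetlogonParams -Name DnsAvoidRegisterRecords -Type MultiString `
    -Value @('Ldap', 'LdapIpAddress', 'Gc', 'GcIpAddress')

# Netlogon re-registers its DNS records on restart; the old records are removed
# after they age out of the zone (or delete them by hand in the DNS console).
Restart-Service Netlogon
nltest /dsregdns
```

After the Netlogon restart, repeat part 1 from the branch workstation: the HQ DC should either disappear from the generic records or show the higher priority number, and the branch DC should still be the only entry under the BranchSite names.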