3

I'm still scratching my head over this situation...

You see, we have 3 RW DCs in the HQ, and 1 RODC in every branch site (50+ locations).

During startup, a script will pull in some files from \\example.com\SYSVOL\example.com\Common\Data

But we have been experiencing bandwidth overload. A traffic analysis indicated that lots of clients in the Branch Sites were trying to access the SYSVOL located in the RW DCs.

E.g.: If the RW DCs are 10.1.0.15, 10.2.0.15, and 10.3.0.15, and site 'X' has a subnet of 10.27.0.0/16 (with its RODC at 10.27.0.15), clients at site 'X' seem to insist on accessing \\10.1.0.15\SYSVOL or \\10.2.0.15\SYSVOL or \\10.3.0.15\SYSVOL; they seem to be ignoring the RODC completely.

What is going on here? Where should I start investigating what went wrong?

BTW, I'm already using DFS-R, and replication has been going on successfully; I can put a small 'canary' file on one of the RW DCs, and within minutes all the RODCs will have successfully replicated the 'canary' file.


Additional Information: If I try doing nslookup example.com, I get only the addresses of the RW DCs. None of the RODCs' addresses appear.

Secondary Question: What if I add the addresses of the RODCs manually into the DNS? Will I be causing trouble?

pepoluan
  • Maybe this will help: http://support.microsoft.com/kb/977510 – joeqwerty Oct 17 '12 at 21:08
  • The behavior you're seeing in your "Additional Information" re: the RODCs not registering the "A" record for the domain is a stock behavior and is expected. – Evan Anderson Oct 18 '12 at 03:23
  • @EvanAnderson thanks... but doesn't that mean clients will then access the RW DCs to resolve UNCs like `\\example.com` ? – pepoluan Oct 21 '12 at 12:05
  • The name will resolve to a non-RoDC, but my understanding of the DFS namespace behavior is that then client will be sent a referral to the closest replica (based on site topology). The DNS resolution and the referral are distinct. – Evan Anderson Oct 21 '12 at 16:47
  • I'm sure you have already done this, but have you verified the IPs assigned to the sites match the clients' IPs? Might just have the subnets unlisted or not have them assigned to the right site. – Nick W. Apr 27 '18 at 14:14

2 Answers

3

You need to define these sites and subnets in Active Directory Sites and Services and then assign the Read Only Domain Controllers to the specific sites.

MDMarra
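A way to check the site/subnet assignment this answer describes, as an added example that is not part of the original answer: it maps a client IP to the most specific AD subnet that covers it and lists the domain controllers assigned to that subnet's site, so a branch whose RODC is missing (or whose subnet is unlisted) stands out. It assumes the ActiveDirectory PowerShell module (RSAT) and uses constructed sample addresses from the question.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Convert a dotted IPv4 address to an integer (int64 avoids int32 overflow).
function Get-IPv4Int([string]$Address) {
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# True when $IP falls inside the CIDR block $Cidr (e.g. 10.27.0.0/16).
function Test-IPInSubnet([string]$IP, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    return ((Get-IPv4Int $IP) -band $mask) -eq ((Get-IPv4Int $net) -band $mask)
}

# For one client address: find the longest-prefix AD subnet covering it, then
# list the DCs in that subnet's site and flag whether a read-only DC is present.
function Get-SiteDcsForClient([string]$ClientIP) {
    $subnet = Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' -and (Test-IPInSubnet $ClientIP $_.Name) } |
        Sort-Object { [int]($_.Name.Split('/')[1]) } -Descending |
        Select-Object -First 1

    if (-not $subnet) {
        # No subnet object covers this address: the DC locator cannot place the
        # client in a site, so it may pick any DC, including the hub RW DCs.
        return [pscustomobject]@{ ClientIP = $ClientIP; Subnet = $null; Site = $null; DCs = @(); HasRODC = $false }
    }

    # Subnet.Site is a DN such as CN=SiteX,CN=Sites,CN=Configuration,...; take the CN.
    $siteName = ($subnet.Site -split ',')[0] -replace '^CN=', ''
    $dcs = @(Get-ADDomainController -Filter { Site -eq $siteName })

    return [pscustomobject]@{
        ClientIP = $ClientIP
        Subnet   = $subnet.Name
        Site     = $siteName
        DCs      = $dcs | ForEach-Object { "$($_.HostName) (RODC=$($_.IsReadOnly))" }
        HasRODC  = [bool]($dcs | Where-Object { $_.IsReadOnly })
    }
}

# Constructed sample client addresses: one branch client, one HQ client.
'10.27.0.50', '10.1.0.40' | ForEach-Object { Get-SiteDcsForClient $_ } | Format-List
```

A row with an empty Subnet, or a branch site whose HasRODC is False, points at the missing subnet or site assignment; on the client itself, `nltest /dsgetsite` shows which site the DC locator actually assigned.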
1

I wonder if you're seeing the behavior described in this article where clients issue DNS requests w/o the site when the DC locator code runs. It would be interesting to sniff the traffic coming out of a client when it boots to see what the DNS queries coming from the client look like. The wording in that article is less than helpful ("If this issue occurs in an environment in which only the hub DCs for the site-less SRV records are registered in DNS, and if the client computer's remote branch site is disconnected from the hub site, then the client computer cannot locate a DC.") but it's worth a shot.

I assume you haven't changed the default "PreferLogonDC" and "SiteCostedReferrals" settings (both of which are sane defaults in W2K8). If you have, look into changing them back to sane settings.

Evan Anderson