I'm having a problem which I've seen before but haven't yet found a solution to. I've got multiple AD sites in one domain, physically separated and logically separated by different subnets and AD sites.
When a user account is enabled after being in a disabled state at one site and then attempts to log in on a workstation (at that site), they receive a login message that their account is still disabled.
When checking against all DCs, the local DC states the user is enabled, but as replication has not yet taken place all the others still show the account as disabled. Testing with an enabled user entering wrong passwords shows the incorrect password event is hitting the local DC and also the primary DC for the domain (but not at the user's site). I haven't yet been able to find the right event IDs in Win2k8 for wrong password attempts, so I can't yet advise which DC the incorrect password request originated from.
All subnets are correct and there are no errors in %systemroot%\debug\netlogon.log on the local DC; the server reports it is in the correct site, the workstation reports it is in the correct site and its logon server is the local DC, all DFS paths resolve to the local DFS host, and after logon I cannot see any traffic to another DC. Pinging the domain name resolves to the local DC as well. We also set DNS to point only to the local DC.
Does anyone have an idea why this setup would require a DC other than the local DC to have the account unlocked? Users would like to use their accounts immediately, so a resolution to this would be very helpful.
Win 7 clients, Win 2k8 R2 servers, 2003 functional-level domain in a multi-AD-site configuration.
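The per-DC check described in the post, as an added PowerShell example (not code from the original post): it asks every DC in the domain for the user's userAccountControl and lockoutTime, flags which DCs still hold the disabled state, and reports which DC and site the current workstation is using. It assumes the RSAT ActiveDirectory module is installed; the account name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is available; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
$ACCOUNTDISABLE = 0x2

$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName

$results = foreach ($dc in $dcs) {
    try {
        # Query each DC directly so we see its own (possibly unreplicated) copy.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties userAccountControl, lockoutTime, whenChanged `
                        -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            Disabled    = [bool]($u.userAccountControl -band $ACCOUNTDISABLE)
            LockedOut   = ($null -ne $u.lockoutTime -and $u.lockoutTime -ne 0)
            WhenChanged = $u.whenChanged
            Error       = $null
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; Disabled = $null
            LockedOut = $null; WhenChanged = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# DCs still reporting Disabled=True have not yet received the change.
$stale = $results | Where-Object { $_.Disabled -eq $true }
if ($stale) { "Still disabled on: " + ($stale.DC -join ', ') }

# Which DC did this workstation authenticate against, and which site is it in?
"LOGONSERVER : $env:LOGONSERVER"
nltest /dsgetsite
```

Comparing the WhenChanged column across DCs shows how far the enable has replicated; a DC listed under Error could not be reached from the workstation at all.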