Multi-site, single-domain setup question: which DC authenticates logins?
Tags:
Active Directory
Active Directory Forest
Authentication
Domain Controller
Windows Server 2003
Windows Server 2003 Forest
I have a single domain/forest setup. I recently created a second site in Active Directory and added a domain controller to it. Both DCs are Server 2003.
At the new site with the new DC, I run the command "echo %logonserver%" on a workstation, and it replies back with the old domain controller name. This leads me to believe that the workstations at the new site are authenticating to the DC at the other site.
I want the workstations at the new site to authenticate to the new DC that is part of their site. How will I make this happen? I read some stuff saying that I would have to make the new DC a global catalog server; however, I also read some stuff saying that secondary global catalog servers are useless unless you have a multi-domain setup.
Does anybody have some experience in this area?


Software/Hardware used:
server 2003

Answer Wiki

After following the steps in the following article, the problem was resolved.

http://powerbiz.spaces.live.com/Blog/cns!4549FE505D68E9F1!146.entry?wa=wsignin1.0&sa=95986152

Now I just wish I knew what caused it?

———————————

When you set up the second site, did you assign specific subnets to each site? That's how AD figures out which site the workstations belong in. After the computer is rebooted it should log in via the local domain controller. You should have at least one Global Catalog in each site.
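The checks behind that answer, as an added example that is not part of the thread: nltest asks the DC locator directly which site the workstation and a given address resolve to, and forces a fresh DC lookup instead of trusting %logonserver%, which is set once at logon and stays cached until the next logon. The domain name domain.local, the DC names oldDC and newDC and their addresses are taken from later in the thread; the workstation address 192.168.4.50 is an assumption. nltest and repadmin come from the Windows Server 2003 Support Tools, so the same lines work from cmd.exe on a DC or an XP client that has them installed.

```powershell
# Added example (not from the thread). Run steps 1-3 on a workstation at the
# new site and steps 4-5 on a DC. Assumes domain.local, oldDC (192.168.1.104)
# and newDC (192.168.4.104) as in the thread; 192.168.4.50 is an assumed
# workstation address.
$domain   = 'domain.local'
$dcs      = 'oldDC', 'newDC'
$clientIp = '192.168.4.50'

# 1. Which site does this machine think it is in? An empty or wrong answer
#    means no subnet object in AD Sites and Services covers its address.
Write-Host "Site of this machine:"
nltest /dsgetsite

# 2. Which site does the DC locator map the client address to? A client whose
#    address falls in no subnet object is handed a DC from any site, which is
#    exactly the symptom in the question (%logonserver% names the remote DC).
Write-Host "Site for ${clientIp}:"
nltest "/dsaddresstosite:$clientIp"

# 3. Force a fresh DC discovery rather than reading the cached %logonserver%.
#    'Dom Site Name' and 'Our Site Name' in the output should both be the new
#    site, and the DC returned should be newDC.
Write-Host "Fresh DC lookup for ${domain}:"
nltest "/dsgetdc:$domain" /force

# 4. A DC that never finished its initial FRS sync does not publish SYSVOL or
#    NETLOGON, and clients will not use it for logon until it does.
foreach ($dc in $dcs) {
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $ok = Test-Path "\\$dc\$share"
        Write-Host ("\\{0}\{1} present: {2}" -f $dc, $share, $ok)
    }
}

# 5. Inbound replication status of each DC; a DNS-resolution failure of the
#    partner shows up here before it shows up as a logon problem.
foreach ($dc in $dcs) {
    repadmin /showrepl $dc
}
```

If step 2 returns the new site but step 4 shows newDC without SYSVOL and NETLOGON, the site configuration is fine and the problem is the DC itself, which is where this thread ends up.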

Discuss This Question: 15 Replies

  • Ingram87
    Yes, there are subnets set up for both sites. They are still authenticating to the DC at the other site. Will they continue to do this until I make the new DC a global catalog server? Or is there something else I'm missing?
  • saturno
    From what you are saying, you only need to make this second site DC a Global Catalog. After this, make sure you right-click it and choose "replicate now" so that both servers acknowledge this change. After this your clients in the second site should be authenticated by the in-the-same-subnet GC. It is a good practice to have at least two GCs even in a single little domain. If anything goes wrong with the DC that holds the FSMO roles you can still transfer those roles to the second DC (and be happy ;-)). HTH
  • Spadasoe
    Go into AD sites and services, select the site, verify the DC in that site shows up in the site container. Also check the subnet and make sure it is associated with the correct site.
  • Ingram87
    I made the new DC a global catalog server, and then in Sites and Services I right-clicked and chose "replicate now". I got an error message, "The RPC server is unavailable", and it said it was possibly caused by a DNS lookup failure. I looked in Services, and the RPC service was running, but the RPC Locator service wasn't running and it was set to Manual. I started it and the replication error went away. Should that be set to Automatic, or is that normal behavior? I will check the status of the workstations at the new site in a few hours to see if that resolved the problem.
  • Ingram87
    Yes, the DC shows up in the appropriate container, and the subnets are associated accordingly.
  • saturno
    Ok, by now you should already have your problem solved. Is that right?
  • Ingram87
    No, not yet. There is 1 DC at each site. Both sites are set up correctly (subnets are associated to sites, and DCs are in the site folders). Both are Global Catalog servers. When I right-click in Sites and Services and tell it to replicate now (I do it on both sites), I get the message, "One or more of these Active Directory connections are between domain controllers in different sites. Active Directory will attempt to replicate across these connections". It also gives a link to find out how to verify replication, and the server passes the verification. When I log in to the workstation at the new site, after restarting it, I run "echo %logonserver%" and the old DC name is returned.
  • Ingram87
    Is there something I'm missing? Any ideas?
  • Ingram87
    Hmmm... Have event ID 2087 on the original DC at the first site: "Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources. " After looking in to this error, I noticed that the new DC does not have SYSVOL or NETLOGON shares. Since those are necessary for replication, then something is jacked up! I used dcpromo to make the new server a DC, and everything went fine. I can access active directory users and computers and sites and services from the new DC, so what the heck is going on here?
  • Denny Cherry
    It sounds like something is screwed up with either your DNS config or your domain controller. I'd go through and make sure that DNS is working correctly as without DNS nothing is going to work. What IPs do you have listed as the DNS servers on your DCs? If that doesn't help I'd remove the new machine as a DC via dcpromo and then promote it again.
  • Ingram87
    From the DNS manager: oldDC - 192.168.1.104, newDC - 192.168.4.104. I can ping and nslookup both servers from both locations. If I go to the newDC and open up "c:\windows\sysvol\sysvol\domain.local", it is empty. This stuff should be replicated from the other DC. Maybe something is messed up in DNS. I'll have to do some more research this weekend.
  • Ingram87
    I found somebody who has the same problem as me and they posted their solution here: http://powerbiz.spaces.live.com/Blog/cns!4549FE505D68E9F1!146.entry?wa=wsignin1.0&sa=95986152 I also talked to somebody who had the same problem and this resolved it. I'm going to try this on the weekend and I'll post the results. Thanks everybody.
  • Bravelad
    Hi, the link you mentioned is not working. Is there any other way I can get the solution? Thanks
  • Ingram87
    I used the BurFlags registry entry to rebuild the DC's copy of SYSVOL. Here is a good Microsoft KB on it, which is basically the same thing as the original link I posted: http://support.microsoft.com/kb/290762 I did an authoritative restore on the original DC that was working, and then I did a non-authoritative restore on the new DC that wasn't working. After that, it should replicate within a minute or two.