Active Directory Sites Authentication Issues

Kevin Kelly

We are running a single domain with 10 different sites
configured in AD. I have been noticing that many users
are authenticating against domain controllers from a
different site. I know this can happen when the request
needs an Operations Master, but this is not the case for
all of these issues. Some users will authenticate to a
non-operations master for a different site while their DC
is up and operational. I have been looking for any
documentation on this issue on Microsoft's Support Site,
but have not found anything. Has anyone seen this before
and can point me to any documentation?

Thank you.
 
Simon Geary

This KB will give you some troubleshooting steps to run through. The main
things to look at will be your DNS configuration and to make sure your AD
sites and subnets all match up correctly:
http://support.microsoft.com/?id=247811

There is no easy way to force a client to authenticate against a particular
DC but it is possible by modifying the domain wide DC records on each local
DNS server so that the only DC known to the local DNS server is the local
DC. This introduces problems with redundancy but can still be considered in
your overall design.
 
Santhosh Sivarajan

If you are using W2k and WinXP clients and your subnet association is
correct, by default, all the client machines will use the local subnet DC for
authentication. If you are using Win9x you can modify the registry to force the
authentication.

Santhosh
 
Cary Shultz [A.D. MVP]

Santhosh,

Typically that is correct. However, take a look at the MSKB link that I
submitted in my post.

Cary
 
SWalters

Cary said:
Kevin,

Take a look at the following MSKB Article:

http://support.microsoft.com/?id=306602

Pay particular attention to the 'Generic Records' section near the top.

What about just creating the appropriate subnets under the "Sites and
Services" utility, then moving the domain controllers which reside on those
subnets to the newly created subnets?

This forces anyone from a certain subnet of IPs to only login to a domain
controller within their subnet.

I've used this a few times before but would really like to hear the ill
effects it may have since neither of you recommended it for this situation.

Thanks,
 
Cary Shultz [A.D. MVP]

That is absolutely the correct thing to do. Setting up Sites is how one
controls both AD Replication and user logons. Creating the Sites ( where
appropriate ) in the ADSS MMC is the first step, creating Subnets is the
next step and associating the Subnet with the Site is the next step.
Putting the DC in the Site ( both physically and logically ) is the next
step. Then, all computers in that Site are *supposed* to authenticate
against that DC.

I believe that neither Simon nor I suggested to set up Sites because of his
first sentence: "We are running a single domain with 10 different sites
configured in AD". This would lead one to believe that Kevin did indeed set
up the 10 Sites in ADSS MMC.

Cary
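
An added example, not part of any post in this thread: a Python sketch of the subnet-to-site check the replies above describe, flagging logons where the client's site and the authenticating DC's site differ. All subnets, site names, DC names and logon records are constructed; a client's site is taken from the most specific subnet object that contains its address.

```python
import ipaddress

# Constructed sample data (not from the thread): subnet objects and their
# site, as they would be defined in AD Sites and Services.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",      # more specific subnet inside 10.1.0.0/16
    "10.2.0.0/16": "Branch-A",
}
# Constructed: the site each DC's server object sits in.
DC_TO_SITE = {"DC-HQ1": "HQ", "DC-BRA1": "Branch-A"}
# Constructed logon records: (client IP, DC that authenticated the client).
LOGONS = [
    ("10.1.4.20", "DC-HQ1"),     # same site
    ("10.2.9.7", "DC-HQ1"),      # Branch-A client, HQ DC, local DC exists
    ("10.1.50.8", "DC-HQ1"),     # HQ-Lab has no DC of its own
    ("192.168.7.3", "DC-BRA1"),  # no subnet object covers this address
]

def site_for_ip(ip, subnet_to_site):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def audit_logons(logons, subnet_to_site, dc_to_site):
    """Classify each logon by how client site and DC site relate."""
    sites_with_dc = set(dc_to_site.values())
    results = []
    for ip, dc in logons:
        client_site = site_for_ip(ip, subnet_to_site)
        dc_site = dc_to_site.get(dc)
        if client_site is None:
            verdict = "unmapped-subnet"      # fix: add a subnet object
        elif client_site == dc_site:
            verdict = "ok"
        elif client_site not in sites_with_dc:
            verdict = "site-has-no-dc"       # cross-site logon is expected
        else:
            verdict = "cross-site"           # local DC exists but was not used
        results.append((ip, client_site, dc, dc_site, verdict))
    return results

if __name__ == "__main__":
    for row in audit_logons(LOGONS, SUBNET_TO_SITE, DC_TO_SITE):
        print(row)
```

Only the "cross-site" rows match the symptom in the original question; the "unmapped-subnet" rows point at a missing subnet definition rather than a DC problem.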
 
SWalters

Cary said:
I believe that neither Simon nor I suggested to set up Sites because
of his first sentence: "We are running a single domain with 10
different sites configured in AD". This would lead one to believe
that Kevin did indeed set up the 10 Sites in ADSS MMC.

Ahhh, I see. Sometimes I don't take the word "sites" into AD terms. I think
of physical sites as in "remote sites." I think the word "different" had me
thinking the other way. Well, hopefully that is exactly what he did, as that
should have rectified all of his issues.

Oh, Cary, any way you can take a look at my previous question regarding a
trust problem I'm having? The post had a subject of "Trust Relationship
stopped only one-way."

I am completely stumped on this and the only person to reply has not yet
re-replied.

Thanks,
 
