Authenticating to remote site

The Head Mushroom

We have 3 domain controllers in our main site. We have 1
domain controller in our remote site, which is connected
to our main site by a 128k ISDN line.

A large portion of the workstations in our main site are
being authenticated by the 1 domain controller in the
remote site. We have had the high-priced boffins in to
look at it, their response has been "It shouldn't be
happening, so as far as we are concerned, it isn't".

The only problem is that it is happening (hope my boss
didn't pay their bill!!)

Can anyone give me some ideas about how to go about
troubleshooting this one?
 
The Head Mushroom

-----Original Message-----
In The Head Mushroom <[email protected]> posted their
thoughts, then I offered mine

Need more info to troubleshoot this one....

What OS is AD on?

Windows 2000
Seems they're querying for the GC in the remote site and not the local Site.
Are there GCs in the local site? Yes




Are your sites defined properly with their IP subnet objects and associated
Sites?

As far as I can tell, yes

If so, are there any errors happening in the Event Viewer (post the
Event ID #s if so please)? When you created your Sites, did you move the
servers into their appropriate Site?
Sites (in fact the whole setup) was created by external
boffins. I have to assume they have done it correctly. It
looks OK to my untrained eye.


Did you delete the Default-First-Site-Name?
I have just noticed, in the DNS console, the tree goes
server\forward lookup zones\our domain name\_sites\default-
first-site-name

The default-first-site-name is pointing to the server at
the remote location. There is also a tree set up correctly
for the remote site in the _sites tree.

Is it safe to merely delete the default-first-site-name
from the _sites tree of the DNS console?
Are the SRV records present in DNS in accordance to the actual Site names
and the GC reference in your Sites?
Seem to be
Are/Is the local GC multihomed?
I don't think so (showing my lack of knowledge here!!)


Can you post:
1. ipconfig /all of 2 of your DCs in the local site
2. ipconfig /all of the DC in the remote Site
3. The AD domain name (as it shows in ADUC)

Have you run a dcdiag /v on your DCs? If not, can you do so and post that as
well?

How much did those guys charge you? (curiosity...)
We had to collect arms and legs among the staff....us poor
IT guys paid with ours ages ago!

Thanks

Gerry
Here are some articles concerning Sites and optimization:

Managing Sites:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd06.mspx

Step-by-Step Guide to Active Directory Sites and Services:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/adsites.mspx

306602 - How to Optimize the Location of a DC or GC That Resides Outside of
a Client's Site [Includes info LdapIpAddress and GcIpAddress]:
http://support.microsoft.com/?id=306602


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In
The Head Mushroom said:
Windows 2000


As far as I can tell, yes

If so, are there any errors happening in the Event Viewer
(post the
Sites (in fact the whole setup) was created by external
boffins. I have to assume they have done it correctly. It
looks OK to my untrained eye.



I have just noticed, in the DNS console, the tree goes
server\forward lookup zones\our domain name\_sites\default-
first-site-name

The default-first-site-name is pointing to the server at
the remote location. There is also a tree set up correctly
for the remote site in the _sites tree.

Is it safe to merely delete the default-first-site-name
from the _sites tree of the DNS console?

Seem to be

I don't think so (showing my lack of knowledge here!!)



We had to collect arms and legs among the staff....us poor
IT guys paid with ours ages ago!


Actually would have liked to see that info I requested. There's not enough
info to go on, sorry. This is something that needs to be remoted in to take
a closer look-see. And NO, do not delete anything in the SRVs. They can be
re-created, but just leave them be. I'm talking about what's in Sites and
Services.

And it's strange that the Default-First-Site-Name is the remote site? Now
pray tell, why would that be, if your location is the first one created and
the central site. What's your corp office site called? Maybe that may be the
issue if the IP subnet objects associated with the Sites are reversed so
therefore, the clients would think that the remote site is THEIR site.

And I usually ask for your first born for my services, that's all!
-just kidding...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
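
The reversed subnet-to-site association raised in the reply above, as an added example that is not part of the original thread: a client's site comes from the subnet object that contains its IP address (the most specific match wins), so swapped subnet objects make main-office workstations look for a DC in the remote site. The sketch goes one step beyond the reply by also flagging addresses that no subnet object covers, since those clients get no site at all. Site names, IP ranges and host names are constructed placeholders.

```python
import ipaddress

# Constructed sample data: subnet objects as they might be listed in
# AD Sites and Services. Site names and ranges are hypothetical.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Remote-Site",  # main-office range bound to the wrong site
    "10.2.0.0/24": "Main-Site",    # remote-office range bound to the wrong site
}

# Constructed inventory: (host, IP, site the machine physically sits in).
WORKSTATIONS = [
    ("ws-main-01", "10.1.4.20", "Main-Site"),
    ("ws-main-02", "10.1.9.77", "Main-Site"),
    ("ws-remote-01", "10.2.0.15", "Remote-Site"),
    ("ws-main-03", "10.3.0.8", "Main-Site"),  # no subnet object covers it
]


def site_for_ip(ip, subnet_to_site):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def audit(workstations, subnet_to_site):
    """List hosts whose mapped site is missing or differs from their location."""
    findings = []
    for name, ip, physical_site in workstations:
        mapped = site_for_ip(ip, subnet_to_site)
        if mapped is None:
            findings.append((name, ip, "NO_SUBNET", None))
        elif mapped != physical_site:
            findings.append((name, ip, "WRONG_SITE", mapped))
    return findings


if __name__ == "__main__":
    for name, ip, problem, mapped in audit(WORKSTATIONS, SUBNET_TO_SITE):
        print(f"{name} {ip}: {problem} mapped_site={mapped}")
```
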
 
The Head Mushroom

Hi Ace,

I am a little concerned about publishing the intimate
details of my servers in such a public forum. This is the
first time I have used the email address 'theheadmushroom@
etc', and already I have received about half-a-dozen
viruses to that email address. Obviously someone is
harvesting email addresses from this forum, god knows what
they would do if they got their hands on server names and
IP numbers.

Can I email the details to you?

regards

Gerry
 
Ace Fekay [MVP]

In
The Head Mushroom said:
Hi Ace,

I am a little concerned about publishing the intimate
details of my servers in such a public forum. This is the
first time I have used the email address 'theheadmushroom@
etc', and already I have received about half-a-dozen
viruses to that email address. Obviously someone is
harvesting email addresses from this forum, god knows what
they would do if they got their hands on server names and
IP numbers.

Can I email the details to you?

regards

Gerry


Sure, email me to my email address. Just substitute my actual first and last
name in front of hotmail dot com.

Yes, many folks/companies/rats/knuckleheads/buttheads/etc, harvest email
addresses here. It's a goldmine, but that's why it's wise to munge your
email, such as I and many others do here as well, so the best they get is a
small portion of actual addresses from the ones that don't munge and they
have to weed thru them and eliminate them thru just trying to send and if
bounces back, they delete them.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
