Connecting to DC in wrong site


Tim Kalligonis

We've been having an issue where random client machines connect to Domain
Controllers outside of their site.
I've only seen the issue in the site I am located in; there have not been
reports of this issue from other sites, so I'm not sure if this occurs in
those other sites or not.

I've checked the obvious - made sure all subnets that are supposed to be
associated with this site are defined in the site. Checked the remote sites
where these clients are connecting to, making sure that the subnet is not also
defined somewhere else.

Issue: Occasionally a client will take a little longer than usual to log into
their machine. If %logonserver% is checked it will show they were
authenticated to a domain controller outside of their site. It is usually a
domain controller in one of three remote sites. We have a total of 26
sites. Then when ADUC is opened it will also connect to this remote DC.

Another interesting piece of information is the fact that the site I am seeing
this occur in has the most DCs in it; it has four DCs for this particular
domain, plus the FSMO roles reside on 2 of the 4 DCs in this site.

I haven't been able to find any KB articles describing this problem. Has
anyone experienced this problem or know of KB articles describing this
issue?

Thanks,
Tim
 

Guest

Tim

Somewhere in the registry (under netlogon/parameters?) there is a key called
dynamicsitename. If this somehow picks up the wrong setting it may remain in
the registry and the value may need to be deleted.
If the client is attaching to a 'random' DC as it has failed to identify a
subnet, then a 5778 error will be logged in the system event log of the
authenticating DC (for W2K). This will allow you to determine if there is
some confusion in sites and services (in particular AD SS only checks for
uniqueness in the IP address portion of the subnet; it is possible to input
overlapping subnets). For W2K3 the 5778 errors are rolled up into another
error saying "there have been x occurrences of error 5778", or similar, with the
actual listing of affected clients in a local log file somewhere.
Hope this helps.

Gordon
 

Tim Kalligonis

I checked everything both of you have mentioned.
SRV records look good.
I checked a few machines that I have seen authenticate to remote DCs and the
registry key is set to this local site.
I checked the remote DCs for event 5778, however I am running Win 2003. Event
ID change? Not likely.

Any other ideas?
 

ptwilliams

Are you using supernetted sites?

That is, are you using a single subnet definition to capture two or three
subnets, e.g. 192.168.0.0/22 whereas the actual subnets are 192.168.0.0/24
and 192.168.1.0/24?


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 

ptwilliams

You've also not mentioned whether or not you have a GC at this site. I
trust that you have at least one GC at this site?

You may also want to consider where these machines are looking for their DNS
resolution.

Finally, although you've checked it once, and are looking again for
supernetting, re-check the subnet associations. Perhaps you've declared a
24-bit net mask for a 23-bit mask? We had these problems, and it was a
typo in one of the subnets...

I also assume that these are non-legacy clients? You often see legacy
clients going off after the PDCe <g>

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
As far as I know... No. But I'll have to look into it to verify.
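The three checks suggested in this thread (Gordon's point that event 5778 / the W2K3 roll-up log lists clients that map to no subnet, and Paul's two questions about supernetted subnets and a /24 typed where a /23 was meant) can be scripted against an export of the subnet table. The script below is an added example, not code from any poster: the subnet-to-site table and the netlogon.log excerpt are constructed for illustration, and the `NO_CLIENT_SITE` line layout is an assumption about the log format. It reports every pair of overlapping subnets, maps each logged client IP to a site by longest-prefix match (the rule the DC locator applies, so a /24 inside a /22 wins), and flags addresses no subnet covers.

```python
"""Triage AD site/subnet definitions against netlogon NO_CLIENT_SITE entries.

Added example. The subnet table and log lines are constructed; in practice the
table comes from AD Sites and Services and the lines from the DC's netlogon log.
"""
import ipaddress
import re
from collections import Counter

# Constructed subnet-to-site table (hypothetical). It deliberately contains the
# two mistakes discussed in the thread: a /22 supernet at HQ that also covers a
# /24 defined at Branch-A, and a /24 at Branch-B that was meant to be a /23.
SUBNETS = {
    "10.10.0.0/22": "HQ",
    "10.10.1.0/24": "Branch-A",
    "10.20.0.0/24": "Branch-B",   # typo: should have been /23
    "10.30.4.0/23": "Branch-C",
}

# Constructed netlogon.log excerpt; the line format is assumed, not quoted.
SAMPLE_LOG = """\
11/18 10:28:25 [MISC] CONTOSO: NO_CLIENT_SITE: CR02-EMBT30 10.20.1.17
11/18 10:28:31 [MISC] CONTOSO: NO_CLIENT_SITE: CR02-EMBT30 10.20.1.17
11/18 10:29:02 [MISC] CONTOSO: NO_CLIENT_SITE: WS-0412 10.40.9.5
11/18 10:29:40 [MISC] CONTOSO: DsGetDcName function called: client PID=1234
"""

NO_CLIENT_SITE_RE = re.compile(
    r"NO_CLIENT_SITE:\s+(?P<client>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def load_subnets(table):
    """Parse 'prefix/len' keys into network objects paired with their site.
    strict=True rejects an entry whose host bits are set, so a mistyped
    prefix fails loudly instead of silently matching a different range."""
    return [(ipaddress.ip_network(cidr, strict=True), site)
            for cidr, site in table.items()]


def find_overlaps(subnets):
    """Return every pair of subnets whose address ranges intersect."""
    hits = []
    for i, (net_a, site_a) in enumerate(subnets):
        for net_b, site_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                hits.append((str(net_a), site_a, str(net_b), site_b))
    return hits


def site_for_ip(ip, subnets):
    """Longest-prefix match: the most specific subnet decides the site.
    None means no subnet covers the address, i.e. the client is in no site."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, site) for net, site in subnets if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def parse_netlogon_log(text):
    """Return (client, ip) for each NO_CLIENT_SITE line in a log excerpt."""
    return [(m.group("client"), m.group("ip"))
            for m in NO_CLIENT_SITE_RE.finditer(text)]


def triage(log_text, subnets):
    """Count NO_CLIENT_SITE hits per client IP and attach the site the current
    subnet table maps it to (None = genuinely uncovered, a definition is missing)."""
    counts, names = Counter(), {}
    for client, ip in parse_netlogon_log(log_text):
        counts[ip] += 1
        names[ip] = client
    return {ip: {"client": names[ip], "count": n, "site": site_for_ip(ip, subnets)}
            for ip, n in counts.items()}


if __name__ == "__main__":
    nets = load_subnets(SUBNETS)
    for a, sa, b, sb in find_overlaps(nets):
        print(f"OVERLAP: {a} ({sa}) intersects {b} ({sb})")
    for ip, info in triage(SAMPLE_LOG, nets).items():
        print(f"{info['client']:12} {ip:15} x{info['count']}  site={info['site']}")
```

Run against the constructed data, the overlap check reports the /22 against the /24, and the triage shows that 10.20.1.17 is uncovered only because of the /24-for-/23 typo while 10.40.9.5 has no definition at all; a client on 10.10.2.x would resolve to HQ rather than Branch-A, which is the supernet effect Paul describes.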
 

Tim Kalligonis

Yes, this site contains 3 GCs.
The machines and DCs are looking at the same DNS servers.... QIP, not
Microsoft. DNS servers are in the same physical location as the DCs and
clients (the ones I have seen the problem on).

No supernetting that I can find.

Subnet def in this site is correct for the subnet where I have seen the
issue.

Clients are all XP. I haven't seen a case on 2000, but we really don't have
anything older than XP.
 

Jeff

Tim,

I am seeing this in our environment on occasion as well. We are running 2
W2k3 DCs at our main site. 4 Remote sites have W2K DCs and 1 remote site
has a W2k3 DC. All the DCs are Global catalogs at the remote sites and our
main site.

Once in a while a Windows XP PC at our main site will authenticate against a
remote site DC. Typically we'll see issues with the computer account when
this happens.

Have you been able to find a resolution?

Thanks,

Jeff
 

Tim Kalligonis

No, I haven't figured anything out yet. Let me know if you do.

What types of issues do you find with the computer account?
 

Jeff

We get this kind of error on the DC system log:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5723
Date: 11/18/2004
Time: 10:28:25 AM
User: N/A
Computer: AD
Description:
The session setup from computer 'CR02-EMBT30' failed because the security
database does not contain a trust account 'CR02-EMBT30$' referenced by the
specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and
account, this may be a transient issue that doesn't require any action at
this time. Otherwise, the following steps may be taken to resolve this
problem:

If 'CR02-EMBT30$' is a legitimate machine account for the computer
'CR02-EMBT30', then 'CR02-EMBT30' should be rejoined to the domain.

If 'CR02-EMBT30$' is a legitimate interdomain trust account, then the trust
should be recreated.

Otherwise, assuming that 'CR02-EMBT30$' is not a legitimate account, the
following action should be taken on 'CR02-EMBT30':

If 'CR02-EMBT30' is a Domain Controller, then the trust associated with
'CR02-EMBT30$' should be deleted.

If 'CR02-EMBT30' is not a Domain Controller, it should be disjoined from the
domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 8b 01 00 c0 ‹..À
 

ptwilliams

That error, if persistent, means the netlogon secure channel is out-of-sync
(or non-existent).

Run nltest /sc_query:domainName on this machine, and see what the outcome
is. If it fails, or gives an error, try resetting it: nltest
/sc_reset:domainName.com

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 

ptwilliams

Those are the usual things checked.

I guess it's time to get network monitor out and trace what's happening...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 