
AD Sites and Services

Status
Not open for further replies.

MTVW

IS-IT--Management
Sep 18, 2003
110
US
I have a 2K3 domain with one corp site and 40 branches. I am currently deploying new 2K3 servers to the branches, running dcpromo and setting them up as GCs. I have performed this on one branch so far and it works great. I want only clients at that branch to use that server for logging on, so I set up another site in Sites and Services, configured a subnet, and assigned the server to the site and the subnet to the site.
When I log on to my test PC at corp, it authenticates to the branch server and not my corp ones.

Did I miss a step?
 
Re-logon to your PC and check %logonserver%; it might authenticate to corp.

Actually, it doesn't hurt wherever it is authenticated; it always looks for the closest and fastest DC.

------------------------------------
Directory Services/Exchange Consultant
 
I have already done that. Used the set command... it also pulls the logon script from the branch server.

If you specify a subnet for a specific site, that should keep authentication to only the PCs in that subnet, right?
 
Technically yes; real-world, it depends. I see lots of WS being authenticated by other sites. You can't imagine, nowadays the WAN is so fast, I wonder why not make one big site. lol.

------------------------------------
Directory Services/Exchange Consultant
 
Sure, if defining subnets for each site doesn't really do anything then why set it up?
 
So, I said technically; all boxes are supposed to be authenticated in the local site.

------------------------------------
Directory Services/Exchange Consultant
 
Thanks for the info. There's always technically and real world, huh?
 
You betcha, that's Microsoft. lol.

------------------------------------
Directory Services/Exchange Consultant
 
Sites and Services and local DC logon is a common question.

By the MS book you could let the KCC take care of the links between sites for replication. What I would do is this: say you have your main HQ/corp site, with 2 DCs there. I would delete all of the KCC's automatically created links and manually create a link to each site as well as to each DC in HQ. Then on each remote site, delete all of the auto-created links and create a manual link only to the 2 DCs back in corp/HQ. Now, this works with a hub/bespoke network. The KCC auto links do not always create the best paths. If you have a remote site looking at another remote site, configure the connection to suit your topology.

If you look on each DC in c:\windows\debug\netlogon.log you will see a list of computers that have tried to log in where the system has determined that it does not know what site they belong to; it also supplies the IP address. If the subnet is not listed in Sites and Services, add it to the correct site.

I have also seen this with WINS that has been configured correctly but has not been manually added to the NIC config of the server. I know WINS in AD is not needed, but for legacy clients and NetBIOS app machines this is a vital component.
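
The netlogon.log check described in the post above, sketched in Python as an added example that is not part of the original thread. It assumes the relevant log lines end in `NO_CLIENT_SITE: <computer> <ip>`; the sample lines, the subnet-to-site mapping and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (made-up domain, hosts and addresses); the
# "NO_CLIENT_SITE: <computer> <ip>" tail is the part the parser relies on.
SAMPLE_LOG = """\
09/18 08:01:12 [LOGON] CORP: NO_CLIENT_SITE: BR07-PC01 10.7.1.25
09/18 08:01:40 [LOGON] CORP: NO_CLIENT_SITE: BR07-PC02 10.7.1.31
09/18 08:02:03 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from HQ-PC11 Returns 0x0
09/18 08:03:55 [LOGON] CORP: NO_CLIENT_SITE: BR12-PC09 10.12.0.8
09/18 08:04:10 [LOGON] CORP: NO_CLIENT_SITE: HQ-PC40 10.0.3.77
09/18 08:04:30 [LOGON] CORP: NO_CLIENT_SITE: BADHOST 10.999.0.1
"""

# Assumed subnet objects as currently defined in Sites and Services.
SITE_SUBNETS = {"10.0.0.0/22": "HQ", "10.7.0.0/24": "Branch07"}

NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)\s*$")

def parse_no_client_site(log_text):
    """Return (computer, ip_address) for each well-formed NO_CLIENT_SITE line."""
    hits = []
    for line in log_text.splitlines():
        m = NO_SITE.search(line)
        if not m:
            continue
        try:
            hits.append((m.group(1), ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # damaged line: skip rather than guess at the address
    return hits

def unmapped_subnets(log_text, site_subnets, prefix=24):
    """Count clients per candidate subnet that no defined subnet covers."""
    nets = [ipaddress.ip_network(n) for n in site_subnets]
    missing = Counter()
    for _, addr in parse_no_client_site(log_text):
        if any(addr in n for n in nets):
            continue  # covered now; the entry predates the subnet object
        candidate = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        missing[str(candidate)] += 1
    return missing.most_common()

if __name__ == "__main__":
    for net, count in unmapped_subnets(SAMPLE_LOG, SITE_SUBNETS):
        print(f"{net}: {count} client(s) with no site mapping")
```

On the constructed sample, the two 10.7.1.x clients fall outside the assumed 10.7.0.0/24 object, which is the kind of too-narrow subnet definition that leaves branch clients without a site.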

 
Actually, I have already implemented the first plan: deleting the auto-generated connections and creating new ones. I have the 2 HQ DCs replicating between each other and the branch DCs replicating from the HQ DCs only.

I am using the Default Site link though.
 
Check your DNS and make sure that the correct servers are listed for each site under _msdcs.domain.name and under sites.

Check how your clients are updating DNS.

When a client logs in, the PC looks at Sites and Services, and then from the subnet info it looks in DNS for the logon server info for that site.



 