Authentication and software deployment over WAN

Status
Not open for further replies.

Loki1973

Technical User
Feb 3, 2005
106
EU
Hello all,

I have this stupid thing going on. A lot of my clients connect outside of the site for both their authentication and software policy although I have sites defined.

I have five sites for which I have subnets defined. Those are correct. I moved the domain controllers for each site into their respective containers. I've run the KCC to rearrange the site connections.

All domain controllers for the sites other than the default are prestaged in a separate staging site (for file replication and such) and then moved to their physical site. Just before shipping them I moved the server to the new site in Sites&Services and changed IP.

When the machines were put into place (one at a time) I configured the following:

* IPCONFIG /RegisterDNS
* Rebuilt the Site Connectors using KCC in dssite.msc

Am I missing something? Why do clients keep authenticating over the site links when a domain controller is local?

Any help would be appreciated.
 
How have you configured your site links?

Aftertaf
________
I reserve the right to be wrong, be confused, be suffering because it is monday, or because it is nearly the weekend.
 
well put!

forgot about that!!!


Aftertaf
________
I reserve the right to be wrong, be confused, be suffering because it is monday, or because it is nearly the weekend.
 
Thanks for the replies so far. Too bad they haven't been the solution. ;-(

I've checked the GC settings. All domain controllers in the remote sites are GCs.

We had previously set up site costing for DFS, but we've disabled it now. It doesn't help.

We checked the settings on a client in a remote site and did a dfsutil /pktflush and still it seems to select a random DFS target that's NOT in the site.

The "remote sites" have only one target per site and the DFS targets are on the domain controller in that site.

Any more help would be greatly appreciated!
 
Sooo..... your question isn't really concerning authentication over a WAN, it really has to do with DFS (choosing the closest replica).

I had a problem similar to the one you describe. The only solution I was able to find was to make a Root replica in every site. It seems that without the DFS root replicas, my clients would randomly connect to a DFS replica link (all but my clients that existed in the same site as my DFS root. These clients always picked the local share...)

The only way I could solve the problem was by creating root replicas in my other sites. This immediately solved my problem. Of course, this was in Windows 2000...but maybe the solution will work for you in Windows 2003.

-later

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
Jpoandl,

You're right. It had more to do with the software deployment. We've discovered that users are connecting all over the enterprise.

We even removed all replication connectors in Sites&Services and let the topology checker recreate them, but this doesn't fix the problem either.

We are using domain roots with replica links and also domain root replicas. There is no difference in behaviour.

I'm really puzzled.
 