Force Active Directory Users and Computers to use a specific DC?
Our Active Directory Management is outsourced to India. I handle the day to day duties for one of the offices here in the US. Every time I open up Active Directory Users and Computers it always selects a different domain controller.

Is there a way to force it to select a specific domain controller instead of a random one each time? Is there a way to always make it open up the same OU as well?

What does it matter? ADUC should open a DC in your site.. which would/should be local or at least the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the WAN it could make things a bit sluggish.

  BudMan said:
What does it matter? ADUC should open a DC in your site.. which would/should be local or at least the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the WAN it could make things a bit sluggish.

That is exactly what happens, it will select a domain controller on the other side of the country and it is horribly slow.

I think we overpay for the Active Directory management services that we have. I will take a read and see what I can do to get it configured properly.

Thanks for the help!

  Frank said:
I think we overpay for the Active Directory management services that we have.
If not even sites have been configured correctly -- then yeah more than likely you're being robbed ;)

Here is some other good info for you on AD sites.

http://technet.microsoft.com/en-us/library/bb727051.aspx

Active Directory Operations Guide

Managing Sites

Sites are used in Active Directory to:

* Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Best practices for Active Directory Sites and Services

Create a new empty management console (start | run | mmc) and add the ADUC snap-in, point it at your specific server and save the console.

If you open up the ADUC using your saved file instead of the one located in administrative tools then it should save your settings and point to your desired server.

AFAIK you can't edit the one from administrative tools and then make it save the settings.

That really is beside the point -- it should not matter what DC he hits, since ADUC should hit the closest DC to him - if sites were configured correctly.. It should not be picking a DC across the country -- it should be picking the one closest to him and with the best bandwidth, that is if sites has been configured.

Setting up something to go to a specific DC is not fixing the underlying problem, it's like putting a band-aid on a gaping head wound.

  • 4 weeks later...

I have brought this up to management.

I also noticed that "Microsoft-DS" used over 20% of our network traffic yesterday (2.7217 Gbytes) according to SolarWinds NetFlow. I checked to see what domain controller my machine is logging into and it is logging into one in New York (I am in Colorado). Is this amount of traffic on the Microsoft-DS service unusually high because we are hitting any random domain controller to log into or is this normal?

Microsoft-DS is the name for port TCP 445, or SMB.

Here is a good breakdown of all the ports AD could/would use etc.

http://support.microsoft.com/default.aspx?...kb;en-us;832017

Scroll to near the bottom for a summary.

445 TCP SMB Fax Service
445 TCP SMB Print Spooler
445 TCP SMB Server
445 TCP SMB Remote Procedure Call Locator
445 TCP SMB Distributed File System
445 TCP SMB License Logging Service
445 TCP SMB Net Logon

Is that just your WAN traffic, or local network traffic? Most of your login traffic should all be to your LOCAL DC.. Sure if all your users are hitting one across your WAN -- yup your WAN traffic is going to go up ;)

Here is some more info on that port

http://support.microsoft.com/kb/q204279/

Direct hosting of SMB over TCP/IP

Since this port would be used for file copies as well.. Not sure on your layout -- but if your users access lots of files across your WAN - it would be on this port as well.. So that could account for the large % of your traffic.

If you have an AD structure that spans a large WAN network, you REALLY need to make sure sites are set up for the different locations' IP space.. Or yes you can have lots of issues.. I find it hard to believe the closest DC to you is in NY if you're in Colo.

Edited by BudMan

There is almost no file sharing between sites. We have our own file server here so that shouldn't be the issue. We also have a local domain controller so it should be connecting to that one and not NY.

I hope they get this resolved soon.

That's exactly what it sounds like to me as well. We're having the same issue (one of the reasons I was hired) at my new job. The users will authenticate to random DCs on the network and all of their DCs across 2 states are all in the same Default-First-Site. Luckily for me every location/site has already had their IP and subnetting done properly so I just have to put everything in its proper place and organize the site links and replication traffic. That's exactly what it sounds like you need to get done.

You can open up a DOS prompt on your machine and type "set" and hit enter. Look for the entry for "Logonserver" and see what it is. Then you'll know which DC you hit when authenticating. It's a pretty good sign of sites needing to be configured and getting your specific location or subnet linked with your specific DNS server.

Edited by CreightonB
  • 3 months later...

I FINALLY got a hold of someone that didn't ignore me when I sent the request. They asked for more information and I sent them the following email with screenshots.

  me said:
Hello,

I have attached a screenshot of the "Logon Server" of the machine I am currently using (logonserver.png). I have also attached a screenshot of another machine with ADUC open as well as the SET command run so you can see another example (aducandset.png). If I run the "SET" command from 20 machines running at our location I might find one out of the 20 that actually used our DC to authenticate.

Let me know if you need any more info.

Thanks,

Frank

Then I get this response.

  them said:
Hi Frank,

This is actually not a problem as in a domain, till the time we specifically mention, the client machines will randomly get authenticated from any domain controller. There is an option to stop this happening by specifying a site specific DC in the sites and services so that the clients get authenticated from only one DC, however this is not recommended as if that DC goes down for some reason, the clients of that particular site won't be able to logon to the domain.

Let us know if you have any other query.

Thanks and Regards,

Is this true? If they set up sites to point to our local DC by default and our local DC goes down we are basically dead in the water?

I find this hard to believe. If this was the case why would they send a DC to the local site? Why not house all of the DCs at the main datacenter?

Whoever wrote that is an IDIOT!

Setting your site subnet does not lock you to those DC(s)..

http://support.microsoft.com/kb/314861

How Domain Controllers Are Located in Windows XP

http://searchwinit.techtarget.com/tip/0,28...1283750,00.html

How the DC locator works in Active Directory

In a domain with multiple domain controllers and sites, it is important for clients to use a local DC in their site if possible. Client "site awareness" is a process that allows a client to identify a DC in the client's site for efficiency. This is accomplished by the DNS server returning a list of DCs in the client's domain, with those in the client's site at the top of the list. If there are no DCs available from that site, a DC in another site will be returned.

Client site awareness ultimately depends on the administrator mapping sites to subnets using the Sites and Services snap-in. If this is not done -- or not done correctly -- it can cause clients to go to remote sites for authentication or LDAP queries and so on.

Please have this MORON point out where MS states not to setup Sites and Services! :rolleyes:

http://technet.microsoft.com/en-us/library/bb727085.aspx

Best Practice Active Directory Design for Managing Windows Networks

Creating a Site Topology

The definition of a site is a set of well-connected (LAN speeds or greater) IP subnets. To create the site topology, identify areas of high connectivity as sites and the WAN connections between them as site links. Once you create sites and site links, Active Directory automatically generates a replication topology between domain controllers. By defining sites according to your LAN/WAN topology, you can ensure a replication topology that avoids WAN connections unless intersite communication is required.

The Role of Site Topology in Windows Network Designs

Active Directory sites are a collection of IP subnets constituting a LAN and connected by site links. Active Directory uses sites to:

Optimize replication between domain controllers.

Locate the closest domain controller for client logon and directory searches.

Client Affinity

Active Directory clients locate domain controllers according to their site affiliation. A client locates a domain controller within the same site whenever possible. By finding a domain controller in the same site, the client avoids communications over WAN links.

***

I really feel sorry for you having to deal with people that do not even seem to know the basics of AD design!! You need to correctly set up your sites or you're going to have a Nightmare of a time!!

***

Good Luck!!! Sure sounds like you're going to need it!

Ok -- I took the time to dig up an exact example of what they are talking about.. i.e. the DCs in your site all being down!

Here is what he stated about setting up sites with the correct IP ranges assigned.

"however this is not recommended as if that DC goes down for some reason, the clients of that particular site won't be able to logon to the domain."

Again this is just pure utter nonsense.. And just drives me crazy that people that have such a complete and utter lack of even the basics of how AD works are upper tech support???

This is taken from this book;

http://www.oreilly.com/catalog/actdir3/

Active Directory, Third Edition

Design and Deployment of Microsoft's Active Directory

The scans are not the best -- but it clearly goes over an exact example he states is the reason it's recommended not to set up sites if a DC is down :rolleyes:

[three scanned book pages were attached here]

Maybe you should suggest the people that manage your AD at least browse thru it, or a book like it ;)

Again good luck... Must suck to work at a place where people that control the AD are complete morons!!

What a horror story, you should have someone else manage your IT needs. Not someone in INDIA. I know this is a vague statement and you know this already but I read all these posts and BudMan's right on target with this one.

WOW you've got some trash to go thru.

  • 3 weeks later...

Well, we finally got the issue resolved, and of course I had to show them the exact problem before they got it fixed.

I got some of our upper management involved and then I got another response from the same person that told me that Sites and Services should not be setup or our users wouldn't be able to login. She now tells me that Sites and Services is setup correctly (which I found out later it partially was) and the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's.

I started to dig into Sites & Services after I read up a little bit on configuration and I saw our site configured and only ONE of our subnets configured. When they started the center here they only had 10.15.91.x but since we have grown to over 700 PCs we now use 10.15.88.x - 10.15.91.x. The network team (also contracted to the same company, but it is a different group) failed to notify the Windows Management team that we added these network subnets over time.

I guess what really bothers me is not the fact that this slipped through the cracks but rather the crap they put me through with the BS answers and the fact that I had to figure the issue out myself after they kept giving me different answers.

The good news is we are switching management companies for our network and AD/Exchange management to a US based company before the end of the year.

"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is the person that at first told you sites and services should not be set up? Then changed their story that it was set up and you need to fix your DC -- like what? Or what patch would you install on the PCs?

If your network range is 88-91 and S&S has only 91 -- then no it's not set up correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take it your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... It's been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other than have to fight with the management company on how to set up the network correctly? ;)

I would agree with BudMan in bringing everything in-house, at least it sounds like you could manage it well enough Frank, especially after all this you had to go through.

Definitely an interesting read though from Budman.

Nice one on getting this sorted. (Y)

  BudMan said:
"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is the person that at first told you sites and services should not be set up? Then changed their story that it was set up and you need to fix your DC -- like what? Or what patch would you install on the PCs?

Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

  AD Management Company said:
Hi Frank,

I would like to apologize for a late reply as for the past few weeks we were working on some critical issues. As per your query, I tried to research on the same and came up with the following resolution:

The Active Directory sites in our environment have no configuration problem, you can check the same in the screenshot. So as per that the clients should go to the site specific DC, however in some cases this does not happen as the DC locator in clients caches the information of a single domain controller and the client will keep on going to the same DC till the time the information is updated by the client's DC locator, which is the netlogon service.

Please go through the following Microsoft Knowledge base article which talks about the same.

www.support.micorosoft.com/kb/939252

We can either use the hotfix specified in the article or try restarting the problem box to see if it is able to locate the correct DC

Let me know your thoughts about the same and revert back in case of any further query.

Thanks and Regards,

  BudMan said:
If your network range is 88-91 and S&S has only 91 -- then no it's not set up correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take it your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... It's been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other than have to fight with the management company on how to set up the network correctly ;)

I am still waiting on the AD Management Team to make the change. I have however contacted the Network Management Team requesting a list of IPs in use for all of the other centers so we can get S&S configured properly across the board. Right now they only have about 20 subnets listed and from my calculations there should be close to 30 subnets for the company.

On outsourcing our Network/Windows management I have thought the same thing since I started this job. It is one of the main hurdles I deal with every day when I need to get either the Network or Windows management team involved to resolve an issue. I have spoken to many people about it and it seems like the company who invested the majority of the funds into my company basically said IT had to be outsourced, end of story. Not something that I agree with but I have learned to deal with it. I am however very happy that they will be switching to a US based support company to replace the current company (India based) that we are using now.

  Frank said:
Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

I don't see why the problem in the KB would change anything. It specifically states that the cache is built when the client is restarted.

"The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller. "

Any caching of an incorrect DC would therefore be cleared after a reboot. If the AD sites and services are OK, they are going to pick up the correct DC at this point.
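The thread's three technical points (site awareness depends on subnet-to-site mapping, an unmapped subnet such as 10.15.88.x makes the client pick any DC in the domain, and the single-DC locator cache quoted from KB 939252 sticks until the DC stops responding or the client restarts) can be modelled in a few lines. This is an added illustration, not code from the thread or from Microsoft; the site names, DC names and the New York and Texas subnets are constructed, and the ordering rule is a simplification of the real DNS SRV-based locator.

```python
import ipaddress
import random

# Constructed Sites and Services data modelled on the thread: the Colorado
# office uses 10.15.88.0/24 - 10.15.91.0/24, but only 10.15.91.0/24 was ever
# registered. Site, DC and non-Colorado subnet values are made up.
SUBNETS_BEFORE = {
    "10.15.91.0/24": "Colorado",
    "10.20.0.0/16": "New-York",
    "10.30.0.0/16": "Texas",
}
SUBNETS_AFTER = dict(SUBNETS_BEFORE, **{
    "10.15.88.0/24": "Colorado",
    "10.15.89.0/24": "Colorado",
    "10.15.90.0/24": "Colorado",
})
DC_SITE = {"CO-DC01": "Colorado", "NY-DC01": "New-York",
           "NY-DC02": "New-York", "TX-DC01": "Texas"}


def site_for_client(ip, subnet_to_site):
    """Longest-prefix match of the client address against registered subnets.
    Returns None when nothing covers the address: the client then has no site
    and every DC in the domain looks equally good to it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def order_dcs(client_site, dc_site, available, rng):
    """Candidate order the way site awareness works: reachable DCs in the
    client's site first, then reachable DCs from every other site. A dead
    in-site DC just drops the client to the next tier; it never blocks logon."""
    in_site = [dc for dc in dc_site if dc in available and dc_site[dc] == client_site]
    elsewhere = [dc for dc in dc_site if dc in available and dc_site[dc] != client_site]
    rng.shuffle(in_site)
    rng.shuffle(elsewhere)
    return in_site + elsewhere


def locate_dc(ip, subnet_to_site, dc_site, available, seed=None):
    """One locator lookup: find the client's site, then the first usable DC."""
    site = site_for_client(ip, subnet_to_site)
    ordered = order_dcs(site, dc_site, available, random.Random(seed))
    return ordered[0] if ordered else None


def unmapped_subnets(office_subnets, subnet_to_site):
    """Audit helper: office subnets that no Sites and Services subnet covers.
    This is the gap the thread found (88, 89 and 90 missing)."""
    registered = [ipaddress.ip_network(c) for c in subnet_to_site]
    return [s for s in office_subnets
            if not any(ipaddress.ip_network(s).subnet_of(net) for net in registered)]


class ClientLocatorCache:
    """Single-DC cache of the XP/2003 locator as quoted from KB 939252: the
    cached DC is reused until it stops responding or the client restarts,
    even if the subnet was mapped to a site in the meantime."""

    def __init__(self, ip, dc_site, seed=None):
        self.ip = ip
        self.dc_site = dc_site
        self.seed = seed
        self._cached = None

    def dc(self, subnet_to_site, available):
        if self._cached in available:
            return self._cached  # sticky: no new lookup while the old DC answers
        self._cached = locate_dc(self.ip, subnet_to_site, self.dc_site,
                                 available, self.seed)
        return self._cached

    def restart(self):
        """Reboot clears the cache, so the next lookup honours the fixed mapping."""
        self._cached = None
```

Running `locate_dc("10.15.88.20", SUBNETS_BEFORE, ...)` over a few seeds shows the "random DC across the country" behaviour, while the same address against `SUBNETS_AFTER` always lands on the Colorado DC and still falls back to another site when that DC is unavailable.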
