Force Active Directory Users and Computers to use a specific DC?


Recommended Posts

Our Active Directory Management is outsourced to India. I handle the day to day duties for one of the offices here in the US. Everytime I open up Active Directory Users and Computers it always selects a different domain controller.

Is there a way to force it to select a specific domain controller instead of a random one each time? Is there a way to always make it open up the same OU as well?

What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

  BudMan said:
What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

That is exactly what happens, it will select a domain controller on the other side of the country and it is horribly slow.

I think we overpay for the Active Directory management services that we have. I will take a read and see what I can do to get it configured properly.

Thanks for the help!

  Frank said:
I think we overpay for the Active Directory management services that we have.
If not even sites have been configured correctly -- then yeah more than likely your being robbed ;)

Here is some other good info for you an AD sites.

http://technet.microsoft.com/en-us/library/bb727051.aspx

Active Directory Operations Guide

Managing Sites

Sites are used in Active Directory to:

* Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Best practices for Active Directory Sites and Services

Create a new empty management console (start | run | mmc) and add the ADUC snap- in, point it at your specific server and save the console.

If you open up the ADUC using your saved file instead of the one located in administrative tools then it should save your settings and point to your desired server.

Afaik you can't edit the one from administrative tools and then make it save the settings.

That really is besides the point -- it should not matter what DC he hits, since ADUC should hit the closest DC to him - if sites were configured correctly.. It should not be picking a DC across the country -- it should be picking the one closest to him an with the best bandwidth, that is if sites has been configured.

Setting up something to go to a specific DC is not fixing the underlaying problem, its like putting a bandaid on gapping head wound.

  • 4 weeks later...

I have brought this up to management.

I also noticed that "Microsoft-DS" used over 20% of our network traffic yesterday (2.7217 Gbytes) according to SolarWinds NetFlow. I checked to see what domain controller my machine is logging into and it is logging into one in New York (I am in Colorado). Is this amount of traffic on the Microsoft-DS service unusually high because we are hitting any random domain controller to log into or is this normal?

Microsoft-DS is the name for port tcp 445, or SMB

Here is good breakdown off all the ports AD could/would use etc.

http://support.microsoft.com/default.aspx?...kb;en-us;832017

Scroll to near the bottom for a summary.

445 TCP SMB Fax Service

445 TCP SMB Print Spooler

445 TCP SMB Server

445 TCP SMB Remote Procedure Call Locator

445 TCP SMB Distributed File System

445 TCP SMB License Logging Service

445 TCP SMB Net Logon

Is that just your WAN traffic, or local network traffic? Most of your login traffic should all be to your LOCAL DC.. Sure if all your users are hitting one across your wan -- yup your wan traffic is going to go up ;)

Here is some more info on that port

http://support.microsoft.com/kb/q204279/

Direct hosting of SMB over TCP/IP

Since this port would be used for file copies as well.. Not sure on your layout -- but if your users access lots of files across your wan - it would be on this port as well.. So that could account for the large % of your traffic.

If you have AD structure that spans a large WAN network, you REALLY need to make sure sites are setup for the different locations IP space.. Or yes you can have lots of issues.. I find it hard to believe the closest DC to you is in NY if your Colo.

Edited by BudMan

There is almost no file sharing between sites. We have our own file server here so that shouldn't be the issue. We also have a local domain controller so it should be connecting to that one and not NY.

I hope they get this resolved soon.

Thats exactly what it sounds like to me as well. We're having the same issue (One of the reasons I was hired) at my new job. The users will authenticate to random DC's on the network and all of their dc's across 2 states are all in the same Default-First-Site. Luckily for me every location/site has already had their ip and subnetting done properly so I just have to put everything in its proper place and organize the site links and replication traffic. Thats exactly what it sounds like to me you need to get done.

You can open up a dos prompt on your machine and type "set" and hit enter. Look for the entry for "Logonserver" and see what it is. Then you'll know which dc you hit when authenticating. Its a pretty good sign of sites needing to be configured and getting your specific location or subnet linked with your specific dns server.

Edited by CreightonB
  • 3 months later...

I FINALLY got a hold of someone that didn't ignore me when I sent the request. They asked for more information and I sent them the following email with screenshots.

  me said:
Hello,

I have attached a screenshot of the ?Logon Server? of the machine I am currently using (logonserver.png). I have also attached a screenshot of another machine with ADUC open as well as the SET command ran so you can see another example (aducandset.png). If I run the ?SET? command from 20 machines running at the our Location I might find one out of the 20 that actually used the our DC to authenticate.

Let me know if you need any more info.

Thanks,

Frank

Then I get this response.

  them said:
Hi Frank,

This is actually not a problem as in a domain till the time we specifically mention, the client machines will randomly get authenticated from any domain controller. There is an option to stop this happening by specifying a site specific DC in the sites and services so that the clients get authenticated from only one DC, however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain.

Let us know if you have any other query.

Thanks and Regards,

Is this true? If they setup sites to point to our local DC by default and our local DC goes down we are basically dead in the water?

I find this hard to believe. If this was the case why would they send a DC to the local site? Why not house all of the DC's at the main datacenter?

Whoever wrote that is an IDIOT!

Setting your site subnet does not lock you to those DC(s)..

http://support.microsoft.com/kb/314861

How Domain Controllers Are Located in Windows XP

http://searchwinit.techtarget.com/tip/0,28...1283750,00.html

How the DC locator works in Active Directory

In a domain with multiple domain controllers and sites, it is important for clients to use a local DC in their site if possible. Client "site awareness" is a process that allows a client to identify a DC in the client's site for efficiency. This is accomplished by the DNS server returning a list of DCs in the client's domain, with those in the client's site at the top of the list. If there are no DCs available from that site, a DC in another site will be returned.

Client site awareness ultimately depends on the administrator mapping sites to subnets using the Sites and Services snap-in. If this is not done -- or not done correctly -- it can cause clients to go to remote sites for authentication or LDAP queries and so on.

Please have this MORON point out where MS states not to setup Sites and Services! :rolleyes:

http://technet.microsoft.com/en-us/library/bb727085.aspx

Best Practice Active Directory Design for Managing Windows Networks

Creating a Site Topology

The definition of a site is a set of well-connected (LAN speeds or greater) IP subnets. To create the site topology, identify areas of high connectivity as sites and the WAN connections between them as site links. Once you create sites and site links, Active Directory automatically generates a replication topology between domain controllers. By defining sites according to your LAN/WAN topology, you can ensure a replication topology that avoids WAN connections unless intersite communication is required.

The Role of Site Topology in Windows Network Designs

Active directory sites are a collection of IP subnets constituting a LAN and connected by site links. Active Directory uses sites to:

Optimizes replication between domain controllers.

Locate the closest domain controller for client logon and directory searches.

Client Affinity

Active Directory clients locate domain controllers according to their site affiliation. A client locates a domain controller within the same site whenever possible. By finding a domain controller in the same site, the client avoids communications over WAN links.

***

I really feel sorry for you having to deal with people that do not even seem to know the basics of AD design!! You need to correctly setup up your sites or your going to have a Nightmare of a time!!

***

Good Luck!!! Sure sounds like your going to need it!

Ok -- I took the time to dig up an exact example of what they are talking about.. Ie the DCs in your site all being down!

Here is what he stated about setting up sites with the correct IP ranges assigned.

"however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain."

Again this is just pure utter nonsense.. And just drives me crazy that people that have such a complete and utter lack of even the basics of how AD works are upper tech support???

This is taken from this book;

http://www.oreilly.com/catalog/actdir3/

Active Directory, Third Edition

Design and Deployment of Microsoft's Active Directory

The scans are not the best -- but clearly goes over an exact example he states is the reason its recommended not to setup sites if a DC is down :rolleyes:

post-14624-1209571714_thumb.jpg

post-14624-1209571724_thumb.jpg

post-14624-1209571736_thumb.jpg

Maybe you should suggest the people that manage your AD at least browse thru it, or a book like it ;)

Again good luck... Must suck to work at a place where people that control the AD are complete morons!!

What a horror story, You should have someone else manage your IT needs. Not Someone in INDIA. I know this is a vague statement and you know this already but I read all these posts and BudMans right on target with this one.

WOW your got some trash to go thru.

  • 3 weeks later...
  • 3 weeks later...

Well, we finally got the issue resolved, and of course I had to show them the exact problem before they got it fixed.

I got some of our upper management involved and then I got another response from the same person that told me that Sites and Services should not be setup or our users wouldn't be able to login. She now tells me that Sites and Services is setup correctly (which I found out later it partially was) and the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's.

I started to dig into Sites & Services after I read up a little bit on Configuration and I saw our site configured and only ONE of our subnets configured. When they started the center here they only had 10.15.91.x but since we have grown to over 700 PC's we now use 10.15.88.x - 10.15.91.x. The network team (also contracted to the same company, but it is a different group) failed to notify the Windows Management team that we added these network subnets over time.

I guess what really bothers me is not the fact that this slipped through the cracks but rather the crap they put me through with the BS answers and the fact that I had to figure the issue out myself after they kept giving me different answers.

The good news is we are switching management companies for our network and AD/Exchange management to a US based company before the end of he year.

"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly? ;)

I would agree with Budman in bringing everything in-house, at least it sounds like you could manage it well enough Frank especially after all this you had to go through.

Definitely an interesting read though from Budman.

Nice one on getting this sorted. (Y)

  BudMan said:
"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

  AD Management Company said:
Hi Frank,

I would like to apologize for a late reply as for the past few weeks we were working on some critical issues. As per your query, I tried to research on the same and came up with the following resolution:

The active directory sites in our environment has no configuration problem, you can check the same in the screenshot. So as per that the clients should go to site specific DC however in some cases this does not happen as the DC locator in clients caches the information of a single domain controller and the client will keep on going to the same DC till the time the information is updated by the client?s DC locator which is the netlogon service.

Please go through the following Microsoft Knowledge base article which talks about the same.

www.support.micorosoft.com/kb/939252

We can either use the hotfix specified in the article or try restarting the problem box to see if it is able to locate the correct DC

Let me know your thoughts about the same and revert back in case of any further query.

Thanks and Regards,

  BudMan said:
If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly;);)

I am still waiting on the AD Management Team to make the change. I have however contacted the Network Management Team requesting a list of IP's in use for all of the other centers so we can get S&S configured properly across the board. Right now they only have about 20 subnets listed and from my calculations there should be close to 30 subnets for the company.

On Outsourcing out Network/Windows management I have thought the same thing since I started this job. It is one of the main hurdles I deal with everyday when I need to get either the Network or Windows managenent team involved to resolve an issue. I have spoken to many people about it and it seems like the company who invested the majority of the funds into my company basically said IT had to be outsourced, end of story. Not something that I agree with but I have learned to deal with it. I am however very happy that they will be switching to a US based support company to replace the current company (India Based) that we are using now.

  Frank said:
Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

I don't see why the problem in the KB would change anything. It specifically states that the cache is built when the client is restarted.

"The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller. "

Any caching of an incorrect DC would therefore be cleared after a reboot. If the AD sites and services are ok, they are going to pickup the correct DC at this point.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Intel vs AMD? Microsoft seemingly has a clear recommendation for Windows 11 Pro PC upgrade by Sayan Sen Microsoft and its partners are now quite actively and regularly promoting the upgrade to Windows 11. Asus, for example, recently published blog posts about the "mandatory Windows 11 upgrade" that is coming as the Windows 11 end of support date nears. Microsoft itself, from time to time, urges users to upgrade to its newest OS. Back in February 2024, Microsoft released an advert highlighting the best things about Windows 11 over Windows 10. Later, in June in the same year, the tech giant busted "myths and misconceptions" surrounding a Windows 11 upgrade. And towards the end of 2024, in December, Microsoft put up a blog post outlining the gaming features a user enjoys on 11 if they were to upgrade from Windows 10. While technically there is nothing wrong with a company promoting its own product, sometimes these campaigns make little sense and they fall flat. For example, in January earlier this year, Microsoft shared a blog post headlined "Free Upgrade to Windows 11 (For a Limited Time Only)" which did not make sense as it offered little information about it being a "free upgrade," and it was rightfully, later taken down. The company is back again with a new commercial about Windows 11. This time it is aimed mainly at IT professionals and enterprises as the advert talks about upgrading to Windows 11 Pro from Windows 10. This landed a few days after Microsoft released a new backup tool for organizations for such a purpose. What is interesting is that the company is promoting Intel's vPro processors and there is no mention of AMD's Ryzen PRO parts. The commercial is posted on the Windows official YouTube channel and has been titled "Right side of risk | Windows 11 Pro and Intel". The video description says, "Windows 10 support ends October 14. Stay on the right side of risk—upgrade now to the power of Windows 11 Pro PCs with Intel vPro®." AMD does have a support article about the subject headlined "Support Your Customers’ Move to Windows 11, With AMD Ryzen™ PRO Processors" and you can find it here. This is not the first time Microsoft has promoted Intel CPUs over AMD ones. Back in 2021, the company also put up a full page explaining how users should "look for the Intel EVO badge" on a new device before making a purchase decision because such PCs are "verified wonderful" which was a bit of an odd language. Like the limited upgrade time article, the page above was taken down after we reported on it (can be viewed via the archive) and replaced with something else. The new commercial was published about a couple of days ago, and it is possible that Microsoft may have a dedicated AMD advert too in the pipeline scheduled for a later release, and that would only be fair if both companies get a similar treatment.
    • Don’t blame web developers for the downfall of Firefox. 😂
    • Microsoft, Indian police bust AI-powered tech support scam ring targeting elderly in Japan by Paul Hill Pop-up scams pretending to be Microsoft Working with India’s Central Bureau of Investigation (CBI), Microsoft recently assisted in busting a scam network that was targeting the elderly in Japan. The CBI raided 19 locations on May 28, leading to the arrest of six key operatives and the taking down of two call centers. The scammers were impersonating Microsoft specifically and using tech support scams against Japanese seniors. The raid led to the seizure of both digital and physical infrastructure, including computers, storage devices, and phones. The scammers were targeting older adults, who are more vulnerable to fraud. To put this activity to an end, Microsoft’s Digital Crimes Unit (DCU), the Japan Cybercrime Control Center (JC3), Japan’s National Police Agency (NPA), and India’s CBI conducted significant cross-border collaboration to trace the criminals. Thanks to the internet, cross-border crimes like these have been around for a while and multinational tech firms like Microsoft are making significant efforts to help law enforcement agencies crack down on cybercrime. Artificial intelligence is also starting to be used to make more sophisticated scams. The evolving threat This case reveals an evolution in how Microsoft’s DCU addresses cybercrime involving tech support fraud. Thanks to AI, scammers have been able to scale their operations. In response, Microsoft has moved away from focusing on individual call centers to target the heads of criminal operations and disrupting their technical infrastructure. Notably, Microsoft’s collaboration with JC3 is the first time the DCU has partnered with a Japan-based organization to assist victims. Microsoft is continually getting tips from JC3 about malicious pop-ups urging recipients to call fake technical support lines that claim to be Microsoft. This data has allowed Microsoft to shut down 66,000 malicious domains and URLs globally since May 2024. Microsoft noted that artificial intelligence is now being used by criminals to scale their operations. Some ways in which these entities leverage AI are for victim identification, writing convincing scam emails and building fake web pages, as well as for convincing translations. Anyone can use AI for malicious purposes so it could increase the number of people or groups carrying out attacks. It also makes attacks much more sophisticated and harder to detect and necessitates better consumer protections and more sophisticated security tools such as passkeys to reduce hacks. Protecting vulnerable populations and what readers can do Tech support fraud attacks have been found by the FBI to disproportionately affect older people, resulting in $590 million in losses in 2023 for just older Americans alone. In this operation that targeted Japanese victims, around 90% of the 200 affected people were over 50. If you’ve ever received suspicious communications from a party claiming to be Microsoft, you should know that Microsoft never sends unsolicited emails or makes phone calls requesting personal or financial information, and it doesn’t offer unsolicited tech support. If you do get any suspicious communications, then you should report it to Microsoft so that it can take action.
  • Recent Achievements

    • Week One Done
      luxoxfurniture earned a badge
      Week One Done
    • First Post
      Uranus_enjoyer earned a badge
      First Post
    • Week One Done
      Uranus_enjoyer earned a badge
      Week One Done
    • Week One Done
      jfam earned a badge
      Week One Done
    • First Post
      survivor303 earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      433
    2. 2
      +FloatingFatMan
      239
    3. 3
      snowy owl
      213
    4. 4
      ATLien_0
      211
    5. 5
      Xenon
      157
  • Tell a friend

    Love Neowin? Tell a friend!