Force Active Directory Users and Computers to use a specific DC?

[Frank]

Our Active Directory Management is outsourced to India. I handle the day to day duties for one of the offices here in the US. Everytime I open up Active Directory Users and Computers it always selects a different domain controller.

Is there a way to force it to select a specific domain controller instead of a random one each time? Is there a way to always make it open up the same OU as well?

[itsnotabigtruck]

IIRC if you right-click the root node there's an option to select a DC.

[Frank]

  memodude said:

IIRC if you right-click the root node there's an option to select a DC.

Correct but everytime I open up the snap in it chooses another random DC. It doesn't remember my setting.

[+BudMan MVC]

What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

[Frank]

  BudMan said:

What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

That is exactly what happens, it will select a domain controller on the other side of the country and it is horribly slow.

I think we overpay for the Active Directory management services that we have. I will take a read and see what I can do to get it configured properly.

Thanks for the help!

[+BudMan MVC]

  Frank said:

I think we overpay for the Active Directory management services that we have.

If not even sites have been configured correctly -- then yeah more than likely your being robbed ;)

Here is some other good info for you an AD sites.

http://technet.microsoft.com/en-us/library/bb727051.aspx

Active Directory Operations Guide

Managing Sites

Sites are used in Active Directory to:

* Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Best practices for Active Directory Sites and Services

[swift_gti]

Create a new empty management console (start | run | mmc) and add the ADUC snap- in, point it at your specific server and save the console.

If you open up the ADUC using your saved file instead of the one located in administrative tools then it should save your settings and point to your desired server.

Afaik you can't edit the one from administrative tools and then make it save the settings.

[+BudMan MVC]

That really is besides the point -- it should not matter what DC he hits, since ADUC should hit the closest DC to him - if sites were configured correctly.. It should not be picking a DC across the country -- it should be picking the one closest to him an with the best bandwidth, that is if sites has been configured.

Setting up something to go to a specific DC is not fixing the underlaying problem, its like putting a bandaid on gapping head wound.

[Frank]

I have brought this up to management.

I also noticed that "Microsoft-DS" used over 20% of our network traffic yesterday (2.7217 Gbytes) according to SolarWinds NetFlow. I checked to see what domain controller my machine is logging into and it is logging into one in New York (I am in Colorado). Is this amount of traffic on the Microsoft-DS service unusually high because we are hitting any random domain controller to log into or is this normal?

[+BudMan MVC]

Microsoft-DS is the name for port tcp 445, or SMB

Here is good breakdown off all the ports AD could/would use etc.

http://support.microsoft.com/default.aspx?...kb;en-us;832017

Scroll to near the bottom for a summary.

445 TCP SMB Fax Service

445 TCP SMB Print Spooler

445 TCP SMB Server

445 TCP SMB Remote Procedure Call Locator

445 TCP SMB Distributed File System

445 TCP SMB License Logging Service

445 TCP SMB Net Logon

Is that just your WAN traffic, or local network traffic? Most of your login traffic should all be to your LOCAL DC.. Sure if all your users are hitting one across your wan -- yup your wan traffic is going to go up ;)

Here is some more info on that port

http://support.microsoft.com/kb/q204279/

Direct hosting of SMB over TCP/IP

Since this port would be used for file copies as well.. Not sure on your layout -- but if your users access lots of files across your wan - it would be on this port as well.. So that could account for the large % of your traffic.

If you have AD structure that spans a large WAN network, you REALLY need to make sure sites are setup for the different locations IP space.. Or yes you can have lots of issues.. I find it hard to believe the closest DC to you is in NY if your Colo.

Edited January 16, 2008 by BudMan

[Frank]

There is almost no file sharing between sites. We have our own file server here so that shouldn't be the issue. We also have a local domain controller so it should be connecting to that one and not NY.

I hope they get this resolved soon.

[bobbba]

it seriously sounds like your sites config is either way out or has never been changed from the default. sorting it out would most likely fix all this.

[Guest]

Is this remote site a GC server also?

[CreightonB]

Thats exactly what it sounds like to me as well. We're having the same issue (One of the reasons I was hired) at my new job. The users will authenticate to random DC's on the network and all of their dc's across 2 states are all in the same Default-First-Site. Luckily for me every location/site has already had their ip and subnetting done properly so I just have to put everything in its proper place and organize the site links and replication traffic. Thats exactly what it sounds like to me you need to get done.

You can open up a dos prompt on your machine and type "set" and hit enter. Look for the entry for "Logonserver" and see what it is. Then you'll know which dc you hit when authenticating. Its a pretty good sign of sites needing to be configured and getting your specific location or subnet linked with your specific dns server.

Edited January 18, 2008 by CreightonB

[Frank]

I FINALLY got a hold of someone that didn't ignore me when I sent the request. They asked for more information and I sent them the following email with screenshots.

  me said:

Hello,

I have attached a screenshot of the ?Logon Server? of the machine I am currently using (logonserver.png). I have also attached a screenshot of another machine with ADUC open as well as the SET command ran so you can see another example (aducandset.png). If I run the ?SET? command from 20 machines running at the our Location I might find one out of the 20 that actually used the our DC to authenticate.

Let me know if you need any more info.

Thanks,

Frank

Then I get this response.

  them said:

Hi Frank,

This is actually not a problem as in a domain till the time we specifically mention, the client machines will randomly get authenticated from any domain controller. There is an option to stop this happening by specifying a site specific DC in the sites and services so that the clients get authenticated from only one DC, however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain.

Let us know if you have any other query.

Thanks and Regards,

Is this true? If they setup sites to point to our local DC by default and our local DC goes down we are basically dead in the water?

I find this hard to believe. If this was the case why would they send a DC to the local site? Why not house all of the DC's at the main datacenter?

[+BudMan MVC]

Whoever wrote that is an IDIOT!

Setting your site subnet does not lock you to those DC(s)..

http://support.microsoft.com/kb/314861

How Domain Controllers Are Located in Windows XP

http://searchwinit.techtarget.com/tip/0,28...1283750,00.html

How the DC locator works in Active Directory

In a domain with multiple domain controllers and sites, it is important for clients to use a local DC in their site if possible. Client "site awareness" is a process that allows a client to identify a DC in the client's site for efficiency. This is accomplished by the DNS server returning a list of DCs in the client's domain, with those in the client's site at the top of the list. If there are no DCs available from that site, a DC in another site will be returned.

Client site awareness ultimately depends on the administrator mapping sites to subnets using the Sites and Services snap-in. If this is not done -- or not done correctly -- it can cause clients to go to remote sites for authentication or LDAP queries and so on.

Please have this MORON point out where MS states not to setup Sites and Services! :rolleyes:

http://technet.microsoft.com/en-us/library/bb727085.aspx

Best Practice Active Directory Design for Managing Windows Networks

Creating a Site Topology

The definition of a site is a set of well-connected (LAN speeds or greater) IP subnets. To create the site topology, identify areas of high connectivity as sites and the WAN connections between them as site links. Once you create sites and site links, Active Directory automatically generates a replication topology between domain controllers. By defining sites according to your LAN/WAN topology, you can ensure a replication topology that avoids WAN connections unless intersite communication is required.

The Role of Site Topology in Windows Network Designs

Active directory sites are a collection of IP subnets constituting a LAN and connected by site links. Active Directory uses sites to:

Optimizes replication between domain controllers.

Locate the closest domain controller for client logon and directory searches.

Client Affinity

Active Directory clients locate domain controllers according to their site affiliation. A client locates a domain controller within the same site whenever possible. By finding a domain controller in the same site, the client avoids communications over WAN links.

***

I really feel sorry for you having to deal with people that do not even seem to know the basics of AD design!! You need to correctly setup up your sites or your going to have a Nightmare of a time!!

***

Good Luck!!! Sure sounds like your going to need it!

[+BudMan MVC]

Ok -- I took the time to dig up an exact example of what they are talking about.. Ie the DCs in your site all being down!

Here is what he stated about setting up sites with the correct IP ranges assigned.

"however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain."

Again this is just pure utter nonsense.. And just drives me crazy that people that have such a complete and utter lack of even the basics of how AD works are upper tech support???

This is taken from this book;

http://www.oreilly.com/catalog/actdir3/

Active Directory, Third Edition

Design and Deployment of Microsoft's Active Directory

The scans are not the best -- but clearly goes over an exact example he states is the reason its recommended not to setup sites if a DC is down :rolleyes:

Maybe you should suggest the people that manage your AD at least browse thru it, or a book like it ;)

Again good luck... Must suck to work at a place where people that control the AD are complete morons!!

[Prophecy]

What a horror story, You should have someone else manage your IT needs. Not Someone in INDIA. I know this is a vague statement and you know this already but I read all these posts and BudMans right on target with this one.

WOW your got some trash to go thru.

[garethevans1986]

We should start, Neowin IT Services lol

GE

[Marshalus Veteran]

Just thinking about how stupid your network guys are makes my head hurt.

[Frank]

Well, we finally got the issue resolved, and of course I had to show them the exact problem before they got it fixed.

I got some of our upper management involved and then I got another response from the same person that told me that Sites and Services should not be setup or our users wouldn't be able to login. She now tells me that Sites and Services is setup correctly (which I found out later it partially was) and the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's.

I started to dig into Sites & Services after I read up a little bit on Configuration and I saw our site configured and only ONE of our subnets configured. When they started the center here they only had 10.15.91.x but since we have grown to over 700 PC's we now use 10.15.88.x - 10.15.91.x. The network team (also contracted to the same company, but it is a different group) failed to notify the Windows Management team that we added these network subnets over time.

I guess what really bothers me is not the fact that this slipped through the cracks but rather the crap they put me through with the BS answers and the fact that I had to figure the issue out myself after they kept giving me different answers.

The good news is we are switching management companies for our network and AD/Exchange management to a US based company before the end of he year.

[+BudMan MVC]

"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly? ;)

[JMann Veteran]

I would agree with Budman in bringing everything in-house, at least it sounds like you could manage it well enough Frank especially after all this you had to go through.

Definitely an interesting read though from Budman.

Nice one on getting this sorted. (Y)

[Frank]

  BudMan said:

"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

  AD Management Company said:

Hi Frank,

I would like to apologize for a late reply as for the past few weeks we were working on some critical issues. As per your query, I tried to research on the same and came up with the following resolution:

The active directory sites in our environment has no configuration problem, you can check the same in the screenshot. So as per that the clients should go to site specific DC however in some cases this does not happen as the DC locator in clients caches the information of a single domain controller and the client will keep on going to the same DC till the time the information is updated by the client?s DC locator which is the netlogon service.

Please go through the following Microsoft Knowledge base article which talks about the same.

www.support.micorosoft.com/kb/939252

We can either use the hotfix specified in the article or try restarting the problem box to see if it is able to locate the correct DC

Let me know your thoughts about the same and revert back in case of any further query.

Thanks and Regards,

  BudMan said:

If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly;);)

I am still waiting on the AD Management Team to make the change. I have however contacted the Network Management Team requesting a list of IP's in use for all of the other centers so we can get S&S configured properly across the board. Right now they only have about 20 subnets listed and from my calculations there should be close to 30 subnets for the company.

On Outsourcing out Network/Windows management I have thought the same thing since I started this job. It is one of the main hurdles I deal with everyday when I need to get either the Network or Windows managenent team involved to resolve an issue. I have spoken to many people about it and it seems like the company who invested the majority of the funds into my company basically said IT had to be outsourced, end of story. Not something that I agree with but I have learned to deal with it. I am however very happy that they will be switching to a US based support company to replace the current company (India Based) that we are using now.

[bobbba]

  Frank said:

Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

I don't see why the problem in the KB would change anything. It specifically states that the cache is built when the client is restarted.

"The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller. "

Any caching of an incorrect DC would therefore be cleared after a reboot. If the AD sites and services are ok, they are going to pickup the correct DC at this point.