Force Active Directory Users and Computers to use a specific DC?


Recommended Posts

Our Active Directory Management is outsourced to India. I handle the day to day duties for one of the offices here in the US. Everytime I open up Active Directory Users and Computers it always selects a different domain controller.

Is there a way to force it to select a specific domain controller instead of a random one each time? Is there a way to always make it open up the same OU as well?

What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

  BudMan said:
What does it matter? ADUC should open a DC in your site.. which would/should be local or atleast the DC with the best bandwidth to you, etc.

Has sites not been configured?

http://www.microsoft.com/technet/prodtechn...step/adsrv.mspx

Step-by-Step Guide to Active Directory Sites and Services

But yeah if you have not correctly configured your sites, then yeah you could pick any random DC in your domain -- if you pick one across the wan could make things a bit sluggish.

That is exactly what happens, it will select a domain controller on the other side of the country and it is horribly slow.

I think we overpay for the Active Directory management services that we have. I will take a read and see what I can do to get it configured properly.

Thanks for the help!

  Frank said:
I think we overpay for the Active Directory management services that we have.
If not even sites have been configured correctly -- then yeah more than likely your being robbed ;)

Here is some other good info for you an AD sites.

http://technet.microsoft.com/en-us/library/bb727051.aspx

Active Directory Operations Guide

Managing Sites

Sites are used in Active Directory to:

* Enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links.

http://technet2.microsoft.com/windowsserve...3.mspx?mfr=true

Best practices for Active Directory Sites and Services

Create a new empty management console (start | run | mmc) and add the ADUC snap- in, point it at your specific server and save the console.

If you open up the ADUC using your saved file instead of the one located in administrative tools then it should save your settings and point to your desired server.

Afaik you can't edit the one from administrative tools and then make it save the settings.

That really is besides the point -- it should not matter what DC he hits, since ADUC should hit the closest DC to him - if sites were configured correctly.. It should not be picking a DC across the country -- it should be picking the one closest to him an with the best bandwidth, that is if sites has been configured.

Setting up something to go to a specific DC is not fixing the underlaying problem, its like putting a bandaid on gapping head wound.

  • 4 weeks later...

I have brought this up to management.

I also noticed that "Microsoft-DS" used over 20% of our network traffic yesterday (2.7217 Gbytes) according to SolarWinds NetFlow. I checked to see what domain controller my machine is logging into and it is logging into one in New York (I am in Colorado). Is this amount of traffic on the Microsoft-DS service unusually high because we are hitting any random domain controller to log into or is this normal?

Microsoft-DS is the name for port tcp 445, or SMB

Here is good breakdown off all the ports AD could/would use etc.

http://support.microsoft.com/default.aspx?...kb;en-us;832017

Scroll to near the bottom for a summary.

445 TCP SMB Fax Service

445 TCP SMB Print Spooler

445 TCP SMB Server

445 TCP SMB Remote Procedure Call Locator

445 TCP SMB Distributed File System

445 TCP SMB License Logging Service

445 TCP SMB Net Logon

Is that just your WAN traffic, or local network traffic? Most of your login traffic should all be to your LOCAL DC.. Sure if all your users are hitting one across your wan -- yup your wan traffic is going to go up ;)

Here is some more info on that port

http://support.microsoft.com/kb/q204279/

Direct hosting of SMB over TCP/IP

Since this port would be used for file copies as well.. Not sure on your layout -- but if your users access lots of files across your wan - it would be on this port as well.. So that could account for the large % of your traffic.

If you have AD structure that spans a large WAN network, you REALLY need to make sure sites are setup for the different locations IP space.. Or yes you can have lots of issues.. I find it hard to believe the closest DC to you is in NY if your Colo.

Edited by BudMan

There is almost no file sharing between sites. We have our own file server here so that shouldn't be the issue. We also have a local domain controller so it should be connecting to that one and not NY.

I hope they get this resolved soon.

Thats exactly what it sounds like to me as well. We're having the same issue (One of the reasons I was hired) at my new job. The users will authenticate to random DC's on the network and all of their dc's across 2 states are all in the same Default-First-Site. Luckily for me every location/site has already had their ip and subnetting done properly so I just have to put everything in its proper place and organize the site links and replication traffic. Thats exactly what it sounds like to me you need to get done.

You can open up a dos prompt on your machine and type "set" and hit enter. Look for the entry for "Logonserver" and see what it is. Then you'll know which dc you hit when authenticating. Its a pretty good sign of sites needing to be configured and getting your specific location or subnet linked with your specific dns server.

Edited by CreightonB
  • 3 months later...

I FINALLY got a hold of someone that didn't ignore me when I sent the request. They asked for more information and I sent them the following email with screenshots.

  me said:
Hello,

I have attached a screenshot of the ?Logon Server? of the machine I am currently using (logonserver.png). I have also attached a screenshot of another machine with ADUC open as well as the SET command ran so you can see another example (aducandset.png). If I run the ?SET? command from 20 machines running at the our Location I might find one out of the 20 that actually used the our DC to authenticate.

Let me know if you need any more info.

Thanks,

Frank

Then I get this response.

  them said:
Hi Frank,

This is actually not a problem as in a domain till the time we specifically mention, the client machines will randomly get authenticated from any domain controller. There is an option to stop this happening by specifying a site specific DC in the sites and services so that the clients get authenticated from only one DC, however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain.

Let us know if you have any other query.

Thanks and Regards,

Is this true? If they setup sites to point to our local DC by default and our local DC goes down we are basically dead in the water?

I find this hard to believe. If this was the case why would they send a DC to the local site? Why not house all of the DC's at the main datacenter?

Whoever wrote that is an IDIOT!

Setting your site subnet does not lock you to those DC(s)..

http://support.microsoft.com/kb/314861

How Domain Controllers Are Located in Windows XP

http://searchwinit.techtarget.com/tip/0,28...1283750,00.html

How the DC locator works in Active Directory

In a domain with multiple domain controllers and sites, it is important for clients to use a local DC in their site if possible. Client "site awareness" is a process that allows a client to identify a DC in the client's site for efficiency. This is accomplished by the DNS server returning a list of DCs in the client's domain, with those in the client's site at the top of the list. If there are no DCs available from that site, a DC in another site will be returned.

Client site awareness ultimately depends on the administrator mapping sites to subnets using the Sites and Services snap-in. If this is not done -- or not done correctly -- it can cause clients to go to remote sites for authentication or LDAP queries and so on.

Please have this MORON point out where MS states not to setup Sites and Services! :rolleyes:

http://technet.microsoft.com/en-us/library/bb727085.aspx

Best Practice Active Directory Design for Managing Windows Networks

Creating a Site Topology

The definition of a site is a set of well-connected (LAN speeds or greater) IP subnets. To create the site topology, identify areas of high connectivity as sites and the WAN connections between them as site links. Once you create sites and site links, Active Directory automatically generates a replication topology between domain controllers. By defining sites according to your LAN/WAN topology, you can ensure a replication topology that avoids WAN connections unless intersite communication is required.

The Role of Site Topology in Windows Network Designs

Active directory sites are a collection of IP subnets constituting a LAN and connected by site links. Active Directory uses sites to:

Optimizes replication between domain controllers.

Locate the closest domain controller for client logon and directory searches.

Client Affinity

Active Directory clients locate domain controllers according to their site affiliation. A client locates a domain controller within the same site whenever possible. By finding a domain controller in the same site, the client avoids communications over WAN links.

***

I really feel sorry for you having to deal with people that do not even seem to know the basics of AD design!! You need to correctly setup up your sites or your going to have a Nightmare of a time!!

***

Good Luck!!! Sure sounds like your going to need it!

Ok -- I took the time to dig up an exact example of what they are talking about.. Ie the DCs in your site all being down!

Here is what he stated about setting up sites with the correct IP ranges assigned.

"however this is not recommended as if that DC goes down for some reason, the clients of that particular site wont be able to logon to the domain."

Again this is just pure utter nonsense.. And just drives me crazy that people that have such a complete and utter lack of even the basics of how AD works are upper tech support???

This is taken from this book;

http://www.oreilly.com/catalog/actdir3/

Active Directory, Third Edition

Design and Deployment of Microsoft's Active Directory

The scans are not the best -- but clearly goes over an exact example he states is the reason its recommended not to setup sites if a DC is down :rolleyes:

post-14624-1209571714_thumb.jpg

post-14624-1209571724_thumb.jpg

post-14624-1209571736_thumb.jpg

Maybe you should suggest the people that manage your AD at least browse thru it, or a book like it ;)

Again good luck... Must suck to work at a place where people that control the AD are complete morons!!

What a horror story, You should have someone else manage your IT needs. Not Someone in INDIA. I know this is a vague statement and you know this already but I read all these posts and BudMans right on target with this one.

WOW your got some trash to go thru.

  • 3 weeks later...
  • 3 weeks later...

Well, we finally got the issue resolved, and of course I had to show them the exact problem before they got it fixed.

I got some of our upper management involved and then I got another response from the same person that told me that Sites and Services should not be setup or our users wouldn't be able to login. She now tells me that Sites and Services is setup correctly (which I found out later it partially was) and the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's.

I started to dig into Sites & Services after I read up a little bit on Configuration and I saw our site configured and only ONE of our subnets configured. When they started the center here they only had 10.15.91.x but since we have grown to over 700 PC's we now use 10.15.88.x - 10.15.91.x. The network team (also contracted to the same company, but it is a different group) failed to notify the Windows Management team that we added these network subnets over time.

I guess what really bothers me is not the fact that this slipped through the cracks but rather the crap they put me through with the BS answers and the fact that I had to figure the issue out myself after they kept giving me different answers.

The good news is we are switching management companies for our network and AD/Exchange management to a US based company before the end of he year.

"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly? ;)

I would agree with Budman in bringing everything in-house, at least it sounds like you could manage it well enough Frank especially after all this you had to go through.

Definitely an interesting read though from Budman.

Nice one on getting this sorted. (Y)

  BudMan said:
"the issue was with our local domain controller or we needed to install a fix from Microsoft on our local PC's."

You lost me on this -- this is what the person that told at first told sites and services should not be setup? Then changed their story that it was setup and you need to fix your DC -- like what? Or what patch would you you install on the PCs?

Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

  AD Management Company said:
Hi Frank,

I would like to apologize for a late reply as for the past few weeks we were working on some critical issues. As per your query, I tried to research on the same and came up with the following resolution:

The active directory sites in our environment has no configuration problem, you can check the same in the screenshot. So as per that the clients should go to site specific DC however in some cases this does not happen as the DC locator in clients caches the information of a single domain controller and the client will keep on going to the same DC till the time the information is updated by the client?s DC locator which is the netlogon service.

Please go through the following Microsoft Knowledge base article which talks about the same.

www.support.micorosoft.com/kb/939252

We can either use the hotfix specified in the article or try restarting the problem box to see if it is able to locate the correct DC

Let me know your thoughts about the same and revert back in case of any further query.

Thanks and Regards,

  BudMan said:
If your network range is 88-91 and S&S has only 91 -- then no its not setup correctly.. And yes that would/could cause you the exact problem you were seeing.

So I take is your S&S is now using the correct address space? And your machines are using local DCs now?

Glad to hear you got it worked out... Its been a drawn out process it seems.. Curious why you don't just manage your network and AD in house?? You seem to have IT in house -- what exactly do they do other then have to fight with the management company on how to setup network correctly;);)

I am still waiting on the AD Management Team to make the change. I have however contacted the Network Management Team requesting a list of IP's in use for all of the other centers so we can get S&S configured properly across the board. Right now they only have about 20 subnets listed and from my calculations there should be close to 30 subnets for the company.

On Outsourcing out Network/Windows management I have thought the same thing since I started this job. It is one of the main hurdles I deal with everyday when I need to get either the Network or Windows managenent team involved to resolve an issue. I have spoken to many people about it and it seems like the company who invested the majority of the funds into my company basically said IT had to be outsourced, end of story. Not something that I agree with but I have learned to deal with it. I am however very happy that they will be switching to a US based support company to replace the current company (India Based) that we are using now.

  Frank said:
Well, here was the exact message they sent me. Their English is not very good so I got confused the first time I read it. I thought they were blaming our domain controller (locally) but it appears they were claiming that it was an issue with the local machines caching the DC.

I don't see why the problem in the KB would change anything. It specifically states that the cache is built when the client is restarted.

"The domain controller locator in Windows XP and in Windows Server 2003 caches the name of a single domain controller. This client cache is not updated until the targeted domain controller stops responding to locator requests or until the client is restarted. Therefore, the client continues to send domain controller requests to the cached domain controller. "

Any caching of an incorrect DC would therefore be cleared after a reboot. If the AD sites and services are ok, they are going to pickup the correct DC at this point.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Amazon lays off more staff across Goodreads and Kindle divisions by Hamid Ganji Dozens of Amazon employees working on the retailer's book divisions have been laid off. As reported by Reuters, Amazon confirmed that it's cutting jobs across the Goodreads review site and Kindle units, which impacts fewer than 100 workers. Amazon says the recent layoffs across Goodreads and Kindle divisions are meant to improve efficiency and streamline operations. The giant retailer has constantly reduced staff across various divisions over the past few years. According to CEO Andy Jassy, reducing headcounts helps the company to eliminate bureaucracy. "As part of our ongoing work to make our teams and programs operate more efficiently and to better align with our business roadmap, we've made the difficult decision to eliminate a small number of roles within the Books organization," an Amazon spokesperson said. Layoffs recently impacted employees in Amazon's Wondery podcast division, devices and services units, communications, and in-store staff. However, Amazon's Q1 results show the retailer has added about 4,000 jobs compared to Q4 2024. After the Covid pandemic settled down, many companies began laying off thousands of staff they hired during the pandemic to respond to growing demands. The layoff trend among tech firms still exists today, and AI has amplified it. The latest data shows that in 2025, about 62,832 tech employees were laid off across 141 tech companies. Also, 152,922 tech employees across 551 companies were laid off in 2024. More layoffs are expected to occur due to declining economic growth, tariffs, and the expansion of AI across companies. Amazon is also gearing up to double down in AI investments and robotics. The company has recently announced the forming of a new agentic AI team to develop an agentic AI framework for use in robotics. Also, a new report by The Information indicates that Amazon has begun testing humanoid robots for package delivery.
    • Major Privacy 0.98.1.1 Beta by Razvan Serea MajorPrivacy is a cutting-edge privacy and security tool for Windows, offering unparalleled control over process behavior, file access, and network communication. It is a continuation of the PrivateWin10 project. By leveraging advanced kernel-level protections, MajorPrivacy creates a secure environment where user data and system integrity are fully safeguarded. Unlike traditional tools, MajorPrivacy introduces innovative protection methods that ensure mounted encrypted volumes are only accessible by authorized applications, making it the first and only encryption solution of its kind. MajorPrivacy – Ultimate Privacy & Security for Windows key features Process Protection – Isolate processes to block interference from unauthorized apps, even with admin privileges. Software Restriction – Block unwanted apps and DLLs to ensure only trusted software runs. Revolutionary Encrypted Volumes Secure Storage – Create encrypted disk images for sensitive data. Exclusive Access – Unlike traditional tools, only authorized apps can access mounted volumes—blocking all unauthorized processes. File & Folder Protection – Lock down sensitive files and prevent unauthorized access or modifications. Advanced Network Firewall – Control which apps can send or receive data online. DNS Monitoring & Filtering – Track domain access and block unwanted sites (Pi-hole compatible filtering coming soon). Tweak Engine – Disable telemetry, cloud integration, and invasive Windows features for better privacy. Why MajorPrivacy? Kernel-Level Security – Protects at the deepest system level. Unmatched Encryption Protection – Keeps mounted volumes safe from all unauthorized access. Full System Control – Block, isolate, or restrict processes as needed. Enhanced Privacy – Stops Windows & apps from collecting unnecessary data. Perfect for privacy-conscious users, IT pros, and anyone who wants total system control. Major Privacy 0.98.1.1 Beta changelog: The 0.98.1 release of MajorPrivacy introduces significant enhancements and a number of critical fixes aimed at improving usability, localization, and system integration. A major new feature is the introduction of full translation support, allowing the application interface and tweaks to be localized into multiple languages. Initial translations include AI-assisted German and Polish versions, a community-contributed Turkish translation, and Simplified Chinese. Users interested in contributing translations or adding new languages are encouraged to participate via the forum. This version also improves compatibility and deployment by bundling the Microsoft Visual C++ Redistributable with the installer, which is required for the ImDisk user interface. Several important bugs have been resolved. The installer now correctly removes the driver during uninstallation. Tweak definitions have been cleaned up for better consistency. A number of networking issues were addressed, including failures related to network shares and incorrect handling of mapped drive letters. It is now required to use full UNC paths for defining rules involving shared resources. Additionally, configuration persistence issues on system shutdown have been fixed, as well as problems affecting protected folder visibility and rule precedence involving enclave conditions. Finally, the underlying driver code has been refactored, laying the groundwork for better maintainability and future enhancements. MajorPrivacy-v0.98.1.1.exe (0.98.1a) hotfix for #71 Download: Major Privacy 0.98.1.1 Beta | 47.4 MB (Open Source) View: MajorPrivacy Home Page | Github Project page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • OpenAI responds to The New York Times' ChatGPT data demands by Pradeep Viswanathan The New York Times has sued OpenAI for the unauthorized use of its news articles to train large language models. As part of the ongoing lawsuit, the NYT recently asked the court to require OpenAI to retain all ChatGPT user content indefinitely. The NYT's argument is that they may find something in the data that supports their case. Brad Lightcap, COO of OpenAI, wrote the following regarding the NYT's sweeping demand: OpenAI has already filed a motion asking the Magistrate Judge to reconsider the preservation order, since indefinite retention of user data breaches industry norms and its own policies. Additionally, OpenAI has also appealed this order with the District Court Judge. Until OpenAI wins its appeal, it will be complying with the court order. The content defined by the court order will be stored separately in a secure system and will be accessed or used only for meeting legal obligations. Only a small, audited OpenAI legal and security team will be able to access this data as necessary to comply with our legal obligations. As of early 2025, ChatGPT has over 400 million weekly active users, and this data retention order will affect a significant number of them. OpenAI confirmed that ChatGPT Free, Plus, Pro, and Teams subscription users, and developers who use the OpenAI API (without a Zero Data Retention agreement) will be affected by this order. ChatGPT Enterprise, ChatGPT Edu, and API customers who are using Zero Data Retention endpoints will not be affected by this court change.
  • Recent Achievements

    • First Post
      Uranus_enjoyer earned a badge
      First Post
    • Week One Done
      Uranus_enjoyer earned a badge
      Week One Done
    • Week One Done
      jfam earned a badge
      Week One Done
    • First Post
      survivor303 earned a badge
      First Post
    • Week One Done
      CHUNWEI earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      428
    2. 2
      +FloatingFatMan
      238
    3. 3
      ATLien_0
      212
    4. 4
      snowy owl
      211
    5. 5
      Xenon
      159
  • Tell a friend

    Love Neowin? Tell a friend!