clients accessing sysvol share from different AD site

    Question

  • We have an Active Directory infrastructure with 2 sites, a primary site and a DR site.

    We have configured the subnets for each site and replication is working fine.

    Currently some users have reported slowness in logging in to the domain. As per our troubleshooting, we have found that client machines are accessing the SYSVOL share from the DR site.

    We have tested the user authentication domain controller and site using NLTEST; it shows authentication is happening at the primary site, but when we tried to ping the domain name, it randomly goes to the DR site because the DR domain controller is also registered in the domain name server.

    How can we restrict users to the domain controllers in their own AD site when accessing the SYSVOL share?

    regards,

    sarma

    Monday, December 19, 2016 7:31 PM

All replies

  • Hi sarma,
    Generally, we cannot use ping or nslookup to ferret out DCs in an AD site. Please run the echo %LOGONSERVER% command to find which DC the client is authenticating against. And you could check whether sites, subnets, and DNS SRV records are configured properly.
    If you want to force a client to validate its logon against a specific domain controller, you could follow: http://windowsitpro.com/windows-server/q-how-can-i-force-client-validate-its-logon-against-specific-domain-controller
    And we could also refer to more details regarding the process of client authenticating against DC from:
    The DC Locator Process, The Logon Process, Controlling Which DC Responds in an AD Site, and SRV Records
    http://blogs.msmvps.com/acefekay/2010/01/03/the-dc-locator-process-the-logon-process-controlling-which-dc-responds-in-an-ad-site-and-srv-records/
    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, December 20, 2016 3:17 AM
    Moderator
  • Dear wendy,

    thanks for the update.

    For example, if I have 2 AD sites, Site A: 10.0.0.0/24, Site B: 172.16.0.0/24

    The primary site has 2 domain controllers (DC1 - 10.0.0.1, DC2 - 10.0.0.2)

    The secondary site has 1 domain controller (BRDC1 - 172.16.0.1)

    My domain name is: domain.local

    With the above, my AD DNS server will create the domain.local DNS name and will add 10.0.0.1, 10.0.0.2 and 172.16.0.1 as name servers.

    If I nslookup or try to access domain.local, I will get both the primary site and DR site domain controller IP addresses (10.0.0.1, 10.0.0.2 and 172.16.0.1).

    If one of my client machines in Site A logs on to the domain and accesses group policy, it will access the group policy through a path like "\\domain.local\SYSVOL\domain.local\Policies\{XXXXXX}".

    Because all the servers in the primary and secondary sites are registered in DNS, the client may access a primary site or a secondary site domain controller.

    How can I restrict clients from Site A to the primary site domain controllers (10.0.0.1, 10.0.0.2) for SYSVOL access?

    Tuesday, December 20, 2016 8:18 PM
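An added troubleshooting script for the layout described in the two posts above (this is not code from the thread or from Microsoft; the domain name, subnets, DC names and addresses are taken from sarma's example, and the site name SiteA is an assumption). The points it exercises: the A record for the bare name domain.local legitimately returns every DC, so ping and nslookup say nothing about site affinity; \\domain.local\SYSVOL is a domain-based DFS namespace path, and the DC a client is sent to for SYSVOL comes from the DFS referral, which puts the client's own-site DCs first only when the client's IP address falls inside a subnet object mapped to that site. The script runs on a Site A client and shows where to look: the logon DC, the client's computed site, the site-specific SRV records, the cached DFS referral and the live SMB session, and finally the subnet-to-site mapping on the server side. dfsutil comes with the DFS Management RSAT tools and the last two cmdlets need the ActiveDirectory module; both are assumed installed.

```powershell
# Added example, not part of the original thread.
# Assumed layout (from sarma's post): domain.local; Site A = 10.0.0.0/24 (DC1 10.0.0.1, DC2 10.0.0.2);
# Site B = 172.16.0.0/24 (BRDC1 172.16.0.1). The site name "SiteA" is an assumption.
$Domain = 'domain.local'

# 1. The A record for the bare domain name is round-robin over every DC.
#    Seeing 172.16.0.1 here from a Site A client is expected and proves nothing.
Write-Host "A records for $Domain (all DCs, any order):"
Resolve-DnsName -Name $Domain -Type A | Select-Object -ExpandProperty IPAddress

# 2. The DC the client actually logged on through, and the site the client computed
#    from its own IP. If the site is empty, the client's IP matches no subnet object.
Write-Host "LOGONSERVER : $env:LOGONSERVER"
$Site = (nltest /dsgetsite | Select-Object -First 1).Trim()
Write-Host "Client site : $Site"
nltest "/dsgetdc:$Domain" /force          # fresh DC locator query, bypassing the locator cache

# 3. The site-specific SRV records the DC locator uses for this site.
#    Site A's record set should list DC1 and DC2 only, never BRDC1.
Write-Host "LDAP SRV records for site $Site :"
Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# 4. SYSVOL is reached through a DFS referral, not through the A record used in step 1.
#    The cached referral shows which targets the client was given and which one is active;
#    the SMB connection shows the server it is really talking to right now.
Write-Host "Cached DFS referral for SYSVOL:"
dfsutil /pktinfo 2>$null | Select-String -Pattern 'sysvol|ACTIVE' -Context 0,3
Write-Host "Live SMB sessions to SYSVOL:"
Get-SmbConnection | Where-Object { $_.ShareName -eq 'SYSVOL' } |
    Select-Object ServerName, ShareName, UserName, NumOpens

# 5. Server side: every client subnet must map to the right site, and every DC object
#    must sit in the site that holds it. A client in an unmapped subnet is "siteless" and
#    gets referrals in arbitrary order, which looks exactly like the symptom reported.
Import-Module ActiveDirectory
Write-Host "Subnet-to-site mapping:"
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Write-Host "DC-to-site mapping:"
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site
```

Read the output in order: if step 2 shows an empty site or a DC in the wrong site, or step 5 shows 10.0.0.0/24 missing or bound to the wrong site, fix the subnet object and re-run from step 2 (the /force flag makes nltest re-discover rather than reuse the cached DC). Only if the site mapping is correct and step 4 still shows BRDC1 as the active SYSVOL target is it worth looking at DFS referral ordering or the DC locator site-coverage settings.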
  • Hi,

    Have you tried the suggested website for reference in my last reply? Any result?

    How can I force a client to validate its logon against a specific domain controller?

    http://windowsitpro.com/windows-server/q-how-can-i-force-client-validate-its-logon-against-specific-domain-controller

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, December 23, 2016 1:34 AM
    Moderator