Users' DNS queries on the local network

    Question

  • Hello

    We have set up a Primary DC at our Head Office with all the roles, and a Secondary DC as well. We have 5 other sites which are connected to Head Office through the WAN. We have installed a local DC/GC at each of these sites. We have configured subnets for each site and assigned them to their respective DC in Sites and Services.

    When I ping my domain (e.g. domain.com) from any user's computer at one of the site offices, it should get a reply from the local DC. Instead it gets a reply from a DC at another site.

    I want to know how to ensure that all users at a site connect to their local DC for any query and not to other DCs in the domain which are located at remote locations.

    I have not provided many details, since I want to understand how to set up the infrastructure. If you need any details, please let us know and we will provide them.

    Thanks in advance.

    K


    abc

    Wednesday, December 14, 2016 8:26 AM

Answers

  • The DNS service is not aware of the Active Directory or network topology. The order of the records returned by DNS is affected by the subnet mask ordering and round robin options only. So nslookup or ping results give no good indication of which domain controller the client will use. AD clients use a somewhat more intelligent process when locating a domain controller. In a nutshell, it comes down to domain controllers registering site-specific SRV records in DNS and clients trying to locate a DC in the same site using those site records.

    Use "echo %logonserver%" instead of ping to check which domain controller the client uses.

    For more information see: Finding a Domain Controller in the Closest Site


    Gleb.

    • Proposed as answer by Thameur BOURBITAMVP Wednesday, December 14, 2016 11:04 AM
    • Marked as answer by abckid Wednesday, December 14, 2016 12:31 PM
    Wednesday, December 14, 2016 9:04 AM
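    An added check (not from the thread) that shows the difference Gleb describes on a domain-joined Windows client: the round-robin A records that ping resolves, the site-specific SRV records the DC locator consults, and whether the cached logon server is one of this site's DCs. `domain.com` is a placeholder; nltest and Resolve-DnsName are assumed to be available.

```powershell
# Added example, not part of the thread. Assumes a domain-joined Windows client
# (Windows 8 / Server 2012 or later for Resolve-DnsName); 'domain.com' is a placeholder.
$domain = 'domain.com'

# 1. Every DC registers an A record for the bare domain name, so this list is
#    round-robin ordered and carries no site information. This is all ping sees.
Write-Host "A records for $domain (what ping resolves):"
Resolve-DnsName -Name $domain -Type A |
    Where-Object Type -eq 'A' |
    Select-Object -ExpandProperty IPAddress

# 2. The site this client was mapped to through its subnet in Sites and Services.
#    nltest prints the site name on its first output line.
$site = (nltest /dsgetsite | Select-Object -First 1).Trim()
Write-Host "Client site: $site"

# 3. Site-specific SRV records: the DC locator queries these before falling back
#    to the generic _ldap._tcp.dc._msdcs.<domain> records.
$srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV |
    Where-Object Type -eq 'SRV'
Write-Host "DCs registered for site ${site}:"
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 4. The DC the locator actually chose, i.e. what "echo %logonserver%" shows,
#    with the leading backslashes removed.
$logon = $env:LOGONSERVER.TrimStart('\')
Write-Host "Logon server: $logon"

# 5. Verify the logon server is one of the DCs registered for this site.
if ($srv.NameTarget -like "$logon.*") {
    Write-Host "OK: $logon is a DC in site $site"
} else {
    Write-Warning "$logon is not registered for site $site; check the client's subnet-to-site mapping and the DC's SRV registrations (nltest /dsgetdc:$domain /force shows the locator's choice and site)"
}
```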
  • > When I ping my domain (e.g. domain.com) from any user's computer at one of the site offices, it should get a reply from the local DC. Instead it gets a reply from a DC at another site.
     
    As Gleb pointed out: ping does not know about sites. It simply queries the IP address for your domain, and DNS returns the IPs of all DCs in round robin order. Ping picks the first address.
     
    • Proposed as answer by Thameur BOURBITAMVP Wednesday, December 14, 2016 11:04 AM
    • Marked as answer by abckid Wednesday, December 14, 2016 12:31 PM
    Wednesday, December 14, 2016 9:45 AM
  • > Can you also guide me: one of my DCs is generating automatic KCC connections even though I delete them manually. How can I stop it from auto-generating KCC connections to all other DCs in the domain except to the Primary DCs in Head Office? It is a Win2K8-R2 DC.
    >
    > Many thanks,

    Hi,

    It is recommended to keep the KCC enabled. You should check the site link configuration, because the KCC creates connection objects based on the site link configuration.
    The KCC lets you update the connection objects automatically when you change a site or remove or add a domain controller.

    To disable inter-site automatic generation:

    repadmin /siteoptions /site:SITENAME +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED

    To disable intra-site automatic generation:

    repadmin /siteoptions /site:SITENAME +IS_AUTO_TOPOLOGY_DISABLED

    • Marked as answer by abckid Wednesday, December 14, 2016 12:31 PM
    Wednesday, December 14, 2016 11:57 AM
  • Hi,

    You can keep inter-site auto generation; just avoid putting all sites in the same site link. You should set two sites on each site link; in this case the KCC will generate connection objects between the sites that exist in the same site link.

    • Marked as answer by abckid Wednesday, December 14, 2016 12:31 PM
    Wednesday, December 14, 2016 12:28 PM
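    An added audit script (not Thameur's, and not from the thread) that reports the inputs the KCC works from, covering both replies above: per site, whether the two repadmin /siteoptions flags are set; per site link, how many sites it bundles (all sites in one DEFAULTIPSITELINK is the pattern Thameur advises against); and which connection objects are KCC-generated and will therefore be recreated after a manual delete. It assumes the ActiveDirectory RSAT module and repadmin are installed on the machine it runs on.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory PowerShell
# module (RSAT) and repadmin.exe are available and the caller can read the
# Configuration partition.
Import-Module ActiveDirectory

# Site options, read from repadmin's own "Current Site Options:" output line
# (the same line the thread quotes further down).
Write-Host "Per-site KCC topology options:"
Get-ADReplicationSite -Filter * | ForEach-Object {
    $opts = (repadmin /siteoptions "/site:$($_.Name)") -join ' '
    [pscustomobject]@{
        Site                  = $_.Name
        IntraSiteAutoDisabled = $opts -match '\bIS_AUTO_TOPOLOGY_DISABLED\b'
        InterSiteAutoDisabled = $opts -match '\bIS_INTER_SITE_AUTO_TOPOLOGY_DISABLED\b'
    }
} | Format-Table -AutoSize

# Site links: SitesIncluded holds the member sites' DNs; flag any link that
# spans more than two sites (a hub-and-spoke design wants one link per spoke).
Write-Host "Site links and their member sites:"
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded | ForEach-Object {
    $sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
    [pscustomobject]@{
        SiteLink         = $_.Name
        Cost             = $_.Cost
        Sites            = $sites -join ', '
        MoreThanTwoSites = $sites.Count -gt 2
    }
} | Format-Table -AutoSize

# Connection objects: AutoGenerated = True means the KCC owns the object and
# will recreate it after a manual delete, which is the behaviour asked about.
# The From/To values are NTDS Settings DNs; the second RDN is the server name.
Write-Host "Connection objects (AutoGenerated = True are KCC-managed):"
Get-ADReplicationConnection -Filter * | ForEach-Object {
    [pscustomobject]@{
        To            = ($_.ReplicateToDirectoryServer -split ',')[1] -replace '^CN='
        From          = ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN='
        AutoGenerated = $_.AutoGenerated
    }
} | Sort-Object To, From | Format-Table -AutoSize
```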

All replies

  • Hi,

    Thanks for the receptive replies.

    I will check as Gleb suggested, using "echo %logonserver%" instead of ping to check which domain controller the client uses. I checked a few and they show the local DC, which means it sounds good!

    Can you also guide me: one of my DCs is generating automatic KCC connections even though I delete them manually. How can I stop it from auto-generating KCC connections to all other DCs in the domain except to the Primary DCs in Head Office? It is a Win2K8-R2 DC.

    Many thanks,

    K


    abc

    Wednesday, December 14, 2016 11:37 AM
  • Hi Thameur,

    Thanks for the reply.

    I have already configured some options on the DC for that site. The results are:

    Current Site Options: IS_TOPL_DETECT_STALE_DISABLED IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED

    Still, AD connections are generated under NTDS Settings, and connections for this DC are also auto-generated under all other DCs in the domain.

    Do I need to disable the inter-site auto generation?

    The site link is configured as default. All the sites are added to the DEFAULTIPSITELINK site link. Do I need to configure a different site link between the Head Office DC and the DC at each site? I just came across an article similar to what I said. Do you think this is recommended? - https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/

    Please guide.

    Thanks,

    K


    abc

    Wednesday, December 14, 2016 12:18 PM
  • Thanks to all for guidance and help.

    abc

    Wednesday, December 14, 2016 12:31 PM
  • Hi Thameur,

    I would like to know one last thing :)

    After setting up the site link for every site, I also want to change the replication schedule between them at the site link level. At present I have also changed the same (i.e. the replication schedule) at the server level. In this case, which replication setting will work or take priority? Do I need to make sure that they are the same in the site link and server settings?

    Please guide.

    Thanks,

    K


    abc

    Wednesday, December 14, 2016 12:48 PM
  • > Hi Thameur,
    >
    > I would like to know one last thing :)
    >
    > After setting up the site link for every site, I also want to change the replication schedule between them at the site link level. At present I have also changed the same (i.e. the replication schedule) at the server level. In this case, which replication setting will work or take priority? Do I need to make sure that they are the same in the site link and server settings?
    >
    > Please guide.
    >
    > Thanks,
    >
    > K
    >
    > abc

    Take note that the schedule configured on the site link is applied only to connection objects whose replication partner is in another site. Connection objects with replication partners in the same site don't follow the schedule on the site link.
    Wednesday, December 14, 2016 1:07 PM
  • Hi,

    Noted.

    And what if the replication schedule configured on the site link and the one configured on the individual KCC connection are different? Will the schedule configured on the site link take priority, or the one configured on the KCC connection?

    Thanks,

    K


    abc


    • Edited by abckid Wednesday, December 14, 2016 1:17 PM
    Wednesday, December 14, 2016 1:11 PM
  • Hi,

    Maybe we could take a look at the details about the connection object schedule in the following article:

    How Active Directory Replication Topology Works

    https://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 19, 2016 1:35 AM
    Moderator