Site Connectivity - no routing through network to all DCs

  • Question

  • Hi @all,

    I'm currently facing the issue that I have 3 Sites - 2 of them have domain controllers.

    Being in Site 3 with a registered client I'm getting all possible Domain Controllers as answer to my authentication request against domain.tld.

    Unfortunately direct routing from Site 3 to site 1 is not possible - so requests against this Domain Controller will not be successful.

    Network Overview

    How can I set AD to give Domain Controller to the clients of Site 3, which are accessible to them?

    Thanks in advance!

    Matthias

    Friday, June 24, 2016 9:23 PM


All replies

  • What you are describing is the default behavior of an AD structure without any IP subnets defined - when a client does not reside in a pre-defined AD Sites and Services IP subnet, it may attempt to authenticate against any DC which it is aware of and not respect site boundaries. Sounds like you need to define IP subnets within each of your AD sites, so that clients will authenticate against their nearest DC, rather than to a DC which may be in a site it cannot reach, as your scenario indicated.

    AD Sites overview:

    https://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Wendy Jiang Friday, July 1, 2016 7:24 AM
    • Marked as answer by Wendy Jiang Monday, July 4, 2016 9:12 AM
    Saturday, June 25, 2016 1:46 PM
  • Not sure if I understood your question, but will try to answer based on what I have read. Site 1 client can locate nearest DC either in client 2 or 3, but that depends on connectivity of client from Site 1 to either site. You need to specify DNS of the site & also define site/subnet info for the site 3 client info in ADSS.

    https://blogs.technet.microsoft.com/arnaud_jumelet/2010/07/05/domain-controller-locator-an-overview/


    Awinish Vishwakarma
    MY BLOG
    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no right.

    • Proposed as answer by Wendy Jiang Friday, July 1, 2016 7:24 AM
    • Marked as answer by Wendy Jiang Monday, July 4, 2016 9:12 AM
    Saturday, June 25, 2016 4:15 PM
  • Hi @all,

    Thanks to both of you for helping me on this point.

    I've already defined the subnets and assigned the network definitions to the sites.

    What I'm missing is that mysterious DNS Server specification in ADSS.

    On each domain controller ADDS with DNS are installed.

    The problematic site is EUDEFUE (subnet 172.30.0.0/24), which has no DC, but should use the DC of EUDENES (subnet 172.31.0.0/24) - they are connected through VPN. The clients in EUDEFUE have the domain controller of EUDENES configured.

    Thanks in advance!

    Matthias

    Sunday, June 26, 2016 12:41 PM
  • > I've already defined the subnets and assigned the network definitions to
    > the sites.
     
    Manually create site links that match your network - AD assumes that
    each site can reach each other site...
     
    And do some research for "DC site coverage" :-)
     
    • Proposed as answer by Wendy Jiang Friday, July 1, 2016 7:24 AM
    • Marked as answer by Wendy Jiang Monday, July 4, 2016 9:12 AM
    Monday, June 27, 2016 10:59 AM
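A worked configuration for the scenario in this thread (subnets per Todd's reply, explicit site links and DC site coverage per the last reply), added here as an example and not taken from any of the posts. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation; the site name "Site1" and its subnet 10.0.0.0/24 are placeholders, since the thread never names the third site.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# Enterprise Admin rights. EUDEFUE/EUDENES and their subnets are from the
# thread; "Site1" and 10.0.0.0/24 are placeholders for the unnamed first site.
Import-Module ActiveDirectory

$domain = 'domain.tld'   # from the thread

# 1. Sites and the subnets that map clients to them. A client in a subnet that
#    is not mapped to a site may pick any DC it learns of from DNS.
$sites = @{
    'Site1'   = '10.0.0.0/24'      # placeholder: has DCs, unreachable from EUDEFUE
    'EUDENES' = '172.31.0.0/24'    # has DCs, reachable from EUDEFUE over VPN
    'EUDEFUE' = '172.30.0.0/24'    # no DC; must be covered by EUDENES
}
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($sites[$name])'")) {
        New-ADReplicationSubnet -Name $sites[$name] -Site $name
    }
}

# 2. Site links that mirror the real network paths. DEFAULTIPSITELINK holds
#    every site and so models a full mesh; replace it with explicit links so
#    that no link joins EUDEFUE directly to Site1. Every site must stay in at
#    least one link, which the two links below guarantee.
New-ADReplicationSiteLink -Name 'EUDENES-EUDEFUE' -SitesIncluded 'EUDENES','EUDEFUE' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Site1-EUDENES' -SitesIncluded 'Site1','EUDENES' `
    -Cost 200 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# 3. Automatic site coverage: the DC-less site EUDEFUE is now cheapest to reach
#    from EUDENES (cost 100) rather than Site1 (100 + 200 via bridging), so the
#    EUDENES DCs register the EUDEFUE site records in DNS. Check which DC the
#    locator returns for that site.
Get-ADDomainController -Discover -DomainName $domain -SiteName 'EUDEFUE' |
    Select-Object HostName, Site, IPv4Address

# On a client in 172.30.0.0/24, once DNS has replicated and the client has
# been rebooted or its locator cache cleared, confirm site and chosen DC:
#   nltest /dsgetsite
#   nltest /dsgetdc:domain.tld /force
# The DC reported should be in EUDENES, never in Site1.
```

Site links only shape replication and coverage; they do not block a client that has explicitly cached a Site1 DC, so verify from a client in EUDEFUE after the change rather than from the DC alone.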