PCs receive services from a different site than the one they are directly connected to.

    Question

  • Hi,

    I have the following setup.

    2 sites, SiteA 192.168.189.* and SiteB 192.168.192.*

    Each site has two physical servers, running 6 VMs each; these VMs are set up to run different services.

    Each site has primary and secondary domain controllers configured, with DNS and DHCP installed. Replication is configured properly.

    Site A PCs receive services from Site B instead of from the DC the PCs are directly connected to. E.g., when an account is locked out, it will show as locked on Site B, not in Site A. Secondly, when I run a GP install, they don't go through to the PCs; I suspect it can be caused by this.

    Please assist.


    Psalms 56: “11 In God I have put my trust; I will not be afraid. What can man do to me?”

    Friday, March 24, 2017 8:56 AM

All replies

    > when an account is locked out, it will show locked on siteB not in site A, 2ndly when I run gp install they don't go through to pcs, I suspect it can be caused by this.

    Check DC and replication health first...

    Run "dcdiag" on both DCs and "repadmin /replsum" at both sites.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Friday, March 24, 2017 1:31 PM
  • I should note that when an account is locked, only the DC with the PDC Emulator FSMO role is authoritative. There can be only one DC in the domain with this role. If the DC with this role is not available, results can be inconsistent or wrong. All bad password attempts are forwarded to this DC.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, March 24, 2017 2:55 PM
  • Hi,

    I am checking on how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you would mark them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 9:23 AM
    Moderator
    Instead of going with the general scenario, you need to check the basics first.

    1. Do you see the computer getting authenticated by the correct DC, and is the proper site updated in the registry?

    2. Run nltest /dsgetdc:domainname /force (replace with the exact domain name): which domain controller do you see in the list?

    3. As per my understanding, a GPO can be applied from any DC, and it is not necessary to pull it from the authenticating DC.

    4. Are all your DCs running the DNS role?

    5. Make sure the sites and subnets are mapped correctly, with no overlap between them.

    If you see all of these configured correctly, the option will be to collect a network trace and the Netlogon log while running the above nltest command to force the DC locator process. Make sure you clear the DNS and Kerberos caches before capturing the trace. Go through the captured network trace to understand the queries it is sending and to which DC.

    Hope this helps! Please don't forget to mark it as the answer if it resolves your issue.

    Friday, March 31, 2017 10:04 AM
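The three replies above (check DC and replication health with dcdiag/repadmin; remember that only the PDC Emulator is authoritative for lockouts; run the DC locator with nltest and verify site/subnet mapping) amount to one triage procedure. The script below is an added example that is not part of the thread and not from any poster; it strings those checks together in PowerShell so they can be run from a PC in Site A. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user on a domain-joined Windows client, and that the domain name "corp.example" and site name "SiteA" are placeholders to replace. The Test-IpInSubnet helper is my own; the subnet overlap check is a plain prefix comparison and does not consult Active Directory's own matching logic.

```powershell
#Requires -Modules ActiveDirectory
# Added example: site-affinity triage for a client that talks to the wrong site's DCs.
# Placeholders (assumptions, not values from the thread): corp.example, SiteA.
param(
    [string]$Domain       = 'corp.example',
    [string]$ExpectedSite = 'SiteA'
)
Import-Module ActiveDirectory

function ConvertTo-BinaryString([string]$Ip) {
    # IPv4 dotted quad -> 32-character string of 0/1, most significant bit first
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    -join ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}
function Test-IpInSubnet([string]$Ip, [string]$Cidr) {
    # True when the first <prefix-length> bits of $Ip equal those of the subnet
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    (ConvertTo-BinaryString $Ip).Substring(0, $bits) -eq (ConvertTo-BinaryString $net).Substring(0, $bits)
}

# 1. What this client currently believes: Netlogon caches the site name in the registry,
#    and LOGONSERVER shows which DC handled the interactive logon.
$nlp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$cachedSite = (Get-ItemProperty -Path $nlp -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
"Cached DynamicSiteName : $cachedSite"
"LOGONSERVER            : $env:LOGONSERVER"

# 2. Clear the DNS and Kerberos caches, then force a fresh DC locator run (bypasses the cache).
ipconfig /flushdns | Out-Null
klist purge | Out-Null
Write-Host "`n== nltest /dsgetdc:$Domain /force =="
nltest "/dsgetdc:$Domain" /force

# 3. Site/subnet mapping: does this client's IPv4 address fall in exactly one subnet,
#    and is that subnet assigned to the expected site?
$clientIp = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -notlike '127.*' -and $_.PrefixOrigin -ne 'WellKnown' } |
             Select-Object -First 1).IPAddress
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$hits = @($subnets | Where-Object { Test-IpInSubnet -Ip $clientIp -Cidr $_.Name })
Write-Host "`n== Subnets matching client IP $clientIp =="
foreach ($s in $hits) {
    $siteName = if ($s.Site -match '^CN=([^,]+)') { $Matches[1] } else { '(unassigned)' }
    "{0,-20} -> {1}" -f $s.Name, $siteName
    if ($siteName -ne $ExpectedSite) { Write-Warning "Subnet $($s.Name) maps to $siteName, not $ExpectedSite" }
}
if ($hits.Count -eq 0) { Write-Warning "No AD subnet covers $clientIp; clients will be served by any DC" }
if ($hits.Count -gt 1) { Write-Warning "Overlapping subnets: $($hits.Name -join ', ')" }

# 4. Every DC: which site it advertises for, and whether it actually answers DNS for the domain.
Write-Host "`n== Domain controllers =="
Get-ADDomainController -Filter * | ForEach-Object {
    $answers = Resolve-DnsName -Name $Domain -Type A -Server $_.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $_.HostName; Site = $_.Site; IPv4 = $_.IPv4Address; AnswersDns = [bool]$answers }
} | Format-Table -AutoSize

# 5. Lockouts are only authoritative on the PDC Emulator, so query that DC explicitly.
$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
Write-Host "`n== PDC Emulator: $pdc ; currently locked-out accounts =="
Search-ADAccount -LockedOut -Server $pdc | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 6. Replication and advertising health, as suggested earlier in the thread.
Write-Host "`n== repadmin /replsum =="
repadmin /replsum
Write-Host "`n== dcdiag (Advertising, Replications, Services) =="
dcdiag /test:Advertising /test:Replications /test:Services
```

If step 3 prints a subnet whose site is not the one the PC physically sits in, or no subnet at all, that alone explains the symptom in the question: the DC locator picks a DC in whatever site the client's subnet maps to, so fixing the subnet object fixes logon and Group Policy affinity without touching the DCs. If the mapping is right but nltest still returns a Site B DC after the cache purge, the per-DC table in step 4 (a DC not answering DNS, or a DC whose Site column is wrong) is the next place to look, and the network trace the last reply describes becomes worthwhile.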