Clients accessing the wrong domain controller

  • Question

  • We are running multiple sites over an IPSEC VPN. Generally all works well, but we are having some issues with the sites being unable to access some internal web pages randomly. The issue goes deeper than that, as when we run tests they appear to be accessing the wrong domain controller.

    Background: We have 2 DCs in the same site; however, one is in another building over a wireless network (DC2). DC1 is the primary and should serve the main office and all IPSEC sites; however, when we ping domain.local from the client it either cannot find a record or it tries to access DC2.

    All sites' primary DNS points to DC1. nltest results show the correct DC as the primary:

    C:\WINDOWS\system32>nltest /dclist:domain.local
    Get list of DCs in domain 'domain.local' from '\\DC1.domain.Local'.
        TS-DC3.TS14.Local       [DS] Site: MAIN
        TS-DC01.TS14.Local [PDC] [DS] Site: MAIN

    NB: Default-First-Site-Name was renamed to MAIN.

    We have recently tried changing the Weight to 50 and the Priority to 10 on DC2.
    We also used the firewall to simply deny access to DC2, to essentially make it unavailable. Even though the client can't reach it, it still tries.

    Hoping someone can assist.
    Thursday, August 11, 2016 12:49 PM

Answers

  • Not sure I'm understanding your issue, but...

    Clients get their DC by what is configured in Sites & Services. If nothing is configured, it's chosen at random. If DC1 and DC2 are in different subnets, I would make separate sites for them (even though they are in the same geographic location). For example, you could configure the MAIN site with the subnet of DC1 and the other subnets of your main office and other sites. You would define the sites & subnets for the other sites and do a site link to the MAIN site with the lowest cost. This should create the SRV records in DNS for that site of where to get ldap, global catalog, etc. (all pointing to DC1). Another site is created for DC2 and the wireless subnets and the site links for that are a higher cost.

    Clients get their DNS server by what is given to them by DHCP. If you only want them to resolve against DC1, put that in DHCP and you can confirm via ipconfig /all on the client. Resolution of your domain will always return all DCs, no way to change that, but they should always be resolving your internal sites from DC1.


    Monday, August 15, 2016 3:49 PM
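The two-step approach in the answer above (map subnets to sites so the DC locator prefers DC1, then hand clients only DC1 as their DNS server via DHCP) is shown here as an added PowerShell example; it is not from the original thread or from any of the posters. It assumes RSAT's ActiveDirectory and DhcpServer modules on a domain-joined admin host, the domain name domain.local and the existing site MAIN from the question, and made-up names and subnets for everything else: a new site WIRELESS for the building that holds DC2, a site BRANCH for one IPsec-connected office, the subnets 10.0.1.0/24 (main office), 10.0.2.0/24 (wireless building) and 10.0.3.0/24 (branch), and 10.0.1.10 as DC1's address. Substitute your real values before running it.

```powershell
# Added example, not code from the thread. All site names, subnets and
# addresses below are assumptions; replace them with your own.
Import-Module ActiveDirectory
Import-Module DhcpServer

$domain = 'domain.local'
$dc1Ip  = '10.0.1.10'     # assumed address of DC1

# --- Part 1: Sites & Services -------------------------------------------
# Give the wireless building its own site and move DC2 into it, so that
# DC2 stops advertising itself for site MAIN.
New-ADReplicationSite -Name 'WIRELESS'
Move-ADDirectoryServer -Identity 'DC2' -Site 'WIRELESS'

# A site for the IPsec-connected branch. It has no DC of its own, so the DC
# locator will "cover" it from the site reachable over the cheapest link.
New-ADReplicationSite -Name 'BRANCH'

# Every client subnet must map to a site. A client whose subnet is not listed
# is handed a DC at random, which is the symptom in the question.
New-ADReplicationSubnet -Name '10.0.1.0/24' -Site 'MAIN'
New-ADReplicationSubnet -Name '10.0.2.0/24' -Site 'WIRELESS'
New-ADReplicationSubnet -Name '10.0.3.0/24' -Site 'BRANCH'

# Site links: cheap MAIN<->BRANCH, expensive MAIN<->WIRELESS. Because BRANCH
# reaches WIRELESS only through MAIN, automatic site coverage for BRANCH
# falls to DC1 in MAIN rather than DC2.
New-ADReplicationSiteLink -Name 'MAIN-BRANCH'   -SitesIncluded 'MAIN','BRANCH'   -Cost 50  -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'MAIN-WIRELESS' -SitesIncluded 'MAIN','WIRELESS' -Cost 200 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# --- Part 2: make clients resolve only against DC1 ----------------------
# DHCP option 6 (DNS servers) for each scope. Run on the DHCP server.
foreach ($scope in '10.0.1.0', '10.0.3.0') {
    Set-DhcpServerv4OptionValue -ScopeId $scope -DnsServer $dc1Ip
}

# --- Verification ---------------------------------------------------------
# Site-specific SRV records: only DC1 should be listed for MAIN. The
# domain-wide record (_ldap._tcp.dc._msdcs) will still list every DC; that
# is expected and cannot be changed, as the answer notes.
Resolve-DnsName -Name "_ldap._tcp.MAIN._sites.dc._msdcs.$domain" -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# What the DC locator actually hands out. Run on a client in each subnet;
# /force bypasses the cached DC so the new site layout is exercised.
nltest "/dsgetdc:$domain" /force

# Same check from PowerShell, asking for the DC that covers the branch site.
Get-ADDomainController -Discover -DomainName $domain -SiteName 'BRANCH' -ForceDiscover |
    Select-Object HostName, Site

# Confirm the client received DC1 from DHCP (run on the client).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

The Set-ADReplicationSiteLink cmdlet can be used instead of New-ADReplicationSiteLink if you prefer to keep DEFAULTIPSITELINK and just adjust its cost and membership. Allow for the DC locator's site cache (about 15 minutes) and for DNS replication between the DCs before trusting the verification output; the /force switch on nltest and -ForceDiscover on Get-ADDomainController skip the local cache but not DNS.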

All replies

  • Hi,

    >>We have 2 DC's in the same site, however one is in another buiding over a wireless network (DC2). DC1 is the primary and should server for the main office and all IPSEC, however when we ping domain.local from the client either cannot find a record or it trys to access DC2.

    According to your description, it seems like a network issue with routing. The client always routes to Site2 (DC2). Please make sure you have a proper route for the client. I have found a similar case; it may give you some hints to find the root cause:

    Computers point to DC in wrong site

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Friday, August 12, 2016 5:25 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    ________________________________________
    Best Regards,
    Cartman

    Tuesday, August 23, 2016 7:45 AM