Authenticating DC is wrong


chris

Apparently when we joined the AD domain on several
machines, the closest DC was the wrong one. We need to
make the machines authenticate to a different DC but
can't get the setting to stick.

We've tried unjoining the domain and joining again,
changing the registry LOGONSERVER setting and a few other
things. Always, the original DC is the one we see when
we run SET at the command prompt.

How in the world do we make a machine auth to the DC we
want after it has auth'ed to the wrong one?
 
Not sure why authenticating to the closest DC is a problem since the
information is replicated to all DCs.
Ideally you want the client to log onto the closest DC to speed the logon
time.

Never heard of this as being a problem. Curious as to why you see this as a
problem?


hth
DDS W 2k MVP MCSE
 
The DC the machines are authing to is on a Slow WAN
connection across the country. They need to be authing
to the local DC.
 
I don't really understand why this is an issue and is contrary to the design
of an AD domain, but you can modify the weight and priority _srv records on
a domain controller to alter its likelihood of authenticating clients in
general - but not specific clients [maybe that is what you did already].
Otherwise sites/subnets can control where computers will first try to
authenticate based on their physical location. I have not tried this, but I
suppose you could try to set ipsec filtering policies on those computers to
block them from communicating with certain domain controllers but then you
will lose the benefit of redundancy in case the other domain controller is
not available. --- Steve

http://www.jsiinc.com/SUBJ/tip4500/rh4527.htm --- dns weight and
priority.
 
Now I'm really confused

From your first post:

"Apparently when we joined the AD domain on several
machines, the closest DC was the wrong one."


From this post:
The DC the machines are authing to is on a Slow WAN
connection across the country. They need to be authing
to the local DC.


DDS
 
I see. Sorry. At the time we joined the domain the
closest DC was the right one. Now that the machines have
been moved across country that DC is now the wrong one.
We are trying to get the machines to auth to the 'new'
closest DC.
 
Thanks Danny. It looks like in Sites and Services we
have the Preferred Auth Server set wrong on the specific
subnet. Man, that was too easy.
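
Added example, not part of any post in this thread: a small Python check that maps a client IP to its AD site by most-specific subnet match, the way sites/subnets steer DC selection as described above, and flags a client whose LOGONSERVER is outside that site. The subnet ranges, site names and DC names are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data standing in for the subnet and site objects
# defined in Sites and Services. All names and ranges are hypothetical.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HQ-East",
    "10.20.0.0/16": "Branch-West",
    "10.20.30.0/24": "HQ-East",  # stale mapping left over from before a move
}
SITE_TO_DCS = {"HQ-East": ["DC-EAST1"], "Branch-West": ["DC-WEST1", "DC-WEST2"]}


def site_for_ip(ip, subnet_to_site=SUBNET_TO_SITE):
    """Return (site, subnet) for the most specific subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        # Longest prefix wins when several subnet objects contain the address.
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    return (best[0], str(best[1])) if best else (None, None)


def check_client(ip, logonserver, subnet_to_site=SUBNET_TO_SITE,
                 site_to_dcs=SITE_TO_DCS):
    """Compare the DC a client reports (LOGONSERVER) with the DCs of its site."""
    site, subnet = site_for_ip(ip, subnet_to_site)
    dc = logonserver.lstrip("\\").upper()  # LOGONSERVER looks like \\DC-NAME
    if site is None:
        # No subnet object covers this address, so the client has no site.
        status = "no-subnet-match"
    elif dc in site_to_dcs.get(site, []):
        status = "ok"
    else:
        status = "out-of-site-dc"
    return {"ip": ip, "site": site, "subnet": subnet, "dc": dc, "status": status}


if __name__ == "__main__":
    samples = [  # constructed (client IP, LOGONSERVER) pairs
        ("10.20.5.7", r"\\DC-EAST1"),
        ("10.20.5.7", r"\\dc-west2"),
        ("10.20.30.15", r"\\DC-EAST1"),
        ("192.168.1.5", r"\\DC-EAST1"),
    ]
    for ip, server in samples:
        print(check_client(ip, server))
```

The third sample reports "ok" only because the stale /24 still maps that range to the old site, so the subnet column is worth reading alongside the status.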
 