Logon Question


Bill

We have 4 sites with 2 DCs in each site, all with a copy of the GC on
them. I have noticed that a lot of the time, folks in sites will
authenticate to servers in other sites. I am not sure why this is happening,
as I have the subnets assigned to sites and the servers that they *should*
be logging onto in the correct sites. Is there any rhyme or reason to this
behavior, and how can I prevent this from happening?

TIA,
Bill
 
As you point out, so long as the subnets and sites are configured correctly
a client in the same subnet should authenticate against a local DC. If a
client thinks, for whatever reason, that it cannot access a local server it
will pick one at random from the domain-wide DC list in the SRV records in
DNS. One way to stop this occurring would be to manually delete all the
entries from the domain-wide list in DNS. In this case, clients at each site
would only ever be able to authenticate against DCs in the site-wide DC
list. You can weigh up yourself the risks and benefits associated with this.
First thing to do would be to have a dig around your DNS site-wide records
to ensure that each server is correctly registered in its proper site. You
can also run an nltest /dsgetsite on problem clients or DCs to verify what
site they think they are in.
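
The checks suggested in the reply above, as an added PowerShell example that is not part of the original thread: it compares the site the client reports, the site-specific and domain-wide SRV lists in DNS, and the site of the DC the locator actually returns. It assumes a domain-joined client with `nltest` and `Resolve-DnsName` available; the helper name `Get-DcSrvTarget` is hypothetical.

```powershell
# Added example; run on a client that keeps authenticating to a remote-site DC.
# Assumption: the AD DNS domain is the computer's own domain.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# 1. Site the client believes it is in (first line of nltest /dsgetsite output).
$out = nltest /dsgetsite 2>$null
if ($LASTEXITCODE -ne 0 -or -not $out) {
    Write-Warning 'Client has no site: check that its subnet is mapped to a site.'
    return
}
$site = @($out)[0].Trim()

# 2. SRV lists used by the DC locator: site-specific first, domain-wide as fallback.
function Get-DcSrvTarget([string]$Name) {   # hypothetical helper
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.ToLower() } |
        Sort-Object -Unique
}
$siteDcs   = @(Get-DcSrvTarget "_ldap._tcp.${site}._sites.dc._msdcs.${domain}")
$domainDcs = @(Get-DcSrvTarget "_ldap._tcp.dc._msdcs.${domain}")

# 3. DC the locator currently returns, and the site that DC reports.
$dcInfo = nltest /dsgetdc:$domain 2>$null
$dcName = ($dcInfo | Select-String 'DC:\s*\\\\(\S+)').Matches.Groups[1].Value
$dcSite = ($dcInfo | Select-String 'Dc Site Name:\s*(\S+)').Matches.Groups[1].Value

[pscustomobject]@{
    ClientSite     = $site
    SiteSrvDCs     = $siteDcs -join ', '
    DomainSrvCount = $domainDcs.Count
    LocatedDC      = $dcName
    LocatedDCSite  = $dcSite
} | Format-List

if ($siteDcs.Count -eq 0) {
    Write-Warning "No SRV records under site '$site': local DCs are not registered there."
} elseif ($dcSite -and $dcSite -ne $site) {
    Write-Warning "Located DC is in site '$dcSite', not '$site': local DCs may be unreachable."
}
```

An empty site-specific list points at DNS registration; a populated list with a DC located in another site points at reachability of the local DCs from that client.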
 