Author
14 Mar 2009 4:59 AM
VirtuallyNotHere
OK, so I can't believe it but I forget exactly how this works.  I have about
13 sites (only a couple people at most, some have only 1 person, and others
have maybe 3 -6, then one has about 16 users).

The 16 user site is also my DR site and I have Windows 2008 w Hyper-V
hosting a DC (2003), and other DR servers.

How does the login process work in terms of where will users login, to which
DC?  I thought it was dependent on network traffic, which one was available
for the request, etc.  However it seems like when someone bounced the dc at
the main office the other day no one could login.

There are 2 DCs total, one has all the roles and this is at the main office,
the network is a frame relay and all works fine (one app is slow), and aside
from that I am trying to determine which users login to which dc.  Is there
any way to see that and should the roles be split up?  Single domain, single
forest, etc.  Only about 200 users total and I can't put servers at any other
locations.

Author
14 Mar 2009 9:06 AM
michaelsourbron
Hello;

The client uses the DNS resource locators to find the domain controller in
your site, they are defined in Sites & Services with the correct placement of
DC in site and corresponding subnet given to the site.

To verify a secure channel or find the logon server, use the nltest
/sc_query command, for example:

nltest /sc_query:net.dom
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\netdc1.net.dom
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

Also check timesync issues and I would synchronize the virtual DC time to a
physical source, example a router or to the physical host.

Hope this helps

Michael Sourbron
Ordina.be



Author
14 Mar 2009 2:18 PM
Florian Frommherz [MVP]
Howdie!

VirtuallyNotHere wrote:
> How does the login process work in terms of where will users login, to which
> DC?  I thought it was dependent on network traffic, which one was available
> for the request, etc.  However it seems like when someone bounced the dc at
> the main office the other day no one could login.

The logon process is bound to DNS and the sites you configured using the
"Sites and Services" MMC snap-in. Make sure you have DNS set up
correctly (all clients have both DCs as their DNS sources!) and that the
network subnets match the subnets you have created in "Sites and
Services".

The locator process is explained here:
http://blogs.dirteam.com/blogs/jorge/archive/2007/07/02/dc-locator-process-in-w2k-w2k3-r2-and-w2k8-part-1.aspx

To test the currently "nearest" PC of a machine, check the nltest
command line utility.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Author
14 Mar 2009 2:24 PM
Isaac Oben [MCITP:EA, MCSE]
Hello VirtuallyNotHere,

The process works based on Service Location Resource records (SRV
records). Clients use SRV records based on priority to determine a domain
controller to authenticate with. The priority normally given to the DC with
lowest  and if that fails, then the DC next in priority should then be
used. Check your DNS server entries and make sure that both DCs have their
SRV records properly registered. Since you have many sites with no domain
controller, you may want to enable Auto Site Coverage as this will enable
your DCs to register site specific records that help clients find closest
domain controller. You can verify if you already have autosite coverage by
looking at the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AutoSiteCoverage,
which should have a value of 1.

Since you have only 2 DCs, one in main office and another in remote
location, my suggestion is that you leave all the FSMO roles as they are,
that is, on the DC in the main office.


Isaac

Author
14 Mar 2009 3:17 PM
Meinolf Weber [MVP-DS]
Hello VirtuallyNotHere,

See here about the DCLocator process:
http://blogs.dirteam.com/blogs/jorge/search.aspx?q=locator&p=1

Also make sure that AD sites and services is configured to reflect your physical
topology with the subnets belonging to the site and that the DC's are moved
to the correct site.

Also it will be a good idea to have a DNS/GC in each site, so that your clients
are able to logon if the WAN connection is down for whatever reason.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Author
16 Mar 2009 1:13 AM
Ace Fekay [Microsoft Certified Trainer]
In addition to the other fine responses, just as another reminder, Sites
control logon, authentication and replication traffic. If there is only one
DC in a Site, that DC will be the responding DC for users in a Site, and it
gets bounced, clients will be looking for it. Exchange and other directory
enabled apps will also suffer. BES servers will need to be rebooted after
the DC is back up. I'm not sure why the DC was rebooted, but we normally
save any DC reboots, changes, etc, after some sort of change management
request, then implementing it after hours.

That said, from what I can see so far regarding the DC being bounced may
indicate your AD Site definitions may not be set up right, or both of your
DCs are not GCs, which I didn't see provided in your original post.

Are both DCs GCs?
Are all 13 site IP subnets associated with the main site?  Can you elaborate
how they are configured?

You may want to consider adding DCs in some of your larger sites. I usually
go by the rule that a site with 10 or more users should have a DC. This
alleviates WAN authentication and logon traffic. They do not have to be large
fast servers. A used and inexpensive ($400 - $500) Dell 1850, or similar
"pizza box" (what I call 1U rack servers), can do wonders.

But more importantly, Site config and GC placement play a big role as
well.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
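
The checks suggested in the replies above (the nltest secure channel query, the SRV records, the site a client is placed in, and the AutoSiteCoverage value), collected into one script. This is an added example, not code from any poster in the thread. It assumes a domain-joined Windows machine with PowerShell 3.0 or later for Resolve-DnsName, which is newer than the systems discussed, and it reads the domain name from USERDNSDOMAIN.

```powershell
# Added example, not from the thread. Run on a domain-joined Windows client.
$domain = $env:USERDNSDOMAIN
"Logon server for this session: $env:LOGONSERVER"

# Site assigned to this machine from its subnet in Sites and Services.
try {
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
} catch {
    $site = $null
}
"Client site: $(if ($site) { $site } else { 'none found (check subnet-to-site mapping)' })"

# DC the locator returns now, then the secure channel check quoted in the thread.
nltest "/dsgetdc:$domain"
nltest "/sc_query:$domain"

# SRV records the locator uses, lowest priority value first.
function Get-DcSrv([string]$Name) {
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Priority, Weight, Port
}

$domainWide = @(Get-DcSrv "_ldap._tcp.dc._msdcs.$domain")
"Domain-wide DC records: $($domainWide.Count)"
$domainWide | Format-Table -AutoSize

if ($site) {
    $siteRecs = @(Get-DcSrv "_ldap._tcp.$($site)._sites.dc._msdcs.$domain")
    "Records for site '$site': $($siteRecs.Count)"
    $siteRecs | Format-Table -AutoSize
    if ($siteRecs.Count -eq 0) {
        Write-Warning "No site-specific records for '$site': no DC is placed in or covers this site."
    } elseif ($siteRecs.Count -eq 1) {
        Write-Warning "Only $($siteRecs[0].NameTarget) serves '$site'; if it is down, clients must find a DC through the domain-wide records."
    }
}

# On a DC only: the AutoSiteCoverage value mentioned in the thread.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$asc = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoSiteCoverage
"AutoSiteCoverage: $(if ($null -ne $asc) { $asc } else { 'not set in registry' })"
```

Running it from a client in each remote subnet shows which site that subnet maps to and which DCs are registered for it.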