AD Sites and Authentication

 
 
tkutil
04-06-2010

I just set up 3 remote sites all in one domain. I assumed that by setting up
sites, links, and subnets my authentication would be contained to the local
site, but I have computers authenticating to the remote sites. Should this be
happening?
 
Florian Frommherz [MVP]
04-06-2010
Howdie!

On 06.04.2010 16:22, tkutil wrote:
> I just set up 3 remote sites all in one domain. I assumed that by setting up
> sites, links, and subnets my authentication would be contained to the local
> site, but I have computers authenticating to the remote sites. Should this be
> happening?


It shouldn't happen if you have set up AD Sites and Services correctly.
Check whether you have associated the correct subnets with the correct
IP subnets and make sure DCs and clients are in the correct site.

Cheers,
Florian
 
tkutil
04-06-2010

Could it be because I have a DEFAULTIPSITELINK that has all the DCs in it? I
had already created site links for each site, but left the default in there
too.

Florian Frommherz
04-06-2010
Howdie!

On 06.04.2010 18:53, tkutil wrote:
> Could it be because I have a DEFAULTIPSITELINK that has all the DCs in it? I
> had already created site links for each site, but left the default in there
> too.


You can use the DEFAULTIPSITELINK alright. How many sites are there? Are
all DCs in the same site (hub site) or did you move them into the
correct sites?

Cheers,
Florian

 
Paul Bergson [MVP-DS]
04-07-2010
The DCs should go into the site for which they are to be providing
authentication. Also, as Florian pointed out, the subnets that the clients
are associated with should be defined in the Sites and Services container of the
respective site.

Sites and Services Best Practices
http://technet.microsoft.com/en-us/l...68(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
tkutil
04-07-2010
I have 4 sites with the respective controllers in each site. I have 4 subnets,
one for each site. I have a site link for site1 to site2, site1 to site3, and
site1 to site4.

I created the controllers on the network at my location and I believe added
them to the sites at that time. I shipped them to the remote sites and
changed the IP address for that site. Did I do anything wrong in this
process?

The other thing that troubles me is the subnet. I used 10.100.x.x/21 to
cover the IP ranges 0 - 7 at each location, for example 10.100.0.0/255.255.248.0.
Is it OK to do that or do I need to specify subnets 10.100.0.x/24,
10.100.1.x/24, ...?


Paul Bergson [MVP-DS]
04-07-2010
Have you opened up each site and verified that the proper DC is in
that site? If not, you should be able to move them simply enough.

You can use large ranges as you have defined, just make sure they don't
overlap.

Once you get the DCs in the proper sites you can verify that the subnets
are working as expected by inspecting the log on each DC:
start notepad.exe %systemroot%\Debug\Netlogon.log

This log will detail all clients that don't have a location by subnet
defined.

--
Paul Bergson
MVP - Directory Services
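The Netlogon.log check above can be done programmatically rather than by eyeballing Notepad. The following is an added example, not code from this thread or from Microsoft: it pulls the NO_CLIENT_SITE entries out of a (constructed) Netlogon.log excerpt, then tests each client address against a site-to-subnet table using the most-specific-prefix rule that AD site lookup applies, so what remains are the clients the table still does not cover. The log line format is an approximation of what these logs typically contain, and the hostnames, addresses and subnets are all made up for the example.

```python
# Added example (not from the thread): scan Netlogon.log for NO_CLIENT_SITE
# entries and check each client against a site-to-subnet table the way AD does
# (most specific matching subnet wins). Log lines and subnets are constructed.
import ipaddress
import re

# Constructed sample of %systemroot%\Debug\Netlogon.log. NO_CLIENT_SITE lines are
# assumed to look like "<MM/DD> <HH:MM:SS> NO_CLIENT_SITE: <client> <ip>", with
# newer DCs putting a bracketed category before the keyword. Names are made up.
SAMPLE_NETLOGON_LOG = """\
04/07 09:12:01 NO_CLIENT_SITE: WKS-SITE2-01 10.100.9.15
04/07 09:12:07 [MISC] NO_CLIENT_SITE: WKS-SITE2-02 10.100.9.16
04/07 09:13:44 NO_CLIENT_SITE: LAPTOP-77 192.168.50.8
04/07 09:14:02 NO_CLIENT_SITE: WKS-SITE2-01 10.100.9.15
04/07 09:14:30 NO_CLIENT_SITE: WKS-SITE3-09 10.100.17.40
04/07 09:15:10 [LOGON] SamLogon: Network logon of CORP\\jdoe from WKS-SITE1-03 Entered
"""

# Constructed site-to-subnet table in the thread's one-/21-per-site layout.
# Site2's block is deliberately missing so the report has something to flag;
# 10.100.17.40 was logged before Site3's subnet existed and is now covered.
SITE_SUBNETS = {
    "Site1": ["10.100.0.0/21"],
    "Site3": ["10.100.16.0/21"],
    "Site4": ["10.100.24.0/21"],
}

NO_SITE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d (?:\[\w+\] )?NO_CLIENT_SITE: (?P<host>\S+) (?P<ip>\S+)$"
)


def parse_no_client_site(log_text):
    """Return {ip_string: (hostname, hit_count)} for every NO_CLIENT_SITE line."""
    seen = {}
    for line in log_text.splitlines():
        m = NO_SITE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # tolerate a malformed address rather than abort the scan
        host, hits = seen.get(ip, (m["host"], 0))
        seen[ip] = (host, hits + 1)
    return seen


def site_for(ip_string, site_subnets):
    """Longest-prefix match over the configured subnets, as AD site lookup does.
    Returns (site_name, network) or (None, None) when nothing covers the address."""
    ip = ipaddress.ip_address(ip_string)
    best_site, best_net = None, None
    for site, cidrs in site_subnets.items():
        for net in map(ipaddress.ip_network, cidrs):
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_site, best_net = site, net
    return best_site, best_net


def unmapped_clients(log_text, site_subnets):
    """Clients the DC logged as siteless that are still not covered by the table."""
    return {
        ip: {"host": host, "hits": hits}
        for ip, (host, hits) in parse_no_client_site(log_text).items()
        if site_for(ip, site_subnets)[0] is None
    }


if __name__ == "__main__":
    for ip, info in unmapped_clients(SAMPLE_NETLOGON_LOG, SITE_SUBNETS).items():
        print(f"{ip:<16} {info['host']:<14} {info['hits']} hit(s): no AD subnet covers it")
```

Run against a real log, the output is the list of addresses you still need to add a subnet for; addresses that show up only from the time before a subnet was created drop out automatically, which is why the match is done against the current table rather than trusting the log's verdict. Addresses outside every site, such as the 192.168.50.8 laptop in the sample, are the ones to look at first, since they usually mean a VPN pool or a network nobody told the directory about.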
tkutil
04-07-2010
I have this error in the logs and can see all my clients connecting at remote
sites. I deleted and recreated my subnets to see if that fixes it. Just
guessing now.
NO_CLIENT_SITE

All of the correct DCs are in the correct SITES.

Thanks for the tip on the log file.

Paul Bergson [MVP-DS]
04-07-2010
I'm confused, do you still have problems or are you OK for now?

--
Paul Bergson
MVP - Directory Services
Ace Fekay [MVP-DS, MCT]
04-08-2010
"tkutil" <> wrote in message
news:F992F4C3-779F-44BE-83F3-...
>I have 4 sites with the repective controllers in each site. I have 4
>subnets,
> one for each site. I have a site link for site1 to site2, site1, site3,
> and
> site 1 to site4.
>
> I created the controllers on the network at my location and I believe
> added
> them to the sites at that time. I shipped them to the remote sites and
> changed the IP address for that site. Did I do anything wrong in this
> process.
>
> The other thing that troubles me is the subnet. I used 10.100.x.x/21 to
> cover the IP ranges 0 - 7 at each location, for example 10.100.0.0/255.255.248.0.
> Is it OK to do that or do I need to specify subnets 10.100.0.x/24,
> 10.100.1.x/24,...
>
>


The IP subnet block of an IP subnet ID of 10.100.0.0/21 (255.255.248.0) is
10.100.0.1 to 10.100.7.254. Does that describe each location?

What I am surmising is that you are trying to say you want the following IP
ranges using a /21 (255.255.248.0). However, it won't work. This is because
the /21 mask includes all of these networks in one subnet. You would need a
/24 (255.255.255.0) for each.

10.100.0.0 to 10.100.0.255
10.100.1.0 to 10.100.1.255
10.100.2.0 to 10.100.2.255
10.100.3.0 to 10.100.3.255
10.100.4.0 to 10.100.4.255
10.100.5.0 to 10.100.5.255
10.100.6.0 to 10.100.6.255
10.100.7.0 to 10.100.7.255

I think if this is how it is currently configured, it may explain why the
client has no site associated to it, because there is no random pick feature
with AD Site assignment.

And yes, I saw earlier that you have all the servers in the
Default-Site-Name. That is because when they were first promoted, they get
assigned to their appropriate site. However, if a DC is moved to a different
location with a different IP and in a different AD Site, or an IP is
changed, they must be dragged and dropped into their new AD Site.

I would also suggest making sure none of the DCs are multihomed, including
if RRAS and/or multiple IPs have been assigned. This also includes if the DC
has multiple NICs with one connected to a SAN for backup purposes. This is
problematic, and among the 50 other problems that crop up because of such a
configuration on a DC, a DC cannot be part of more than one AD Site, because
each IP configured will need to be part of one site or another. And if the
private or "other" IP is registered into DNS, and a client picks it up as a
genuine authenticating DC, it may not have a route to that subnet.

I hope that helps.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
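The subnet arithmetic in Ace's reply, and Paul's earlier warning that large ranges must not overlap, both come down to checks that are easy to get wrong by hand. The following is an added example, not code from the thread or from Microsoft: it computes the usable host range of a prefix (the 10.100.0.1 to 10.100.7.254 range above), lists the eight /24 blocks a /21 would have to be entered as if it were split, and flags any pair of configured subnets whose ranges intersect across sites. The site table is constructed for the example and includes one deliberately mistyped /24 so the overlap check has something to report.

```python
# Added example (not from the thread): sanity-check an AD site/subnet table.
# Shows the host range a prefix covers, flags subnets that overlap across sites,
# and lists the /24 blocks a /21 decomposes into. The table below is constructed.
import ipaddress
from itertools import combinations

# Constructed table: four sites on /21 blocks, plus one /24 entered by mistake
# under Site2 that actually lies inside Site1's /21.
SITE_TABLE = {
    "Site1": ["10.100.0.0/21"],
    "Site2": ["10.100.8.0/21", "10.100.4.0/24"],
    "Site3": ["10.100.16.0/21"],
    "Site4": ["10.100.24.0/21"],
}


def host_range(cidr):
    """First and last usable host address of a prefix (10.100.0.0/21 -> .0.1 .. .7.254)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def split_prefix(cidr, new_prefix):
    """The smaller blocks a prefix would be entered as if split (a /21 as eight /24s)."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def overlapping_subnets(site_table):
    """Every pair of configured subnets whose ranges intersect, with their sites.
    AD resolves a nested pair to the more specific prefix, but an overlap that
    spans two different sites usually means a typo in one of the entries."""
    entries = [
        (site, ipaddress.ip_network(cidr))
        for site, cidrs in site_table.items()
        for cidr in cidrs
    ]
    return [
        (site_a, str(net_a), site_b, str(net_b))
        for (site_a, net_a), (site_b, net_b) in combinations(entries, 2)
        if net_a.overlaps(net_b)
    ]


if __name__ == "__main__":
    print("10.100.0.0/21 usable hosts:", *host_range("10.100.0.0/21"))
    print("10.100.0.0/21 as /24s:", split_prefix("10.100.0.0/21", 24))
    for site_a, net_a, site_b, net_b in overlapping_subnets(SITE_TABLE):
        print(f"overlap: {net_a} ({site_a}) intersects {net_b} ({site_b})")
```

Whether a single /21 or eight /24s is the right entry depends on what is actually at the location: one entry per site is enough when the whole block lives there, and `overlapping_subnets` is the check to run after every edit to the table, since a client that matches a subnet filed under the wrong site will be steered to the wrong DC just as surely as one that matches nothing.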

 