
Logging into Active Directory sends traffic to the 'wrong' AD server

Status
Not open for further replies.

fabwhack

IS-IT--Management
Jan 20, 2008
21
GB
Hi guys & girls,

Our company has two main sites connected by a private WAN link. There are servers at both sites, including a couple of dozen Citrix servers.

Site A was originally the only site in the business, with site B coming online later. Site A has a dedicated Active Directory server. When site B was built, we added another 2003 server as an AD replica at the site and configured everything using AD Sites & Services.

The problem is that logging into Citrix servers at site B is noticeably slower than it is at site A, especially when the WAN link is busy. Running Wireshark on the AD server at site A, I can see it receiving and responding to requests when anyone logs into a server at site B, despite site B having its own AD server. If I look on the server I'm logging in to at site B, the environment variable LOGONSERVER is set to the name of the replica server at site B.

I've been through all the AD design docs I can find: the replica server is set as a global catalog server, Sites & Services looks fine with the correct subnets etc. I just can't figure out why logging into a Citrix server at site B needs to talk over the WAN to the AD server at site A. Can anyone help figure out what's going on?
 
You haven't mentioned how your Citrix zones (subnets) are set up. Do you have two Citrix zones set up, one for each of your subnets or just one (for site A only)?
 
Yes, we have two zones set up. However, I don't think this is a Citrix problem - we see the traffic on Site A's AD server even if we log in through RDP, or even at the server console.
 
...and your subnets are associated with the correct site in Active Directory Sites and Services?

Have you run "dcdiag" on your domain controller in site B?
 
Yeah, AD Sites and Services all looks fine. I've run DCDIAG on both DCs, everything checks out fine. I've also run NLTEST /dsgetdc:company.com from a server in site B, and it returns Site B's DC.
 
They're all pointed at a single DNS server running on a NetWare server. The server is AD-compatible and all AD DNS-related diags check out OK - i.e. if I do the nslookup check for _ldap._tcp.dc._msdcs.Domain_Name, there are records for both DCs.

 
I'm really not sure then. The next thing I'd look at is powering off your DC in site A to see if the site B DC will authenticate your users.
 
@Dublin73: Yeah, I think I'll try that this weekend. I've had a look at packets coming in and out of site B's DC, and it's definitely being hit by the 'client' - just some part of the login process is going over the WAN to site A.

@58sniper: Yes, site B's DC is set as a global catalog server.
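A site-affinity check that goes one step beyond the generic NLTEST and _msdcs lookups used in the thread, added here as an example and not code from any poster: it asks the DC locator for each role separately (LDAP, global catalog, KDC) and compares the answers with the site-specific SRV records DNS publishes, because the domain-wide _ldap._tcp.dc._msdcs record set lists both DCs even when the site-specific records for site B are missing. The domain name company.com and the site name SiteB are placeholders; nltest.exe and the DnsClient module (Resolve-DnsName) are assumed to be available on the machine running the check.

```powershell
# Added example (not from the thread): verify which DCs the locator and DNS
# return for one AD site, per role (LDAP, GC, KDC).
# Placeholders: domain "company.com", site "SiteB".
param(
    [string]$Domain = 'company.com',   # placeholder domain
    [string]$Site   = 'SiteB'          # placeholder AD site name
)

# 1. Where did this session authenticate? (same variable the poster checked)
"LOGONSERVER = $env:LOGONSERVER"

# 2. Ask the DC locator once per role; /force bypasses the cached answer.
foreach ($role in @('', '/gc', '/kdc')) {
    $nlArgs = @("/dsgetdc:$Domain", "/site:$Site", '/force')
    if ($role) { $nlArgs += $role }
    "`n--- nltest $($nlArgs -join ' ') ---"
    & nltest.exe @nlArgs 2>&1 |
        Where-Object { $_ -match '^\s*(DC|Address|Dom Name|Dc Site Name|Our Site Name|Flags):' }
}

# 3. Compare with what DNS publishes for the site. Each set should name the
#    site-B DC; an absent set means the locator falls back to the domain-wide
#    list, which can land on the site-A DC for that role.
$srvNames = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",      # site-specific DCs
    "_gc._tcp.$Site._sites.$Domain",                   # site-specific GCs (forest root name)
    "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"    # site-specific KDCs
)
foreach ($name in $srvNames) {
    "`n--- SRV $name ---"
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port, Priority, Weight |
            Format-Table -AutoSize
    } catch {
        "NOT FOUND: $($_.Exception.Message)"
    }
}
```

Run it from a server at site B; a role whose locator answer or SRV set points at the site-A DC is the part of logon crossing the WAN.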

 