Strange remote DC authentication problem.

In my office we have 3 DC's.

2 in house and 1 thats connected by VPN in a remote office.

The remote office is on another subnet.

The 3 DC's replicate AD information to eachother, but I want to prevent users on the local subnet here from authenticating to the DC thats located on the other side of the VPN.

When they do manage to authenticate to our VPN'd DC, the login process can take up to 10 min.

Does anyone have a suggestion or a fix I could look into?

Thanks

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

theseman

Is the VPN connected DC in another site?

sprkymrk

Like theseman mentioned, create a seperate site in AD Sites and Services based on the subnets. That should keep clients authenticating with the nearest DC.

mzgavc

thanks, i'll take a look into that

theseman

Heres a quick list of steps you need to perform to make a new site:

ADS&S
1)Create new Site
2)Drag & drop remote DC into new site
3)Create the 2 subnets and link them to the appropriate sites
4)Modify the default site-link and set the desired replication interval (inter-site)
5)Choose Bridgehead servers (one for each site) that will handle the replication between sites
6)Make sure the servers are in the correct subnet

*I think the shortest inter-site replication interval is 15 minutes, which could pose a problem if you want info to replicate after every change. However, you can force a replication.
**I can't really remember the best order to perform the above steps, a quick read on the procedure will clear that up for you.

Edit: You also need to choose the protocol used for inter-site replication... (2 choices, IP being the best)