Link to the blog post which I posted a few weeks before.
Recap of the issue I encountered
Using domain account A and logging in to the client machine 5 times, the logon server randomly hopped between 3 different domain controllers, including the local domain controller, which is the ideal one.
The impact is as follows:
1. Client machine boots up slowly. It took about 3 minutes before the logon screen appeared.
2. Slow login.
3. Random logon server, which affects logon scripts if you are using the %logonserver% variable.
(How do you know which logon server your machine is using? Open a command prompt, type "set" and look for LOGONSERVER; it indicates which server the client authenticated against.)
Troubleshooting steps I had done without finding the root cause
I went ahead and searched the Internet for a solution and tested the tools that were suggested, like dcdiag.exe and replmon.exe; everything passed and indicated that the local DC was fine.
On the client machine, the registry key that determines the site was also present.
Oh, not to mention that I had demoted and re-promoted the local DC, but the issue still persisted!
So, what can the issue be?
I read up on the boot sequence of Windows XP and how the machine locates the DC on the following websites, which helped me understand my issue and track down the root cause.
Do read them! Get to know the fundamentals, which I always stress when sharing knowledge with my folks.
Finding Root Cause of Client going to different DC for authentication
After reading so many websites, I started to realise that I had to go back and check the most important part of AD: the DNS.
If you read the links I recommended, you will notice that the client looks for a DC, but where? The link says something similar to the following:
You know <DOMAIN>.<Top-Level-Domain>, but how about <SITE>?
For those who have only a single site, it will be "Default-First-Site-Name". I will use a screenshot to show how to decipher the string _ldap._tcp.<SITE>._sites.dc._msdcs.<DOMAIN>.<Top-Level-Domain>
Can you understand what this string is pulling from the DNS?
It returns the _ldap SRV records that sit under "_tcp" for that site.
So, in my case, there should be only one pair of records in my site, one _kerberos and one _ldap, as I have one local DC in each of my sites.
The root cause of my client going to a different DC randomly for authentication was additional _kerberos and _ldap records under my particular site in my DNS, as shown below:
I had 3 pairs instead of 1 pair!
The solution is simple, but do take note that you have to remove those additional records from 3 different locations in the DNS in order to resolve the issue. The 3 locations are shown in the diagram below:
1. <Domain>.<TLD> => _msdcs => dc => _sites => <SITE> => _tcp
2. <Domain>.<TLD> => _sites => <SITE> => _tcp
3. <Domain>.<TLD> => DomainDnsZones => _sites => <SITE> => _tcp
After the additional records were removed from the 3 locations, the problem was resolved! The client machine now authenticates against the local DC rather than going to a random DC. 🙂
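As an added example (not from the original post), here is a Python script that parses the site-specific SRV answers a Windows nslookup returns, flags every target host other than the site's own DC, and lists the three DNS locations above where each stale record has to be deleted. The domain corp.example, the site name HQ and the host names in the sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed Windows nslookup output (hosts are made up), reproducing the
# symptom from the post: three _ldap SRV records under site HQ instead of one.
SAMPLE_NSLOOKUP = """\
_ldap._tcp.HQ._sites.dc._msdcs.corp.example    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc-hq.corp.example
_ldap._tcp.HQ._sites.dc._msdcs.corp.example    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc-branch1.corp.example
_ldap._tcp.HQ._sites.dc._msdcs.corp.example    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = old-dc-hq.corp.example
"""

# Matches the record name line and captures service, site and domain.
SRV_NAME = re.compile(r"^_(ldap|kerberos)\._tcp\.([^.]+)\._sites\.dc\._msdcs\.(\S+)\s+SRV")
TARGET = re.compile(r"svr hostname\s*=\s*(\S+)")

def parse_site_srv(text):
    """Return {site: [target hosts]} from site-specific SRV answers."""
    records, site = defaultdict(list), None
    for line in text.splitlines():
        m = SRV_NAME.match(line)
        if m:
            site = m.group(2)           # remember the site for the lines that follow
        elif site and (t := TARGET.search(line)):
            records[site].append(t.group(1).rstrip(".").lower())
    return dict(records)

def stale_targets(records, expected_dc_by_site):
    """Hosts registered under a site that are not that site's own DC; the
    client picks among all of them, which is the random hop seen in the post."""
    return {site: sorted(h for h in hosts if h != expected_dc_by_site[site].lower())
            for site, hosts in records.items()}

def cleanup_locations(domain, site):
    """The three DNS folders the post says each stale record must be removed from."""
    return [f"{domain} => _msdcs => dc => _sites => {site} => _tcp",
            f"{domain} => _sites => {site} => _tcp",
            f"{domain} => DomainDnsZones => _sites => {site} => _tcp"]
```

Feed it the real output of `nslookup -type=SRV _ldap._tcp.<SITE>._sites.dc._msdcs.<DOMAIN>.<TLD>` and your own site-to-DC map; anything reported by stale_targets is a record to remove from all three locations.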
Hope this blog helps you to resolve your issue!!
Note: This problem is common in AD infrastructures that have more than 1 physical site, after a DC has undergone a box replacement.
Once again, please read the links I recommended to get the fundamentals, as I have found them very useful when troubleshooting system issues (even GPO issues!).