Let me describe my situation.

I have five DCs in our network, a mix of 2008 R2 and 2012. One of them is unavailable at the moment, and it might take some time to resolve this issue. The other four DCs are online and are reachable from all workstations.

On certain workstations, when I try to ping my domain name it times out. When I check the IP address it has resolved to, it is the DC that is unavailable. To make it easier to picture, let me name the DCs and give them IP addresses.

DC1.xyz.com - 192.168.0.1
DC2.xyz.com - 192.168.1.1
DC3.xyz.com - 192.168.2.1
DC4.xyz.com - 192.168.3.1
DC5.xyz.com - 10.72.0.1

On most of the workstations, when I ping xyz.com, it resolves to 192.168.xx.xx and gets a reply. But in a few cases, it resolves to 10.72.0.1 and times out.

DC1, DC2, DC3 and DC4 are in one AD site and DC5 is in a different site, as it is in the cloud. My understanding is that since the cost to reach DC1, DC2, DC3 and DC4 is less, all workstations should resolve to their IP addresses unless they are unavailable.

My question is: why are workstations resolving to a DC that is in a different site and has a higher cost to reach? What effect will this issue have on workstations?

Thank you in advance. I will be very grateful if you guys can help me understand this.

HBruijn
Diwa
  • How much time do you estimate it's going to take to resolve this issue? I might suggest cleaning the failed DC out of AD and DNS altogether. Then build a new DC to replace the failed DC. – joeqwerty Dec 09 '15 at 15:48

2 Answers

Each of those IPs you have given is on a different subnet. Assuming each of the PCs you're pinging from uses its local router as the default gateway, this means that the router will likely have the DNS record for xyz.com set to a static IP address of whichever DC is on its subnet.

2 solutions, one long term and one a quick hack:

Long term - Move all the DCs behind a load balancer and give it an xyz.com address that resolves from each subnet. This way when one DC goes down, the load balancer should be able to deal with this and use the other 3 DCs.

Short term - Find out which subnet is routing to the broken DC. Access the default gateway for that subnet (likely the router the PCs are plugged in to). Change the address that xyz.com points at to one of the working DCs. This will increase the load though.

This seems like a good starting point. Determine if it's all the PCs on one subnet or one router that are going to the wrong DC. If that's the case, the problem is likely the routing table on the gateway.

Bizmark

That is the expected behavior. A straight DNS lookup will return ALL of the domain controllers that have their A record registered in DNS. Any client application that uses the Active Directory domain name needs to accommodate that scenario and compensate for domain controllers that are unavailable.

The site cost applies to the DC Locator process, not DNS lookups.

Greg Askew
  • Thanks. Will this issue have any impact on workstations that resolve to the unavailable DC? We use DFS namespaces heavily. Is there any workaround to avoid resolving to this DC for the time being, until the issue with the server is resolved? – Diwa Dec 09 '15 at 14:48
  • DFS should not be affected by the unavailability of a single server. That's the whole point of the "distributed" part. – Greg Askew Dec 09 '15 at 15:00
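To see the difference Greg describes between a plain DNS answer and the site-aware DC Locator, here is an added PowerShell example (not part of the question or either answer). It assumes the xyz.com domain and the DC addresses from the question, and a domain-joined Windows workstation with the DnsClient and ActiveDirectory (RSAT) modules installed.

```powershell
# Added example, not from the original post or answers. Assumes the domain
# name xyz.com and the DC addresses listed in the question; run on a
# domain-joined workstation with the DnsClient and ActiveDirectory modules.

# 1. A plain DNS query for the domain name returns every DC that has
#    registered an A record for it, in round-robin order. The unreachable
#    DC5 (10.72.0.1) is still in the answer set, because DNS knows nothing
#    about site cost or availability.
$domain = 'xyz.com'
$allDcAddresses = (Resolve-DnsName -Name $domain -Type A -DnsOnly).IPAddress
"$domain A records: $($allDcAddresses -join ', ')"

# 2. The DC Locator (what the workstation itself uses to find a DC) is
#    site-aware: it prefers DCs in the client's own site and skips DCs
#    that do not answer its LDAP ping.
$locator = Get-ADDomainController -Discover -DomainName $domain -ForceDiscover
"DC Locator chose: $($locator.HostName) ($($locator.IPv4Address)) in site $($locator.Site)"

# 3. Anything that talks to the bare domain name (ping, a script, an
#    application that does its own lookup) has to compensate itself:
#    try each returned address and skip the ones that do not accept an
#    LDAP (TCP 389) connection within a short timeout.
function Get-ReachableDc {
    param([string[]]$Addresses, [int]$Port = 389, [int]$TimeoutMs = 2000)
    foreach ($ip in $Addresses) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ip, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                return $ip                   # first DC that accepts an LDAP connection
            }
            Write-Verbose "$ip did not answer on port $Port within ${TimeoutMs}ms"
        } catch {
            Write-Verbose "$ip failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }
    throw "No DC in [$($Addresses -join ', ')] answered on port $Port"
}

"First reachable DC from the DNS answer set: $(Get-ReachableDc -Addresses $allDcAddresses)"
```

Run with -Verbose on a workstation that currently resolves xyz.com to 10.72.0.1 to see that address being skipped while the DC Locator still returns a same-site DC.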