Are you certain that you got the subnets correct? No duplicates or anything
like that? You made sure to not miss any?



I am in the same boat, where we have always had just one site. But we most
likely will be putting a couple of DCs at AWS, so a few months ago I tested
out breaking things into 2 sites and it went well.



Looking at my notes:

- Had to deal with firewalls at both ends and disable the Windows FW, which
  had been enabled on the DCs at AWS. Sounds like it’s not a factor for you.

- Made sure all DCs were global catalogs and DNS servers. (Not required for
  every single DC, but consider these services at each site.)

- Set replication interval appropriately. I think the default is still a
  large time increment.



Doesn’t seem like much help, but maybe it will turn on a lightbulb in your
head.
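A script to check the things the reply above lists (subnets that miss or nest into each other, subnets with no site, sites with no DC or no GC) before cutting over. This is an added example, not code from anyone on the thread; it uses the ActiveDirectory RSAT module, the helper names `ConvertTo-SubnetRange` and `Resolve-ClientSite` are my own, and the two client addresses at the end are constructed samples.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module
# and read access to the Configuration partition; IPv4 subnets only.
Import-Module ActiveDirectory

# Turn "a.b.c.d/n" into a numeric [Start, End] range so nesting can be tested.
function ConvertTo-SubnetRange {
    param([string]$Cidr, [string]$Site)
    $ip, $bits = $Cidr.Split('/')
    [int64]$addr = 0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $addr = $addr * 256 + $b }
    [int64]$size = [Math]::Pow(2, 32 - [int]$bits)   # addresses in the block
    $start = $addr - ($addr % $size)                  # normalise to the network address
    [pscustomobject]@{ Cidr = $Cidr; Bits = [int]$bits; Start = $start; End = $start + $size - 1; Site = $Site }
}

# Every IPv4 subnet object in the forest, with the DN of the site it is assigned to.
$ranges = Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { $_.Name -notmatch ':' } |
    ForEach-Object { ConvertTo-SubnetRange -Cidr $_.Name -Site $_.Site }

# The DC locator maps a client to the most specific (longest prefix) subnet containing it.
function Resolve-ClientSite {
    param([string]$ClientIp)
    $r   = ConvertTo-SubnetRange -Cidr "$ClientIp/32"
    $hit = $ranges | Where-Object { $_.Start -le $r.Start -and $r.Start -le $_.End } |
        Sort-Object Bits -Descending | Select-Object -First 1
    if ($hit) { "$ClientIp -> $($hit.Cidr) -> $($hit.Site)" }
    else      { "$ClientIp -> NO SUBNET MATCH (client will be siteless)" }
}

"== Subnets not assigned to any site =="
$ranges | Where-Object { -not $_.Site } | Select-Object Cidr

"== Nested subnets that resolve to different sites (review: the narrower one wins) =="
foreach ($a in $ranges) {
    foreach ($b in $ranges) {
        if ($a.Cidr -ne $b.Cidr -and $a.Start -le $b.Start -and $b.End -le $a.End -and $a.Site -ne $b.Site) {
            "{0} ({1}) contains {2} ({3})" -f $a.Cidr, $a.Site, $b.Cidr, $b.Site
        }
    }
}

"== Sites with no DC, or no global catalog, in this domain =="
$dcs = Get-ADDomainController -Filter *
foreach ($site in Get-ADReplicationSite -Filter *) {
    $inSite = $dcs | Where-Object Site -eq $site.Name
    if (-not $inSite) { "$($site.Name): NO DC"; continue }
    if (-not ($inSite | Where-Object IsGlobalCatalog)) { "$($site.Name): no global catalog" }
}

# Spot-check constructed sample client addresses against the subnet table.
'10.1.42.17', '192.168.250.9' | ForEach-Object { Resolve-ClientSite $_ }
```

Run it from a workstation with RSAT before and after the site change; a client address that prints NO SUBNET MATCH is one the locator will treat as siteless, and every building's ranges should resolve to the site you expect.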



*From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kennedy, Jim
*Sent:* Friday, March 18, 2016 11:04 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: Help a AD Sites Noob out.



No, no firewalls between the buildings and lans/subnets.  One big giant
happy family.



During this I could ping the DCs, I could RDP to them...



*From:* [email protected] [mailto:[email protected]] *On Behalf Of *Christopher Bodnar
*Sent:* Friday, March 18, 2016 11:02 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: Help a AD Sites Noob out.



I can believe that your replication broke, but for authentication to have
totally broken seems odd. If a client can’t find a DC to authenticate to in
its local site, it should keep going outside of its site until it can
contact a DC. As long as all the SRV records are in DNS and it has
connectivity to all those DCs, authentication should not have broken. Are
there firewall rules in place that limit a client to its local site?







*From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kennedy, Jim
*Sent:* Friday, March 18, 2016 9:11 AM
*To:* [email protected]
*Subject:* [NTSysADM] Help a AD Sites Noob out.



Never paid much attention to sites, but now I am going to.  I have 12
buildings with dedicated gig fiber back to one of them, where the data center
is housed.  Not a lot of traffic, 10 to 15 percent tops. So never worked
with sites to control replication or logon traffic.  But now I have a piece
of software that is doing a fair number of GC lookups and it would seem
that my desktops have decided over the years to all talk to one DC. There
are DCs in five of the buildings; the 7 smaller ones do not have one.



There are currently two all-encompassing subnets, in one site with all the
DCs in that site.



So yesterday I decided to make sites. Put in all the subnets for all the
buildings, created 5 sites each with at least one DC, and put the
appropriate subnets in those sites.



It went ugly really fast. Authentication broke enterprise wide, Exchange
couldn’t auth and stopped working.  For the most part if it involved auth
it broke.



Nuked the sites and subnets and moved it all back to two /16’s in one site
and in about 30 minutes all was well.



What did I do wrong?