How to force machines in an AD site to authenticate against a GC in their own site

Solution 1:

Actually we have found that group policies may also be pulled from a remote domain controller, which is much slower than the authentication. Even over a WAN link, the authentication during a logon should be relatively quick. Applying user group policies during a workstation logon would be noticeably slower, and machine group policies are re-applied every 90 minutes by default.

Some people have had success adjusting a registry setting called DNSAvoidRegisterRecords. Before investigating this, however, you should first verify that all of your domain and site DNS records and zones are correct and updating properly, that workstations are using their local AD DNS server, and that you don't have a configuration that could complicate this, such as a DC with multiple network cards. You should also set up a packet capture to confirm when and how often the remote DCs are being used, and to validate the result of any changes.

This behavior may be normal if the domain controller in the local site is unavailable or not responding; clients should attempt to use another DC. One thing you do not want is a configuration with only one DC available.

For a description of the DNS records that apply to domain controllers and global catalogs, see:

How to optimize the location of a domain controller or global catalog that reside in another site
http://support.microsoft.com/kb/306602

This can usually be accomplished by not registering some records and manually specifying other DC/GC-specific records with the desired priority. The DNS priority directs clients to use the lowest-priority SRV record for a DC/GC, unless the low-priority servers are not responding.

The following article describes a typical use of adjusting DNS weight and priority of SRV records for domain controllers:

http://technet.microsoft.com/en-us/library/cc787370%28WS.10%29.aspx
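The checks the answer recommends (look at the site-specific SRV records and their priority/weight, confirm which DC the locator actually hands out, and read the DNSAvoidRegisterRecords value on a DC) can be scripted. The following PowerShell is an added example and is not part of the answer above; it assumes a domain-joined Windows 8 / Server 2012 or later machine (for Resolve-DnsName and nltest), that the record names follow the layout documented in KB 306602, and that the domain and site names come from the environment rather than being hard-coded. The registry path and the mnemonic names in the comments are the standard Netlogon ones, not values taken from this page.

```powershell
# Added example, not from the answer above. Read-only: it reports what the
# client sees and what a DC has configured; it does not change anything.

function Get-SiteSrvRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS domain name, e.g. corp.example.com (placeholder)
        [Parameter(Mandatory)][string]$Site      # AD site name as shown by "nltest /dsgetsite"
    )
    # Site-specific records the locator tries first, then the domain-wide fallbacks.
    # Naming per KB 306602; the _gc records are registered under the forest root domain.
    $names = @(
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",      # LdapAtSite: DCs in this site
        "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain",  # KdcAtSite: KDCs in this site
        "_gc._tcp.$Site._sites.$Domain",                  # GcAtSite: GCs in this site
        "_ldap._tcp.dc._msdcs.$Domain",                   # Ldap: every DC in the domain
        "_gc._tcp.$Domain"                                # Gc: every GC in the forest
    )
    foreach ($name in $names) {
        # Resolve-DnsName also returns the targets' A records; keep only the SRV rows.
        Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{
                    Query    = $name
                    Target   = $_.NameTarget
                    Priority = $_.Priority   # lower wins; higher values are used only when lower ones fail
                    Weight   = $_.Weight     # load-balances among records of equal priority
                    Port     = $_.Port
                }
            }
    }
}

function Get-ClientDcSelection {
    param([Parameter(Mandatory)][string]$Domain)
    # Ask the DC locator the same way a logon does; /force bypasses the Netlogon cache.
    # Compare the "Dc Site Name" and "Our Site Name" lines: if they differ, the
    # client was mapped to a site but got a DC/GC from somewhere else.
    & nltest /dsgetdc:$Domain /gc /force 2>&1
    "LOGONSERVER at logon time: $env:LOGONSERVER"
}

function Get-DnsAvoidRegisterRecords {
    # Run on each DC. The REG_MULTI_SZ lists record mnemonics (Ldap, Gc, Kdc, ...)
    # that Netlogon will NOT register; the mnemonics are documented in KB 306602.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $item = Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    if ($item) { $item.DnsAvoidRegisterRecords } else { @() }   # empty = all records registered
}

# Usage: domain from the environment, site from the locator (no hard-coded names).
$domain = $env:USERDNSDOMAIN
$site   = (& nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Get-SiteSrvRecords -Domain $domain -Site $site |
    Sort-Object Query, Priority, Weight | Format-Table -AutoSize
Get-ClientDcSelection -Domain $domain
Get-DnsAvoidRegisterRecords
```

Run the first two functions on an affected client and the third on each DC. A site-specific query that returns no SRV rows, or rows whose Priority is no lower than the domain-wide fallback records, explains why the locator is willing to pick a remote DC; the packet capture the answer suggests then confirms which records the client is actually querying.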

Solution 2:

Do you have your sites and subnets setup correctly in the "Active Directory Sites and Services" Snap-in?

If you don't have sites set up, the machines will just round-robin authenticate against any server in the domain, since AD thinks all machines are in the same site.

Once you set up your sites and associate the subnets to them, this behavior will stop.


Since sites and services are set up correctly - the only reason you would be authing against a DC outside of your site would be if the client couldn't connect to a local DC.

I would:

  • Verify no firewalls are blocking the AD ports
  • Run dcdiag on the DCs
  • Run netdiag on the DCs
  • Check the Directory Services log for errors.
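The subnet-to-site check and the four troubleshooting steps above can be run from one PowerShell session. This is an added example, not the answer's own script; it assumes the RSAT ActiveDirectory module (Get-ADReplicationSubnet, Get-ADDomainController), the Windows 8 / Server 2012 or later networking cmdlets (Get-NetIPAddress, Test-NetConnection), dcdiag on the path, and rights to read the Directory Service event log on the DCs. netdiag is omitted because it is not shipped with current Windows versions; the port list is the usual set a logon needs and is an assumption, not taken from this page.

```powershell
# Added example, not from the answer above. Read-only diagnostics.

function ConvertTo-UInt32IP {
    param([string]$IPv4)
    # Big-endian pack of an IPv4 address into an integer for mask arithmetic.
    $acc = [int64]0
    foreach ($b in ([ipaddress]$IPv4).GetAddressBytes()) { $acc = ($acc -shl 8) -bor $b }
    return $acc
}

function Test-IPInSubnet {
    param([string]$IPAddress, [string]$Cidr)   # Cidr like 10.1.0.0/16 (IPv4 only)
    $net, $bits = $Cidr -split '/'
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((ConvertTo-UInt32IP $IPAddress) -band $mask) -eq ((ConvertTo-UInt32IP $net) -band $mask)
}

function Get-ClientSiteCheck {
    # Does an AD subnet object cover this client's IP, and does the locator agree?
    # No matching subnet = the "round robin against any DC" case in the answer.
    $locatorSite = (& nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
    $ips = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
    $subnets = Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' } | Select-Object Name, Site
    foreach ($ip in $ips) {
        $match = @($subnets | Where-Object { Test-IPInSubnet -IPAddress $ip -Cidr $_.Name })
        $subnetNames = if ($match) { $match.Name -join ',' } else { '(none: client may use any DC)' }
        # Site is a DN ("CN=Branch01,CN=Sites,..."); keep just the site name.
        $subnetSites = ($match | ForEach-Object { ($_.Site -split ',')[0] -replace '^CN=' }) -join ','
        [pscustomobject]@{ ClientIP = $ip; SubnetObject = $subnetNames; SubnetSite = $subnetSites; LocatorSite = $locatorSite }
    }
}

function Test-DcReachability {
    param([Parameter(Mandatory)][string]$Site)
    # Ports a client needs for logon/GPO against a DC or GC (assumed standard list).
    # A blocked port on every local DC is what pushes a client to a remote site.
    $ports = @{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; KPasswd = 464; LDAPS = 636; GC = 3268 }
    $dcs = Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $Site }
    foreach ($dc in $dcs) {
        foreach ($p in $ports.GetEnumerator()) {
            [pscustomobject]@{
                DC   = $dc.HostName
                Port = "$($p.Key)/$($p.Value)"
                Open = Test-NetConnection -ComputerName $dc.HostName -Port $p.Value -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
    }
}

function Get-DcHealth {
    param([Parameter(Mandatory)][string]$Site)
    # Steps 2 and 4 of the answer: dcdiag (errors only) and Directory Service log errors.
    foreach ($dc in (Get-ADDomainController -Filter * | Where-Object { $_.Site -eq $Site })) {
        "=== dcdiag on $($dc.HostName), errors only ==="
        & dcdiag /s:$($dc.HostName) /q
        "=== Directory Service log, recent critical/error events on $($dc.HostName) ==="
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2 } `
            -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
    }
}

# Usage: run on an affected client with the AD module loaded.
$site = (& nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
Get-ClientSiteCheck | Format-Table -AutoSize
Test-DcReachability -Site $site | Where-Object { -not $_.Open }   # only the blocked ports
Get-DcHealth -Site $site
```

If Get-ClientSiteCheck shows no SubnetObject for the client's IP, fix the subnet definition in Sites and Services before chasing firewalls; if the subnet and LocatorSite agree but Test-DcReachability lists closed ports on every DC in the site, the firewall bullet is the one to pursue.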