Slow Network Logon

Hello. I hope someone can help with the issues I have.
Im having problems with machines taking up to 20 minutes to logon to the
network, this does not affect all machines just random ones.(most machines)
We have used a network sniffer to look at the traffic from the client
machines and for some reason the client authenticates fine with the local
domain controller, and know which site it is in, but then goes off talking
to
other domain controllers around the world in other sites. Im not sure if
this
is when it is trying to pull down the group policy, does anyone know why
this
would happen?
Also if I ping my domain name the reply changes every so often, and its
always from a DC in another country site, if we add a host entry for the
local DC to the domain name it fixes the issues on some machines.
Also on almost all machine I get the error in the event log "The Security
System could not establish a secured connection with the server
DNS/blah.blah.blah.com. No authentication protocol was available."
What does this mean?

I know that's all a bit random so any help would be appreciated.

Thanks

"Anthony" <(E-Mail Removed)> wrote in message
news:uD%(E-Mail Removed)...
> Hello. I hope someone can help with the issues I have.
> Im having problems with machines taking up to 20 minutes to logon to the
> network, this does not affect all machines just random ones.(most
> machines)

Usually such problems are DNS related but taking "20 minutes" they would
usually just fail to authenticate (and logon) completely.

> We have used a network sniffer to look at the traffic from the client
> machines and for some reason the client authenticates fine with the local
> domain controller, and know which site it is in, but then goes off talking
> to
> other domain controllers around the world in other sites. Im not sure if
> this
> is when it is trying to pull down the group policy, does anyone know why
> this
> would happen?

Are you Sites specifically defined in AD Sites and Services? Are all DCs
located in the correct Site (in Sites and Services)?

Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?

Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
DNS which can resolve the DCs etc?

> Also if I ping my domain name the reply changes every so often, and its
> always from a DC in another country site, if we add a host entry for the
> local DC to the domain name it fixes the issues on some machines.

It sounds likely that you have not correctly defined your Sites, Subnets,
and/or located the DCs in the correct Sites.

> Also on almost all machine I get the error in the event log "The Security
> System could not establish a secured connection with the server
> DNS/blah.blah.blah.com. No authentication protocol was available."
> What does this mean?
>
> I know that's all a bit random so any help would be appreciated.
>
> Thanks

Hi, thanks for the quick response.
In response to your comments:

1)Usually such problems are DNS related but taking "20 minutes" they would
usually just fail to authenticate (and logon) completely.

The machines always authenticate with the correct DC.

2)Are you Sites specifically defined in AD Sites and Services? Are all DCs
located in the correct Site (in Sites and Services)?

Yes, all UK DCs are listed in the UK sites and services

3)Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?

BTINET Fails, im not sure what this is? that is the only test that does not
pass.

4)Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
DNS which can resolve the DCs etc?

Yes confirmed, the clients pick up the DNS from DHCP.

5)It sounds likely that you have not correctly defined your Sites, Subnets,
and/or located the DCs in the correct Sites.
Point noted, the problem I have is a lot of this is managed in india, and
the staff dont really have a clue, im looking to give them some pointers to
check. I also suspect there is an issue with sites&subnets. But the local
client seems to pick all the correct info. Maybe something else is going on
in the backround? Could it be down to the group policy not coming from the
local site DC perhaps?


thanks again for your reply





"Herb Martin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Anthony" <(E-Mail Removed)> wrote in message
> news:uD%(E-Mail Removed)...
>> Hello. I hope someone can help with the issues I have.
>> Im having problems with machines taking up to 20 minutes to logon to the
>> network, this does not affect all machines just random ones.(most
>> machines)
>
> Usually such problems are DNS related but taking "20 minutes" they would
> usually just fail to authenticate (and logon) completely.
>
>> We have used a network sniffer to look at the traffic from the client
>> machines and for some reason the client authenticates fine with the local
>> domain controller, and know which site it is in, but then goes off
>> talking to
>> other domain controllers around the world in other sites. Im not sure if
>> this
>> is when it is trying to pull down the group policy, does anyone know why
>> this
>> would happen?
>
> Are you Sites specifically defined in AD Sites and Services? Are all DCs
> located in the correct Site (in Sites and Services)?
>
> Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?
>
> Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
> DNS which can resolve the DCs etc?
>
>> Also if I ping my domain name the reply changes every so often, and its
>> always from a DC in another country site, if we add a host entry for the
>> local DC to the domain name it fixes the issues on some machines.
>
> It sounds likely that you have not correctly defined your Sites, Subnets,
> and/or located the DCs in the correct Sites.
>
>> Also on almost all machine I get the error in the event log "The Security
>> System could not establish a secured connection with the server
>> DNS/blah.blah.blah.com. No authentication protocol was available."
>> What does this mean?
>>
>> I know that's all a bit random so any help would be appreciated.
>>
>> Thanks
>
>

The last time we saw this the poster had added the country extension to the
domain controller name as in:

myserver.com.au

instead of myserver.local or myserver.lan

Made quite a mess, and only one of our AU MVP's could figure it out.

Please post the results of the following command:

ipconfig /all > c:\iptest.txt

from both the server and a workstation. Please tell us which is which, and
there is no need to change anything if you really want assistance with this,
but you could add some random characters to the server/domain name if you
are worried about bots or zombies picking it up.

as in M*I*C*R*0*S*TdotC*O*M

--
Larry

Please post the resolution to
your issue so that all can benefit.


"Anthony" <(E-Mail Removed)> wrote in message
news:uD%(E-Mail Removed)...
> Hello. I hope someone can help with the issues I have.
> Im having problems with machines taking up to 20 minutes to logon to the
> network, this does not affect all machines just random ones.(most
> machines)
> We have used a network sniffer to look at the traffic from the client
> machines and for some reason the client authenticates fine with the local
> domain controller, and know which site it is in, but then goes off talking
> to
> other domain controllers around the world in other sites. Im not sure if
> this
> is when it is trying to pull down the group policy, does anyone know why
> this
> would happen?
> Also if I ping my domain name the reply changes every so often, and its
> always from a DC in another country site, if we add a host entry for the
> local DC to the domain name it fixes the issues on some machines.
> Also on almost all machine I get the error in the event log "The Security
> System could not establish a secured connection with the server
> DNS/blah.blah.blah.com. No authentication protocol was available."
> What does this mean?
>
> I know that's all a bit random so any help would be appreciated.
>
> Thanks

I will check that tomorrow

One other thing I should point out is once I enter the login details the
machine usually sits at "applying computer settings" or "Applying network
settings" for ages (thats where the delay is)

thanks



"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
news:u$(E-Mail Removed)...
> The last time we saw this the poster had added the country extension to
> the domain controller name as in:
>
> myserver.com.au
>
> instead of myserver.local or myserver.lan
>
> Made quite a mess, and only one of our AU MVP's could figure it out.
>
> Please post the results of the following command:
>
> ipconfig /all > c:\iptest.txt
>
> from both the server and a workstation. Please tell us which is which,
> and there is no need to change anything if you really want assistance with
> this, but you could add some random characters to the server/domain name
> if you are worried about bots or zombies picking it up.
>
> as in M*I*C*R*0*S*TdotC*O*M
>
> --
> Larry
>
> Please post the resolution to
> your issue so that all can benefit.
>
>
> "Anthony" <(E-Mail Removed)> wrote in message
> news:uD%(E-Mail Removed)...
>> Hello. I hope someone can help with the issues I have.
>> Im having problems with machines taking up to 20 minutes to logon to the
>> network, this does not affect all machines just random ones.(most
>> machines)
>> We have used a network sniffer to look at the traffic from the client
>> machines and for some reason the client authenticates fine with the local
>> domain controller, and know which site it is in, but then goes off
>> talking to
>> other domain controllers around the world in other sites. Im not sure if
>> this
>> is when it is trying to pull down the group policy, does anyone know why
>> this
>> would happen?
>> Also if I ping my domain name the reply changes every so often, and its
>> always from a DC in another country site, if we add a host entry for the
>> local DC to the domain name it fixes the issues on some machines.
>> Also on almost all machine I get the error in the event log "The Security
>> System could not establish a secured connection with the server
>> DNS/blah.blah.blah.com. No authentication protocol was available."
>> What does this mean?
>>
>> I know that's all a bit random so any help would be appreciated.
>>
>> Thanks
>
>

Was I 'the AU MVP' that picked up on that error?

The basic premise is that the OP did a silly thing, named his AD in relation
to his public DNS name space. There is no reason, and some good reasons not,
to do so. If the installation is new and not yet fully committed to I'd
start with 'format C:' and rectify the error by putting the server into its
own namespace. If the install has been committed to I would discuss the pros
and cons with the owner and _most probably_ 'format C:' but maybe 'work
around' the problem.

BTW: This is not an 'SBS' thing, it is 'pure AD + DNS'. There is _no reason_
for your AD DNS name to reflect public records and anyone who wants to argue
this point should 1st consider that I have had this argument with the
highest levels of MS AD design. The argument was not 'conclusive' in that
'we agreed to disagree' on a couple of things which can be done under either
model, naturally working in one and easily worked around in the other.

The problem occurs because people approach it a$$backwards. They ask
themselves 'Why should I create a new DNS domain when I have one which
already exists publicly', the question they should be asking is 'I am
implementing a DNS zone for my own personal use, is there any reason why
this should in any way relate to public records'. The answer is almost
always 'NO'.

The problem won't exist in Cougar. SBS Dev have recognised the need to
address this and without special effort it will be impossible to name your
AD in relation to public DNS. People wishing to do so will _have to_ edit a
file in order to allow it. SBS Dev are smarter than MS Dev.

"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
news:u$(E-Mail Removed)...
> The last time we saw this the poster had added the country extension to
> the domain controller name as in:
>
> myserver.com.au
>
> instead of myserver.local or myserver.lan
>
> Made quite a mess, and only one of our AU MVP's could figure it out.
>
> Please post the results of the following command:
>
> ipconfig /all > c:\iptest.txt
>
> from both the server and a workstation. Please tell us which is which,
> and there is no need to change anything if you really want assistance with
> this, but you could add some random characters to the server/domain name
> if you are worried about bots or zombies picking it up.
>
> as in M*I*C*R*0*S*TdotC*O*M
>
> --
> Larry
>
> Please post the resolution to
> your issue so that all can benefit.
>
>
> "Anthony" <(E-Mail Removed)> wrote in message
> news:uD%(E-Mail Removed)...
>> Hello. I hope someone can help with the issues I have.
>> Im having problems with machines taking up to 20 minutes to logon to the
>> network, this does not affect all machines just random ones.(most
>> machines)
>> We have used a network sniffer to look at the traffic from the client
>> machines and for some reason the client authenticates fine with the local
>> domain controller, and know which site it is in, but then goes off
>> talking to
>> other domain controllers around the world in other sites. Im not sure if
>> this
>> is when it is trying to pull down the group policy, does anyone know why
>> this
>> would happen?
>> Also if I ping my domain name the reply changes every so often, and its
>> always from a DC in another country site, if we add a host entry for the
>> local DC to the domain name it fixes the issues on some machines.
>> Also on almost all machine I get the error in the event log "The Security
>> System could not establish a secured connection with the server
>> DNS/blah.blah.blah.com. No authentication protocol was available."
>> What does this mean?
>>
>> I know that's all a bit random so any help would be appreciated.
>>
>> Thanks
>
>

That be you.

I remember because I was floundering not knowing what the strange looking
domain name meant

Don't think I remember the resolution though. FandR (Flatten and Reinstall)
comes to mind.

--
Larry

Please post the resolution to
your issue so that all can benefit.


"SuperGumby [SBS MVP]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Was I 'the AU MVP' that picked up on that error?
>
> The basic premise is that the OP did a silly thing, named his AD in
> relation to his public DNS name space. There is no reason, and some good
> reasons not, to do so. If the installation is new and not yet fully
> committed to I'd start with 'format C:' and rectify the error by putting
> the server into its own namespace. If the install has been committed to I
> would discuss the pros and cons with the owner and _most probably_ 'format
> C:' but maybe 'work around' the problem.
>
> BTW: This is not an 'SBS' thing, it is 'pure AD + DNS'. There is _no
> reason_ for your AD DNS name to reflect public records and anyone who
> wants to argue this point should 1st consider that I have had this
> argument with the highest levels of MS AD design. The argument was not
> 'conclusive' in that 'we agreed to disagree' on a couple of things which
> can be done under either model, naturally working in one and easily worked
> around in the other.
>
> The problem occurs because people approach it a$$backwards. They ask
> themselves 'Why should I create a new DNS domain when I have one which
> already exists publicly', the question they should be asking is 'I am
> implementing a DNS zone for my own personal use, is there any reason why
> this should in any way relate to public records'. The answer is almost
> always 'NO'.
>
> The problem won't exist in Cougar. SBS Dev have recognised the need to
> address this and without special effort it will be impossible to name your
> AD in relation to public DNS. People wishing to do so will _have to_ edit
> a file in order to allow it. SBS Dev are smarter than MS Dev.
>
> "Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
> news:u$(E-Mail Removed)...
>> The last time we saw this the poster had added the country extension to
>> the domain controller name as in:
>>
>> myserver.com.au
>>
>> instead of myserver.local or myserver.lan
>>
>> Made quite a mess, and only one of our AU MVP's could figure it out.
>>
>> Please post the results of the following command:
>>
>> ipconfig /all > c:\iptest.txt
>>
>> from both the server and a workstation. Please tell us which is which,
>> and there is no need to change anything if you really want assistance
>> with this, but you could add some random characters to the server/domain
>> name if you are worried about bots or zombies picking it up.
>>
>> as in M*I*C*R*0*S*TdotC*O*M
>>
>> --
>> Larry
>>
>> Please post the resolution to
>> your issue so that all can benefit.
>>
>>
>> "Anthony" <(E-Mail Removed)> wrote in message
>> news:uD%(E-Mail Removed)...
>>> Hello. I hope someone can help with the issues I have.
>>> Im having problems with machines taking up to 20 minutes to logon to the
>>> network, this does not affect all machines just random ones.(most
>>> machines)
>>> We have used a network sniffer to look at the traffic from the client
>>> machines and for some reason the client authenticates fine with the
>>> local
>>> domain controller, and know which site it is in, but then goes off
>>> talking to
>>> other domain controllers around the world in other sites. Im not sure if
>>> this
>>> is when it is trying to pull down the group policy, does anyone know why
>>> this
>>> would happen?
>>> Also if I ping my domain name the reply changes every so often, and its
>>> always from a DC in another country site, if we add a host entry for the
>>> local DC to the domain name it fixes the issues on some machines.
>>> Also on almost all machine I get the error in the event log "The
>>> Security
>>> System could not establish a secured connection with the server
>>> DNS/blah.blah.blah.com. No authentication protocol was available."
>>> What does this mean?
>>>
>>> I know that's all a bit random so any help would be appreciated.
>>>
>>> Thanks
>>
>>
>
>

FandR should only happen if it's convenient to fix this _basic error_.
Workarounds work (umm, around the issue).

"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
news:umn5A%(E-Mail Removed)...
> That be you.
>
> I remember because I was floundering not knowing what the strange looking
> domain name meant
>
> Don't think I remember the resolution though. FandR (Flatten and
> Reinstall) comes to mind.
>
> --
> Larry
>
> Please post the resolution to
> your issue so that all can benefit.
>
>
> "SuperGumby [SBS MVP]" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Was I 'the AU MVP' that picked up on that error?
>>
>> The basic premise is that the OP did a silly thing, named his AD in
>> relation to his public DNS name space. There is no reason, and some good
>> reasons not, to do so. If the installation is new and not yet fully
>> committed to I'd start with 'format C:' and rectify the error by putting
>> the server into its own namespace. If the install has been committed to I
>> would discuss the pros and cons with the owner and _most probably_
>> 'format C:' but maybe 'work around' the problem.
>>
>> BTW: This is not an 'SBS' thing, it is 'pure AD + DNS'. There is _no
>> reason_ for your AD DNS name to reflect public records and anyone who
>> wants to argue this point should 1st consider that I have had this
>> argument with the highest levels of MS AD design. The argument was not
>> 'conclusive' in that 'we agreed to disagree' on a couple of things which
>> can be done under either model, naturally working in one and easily
>> worked around in the other.
>>
>> The problem occurs because people approach it a$$backwards. They ask
>> themselves 'Why should I create a new DNS domain when I have one which
>> already exists publicly', the question they should be asking is 'I am
>> implementing a DNS zone for my own personal use, is there any reason why
>> this should in any way relate to public records'. The answer is almost
>> always 'NO'.
>>
>> The problem won't exist in Cougar. SBS Dev have recognised the need to
>> address this and without special effort it will be impossible to name
>> your AD in relation to public DNS. People wishing to do so will _have to_
>> edit a file in order to allow it. SBS Dev are smarter than MS Dev.
>>
>> "Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
>> message news:u$(E-Mail Removed)...
>>> The last time we saw this the poster had added the country extension to
>>> the domain controller name as in:
>>>
>>> myserver.com.au
>>>
>>> instead of myserver.local or myserver.lan
>>>
>>> Made quite a mess, and only one of our AU MVP's could figure it out.
>>>
>>> Please post the results of the following command:
>>>
>>> ipconfig /all > c:\iptest.txt
>>>
>>> from both the server and a workstation. Please tell us which is which,
>>> and there is no need to change anything if you really want assistance
>>> with this, but you could add some random characters to the server/domain
>>> name if you are worried about bots or zombies picking it up.
>>>
>>> as in M*I*C*R*0*S*TdotC*O*M
>>>
>>> --
>>> Larry
>>>
>>> Please post the resolution to
>>> your issue so that all can benefit.
>>>
>>>
>>> "Anthony" <(E-Mail Removed)> wrote in message
>>> news:uD%(E-Mail Removed)...
>>>> Hello. I hope someone can help with the issues I have.
>>>> Im having problems with machines taking up to 20 minutes to logon to
>>>> the
>>>> network, this does not affect all machines just random ones.(most
>>>> machines)
>>>> We have used a network sniffer to look at the traffic from the client
>>>> machines and for some reason the client authenticates fine with the
>>>> local
>>>> domain controller, and know which site it is in, but then goes off
>>>> talking to
>>>> other domain controllers around the world in other sites. Im not sure
>>>> if this
>>>> is when it is trying to pull down the group policy, does anyone know
>>>> why this
>>>> would happen?
>>>> Also if I ping my domain name the reply changes every so often, and its
>>>> always from a DC in another country site, if we add a host entry for
>>>> the
>>>> local DC to the domain name it fixes the issues on some machines.
>>>> Also on almost all machine I get the error in the event log "The
>>>> Security
>>>> System could not establish a secured connection with the server
>>>> DNS/blah.blah.blah.com. No authentication protocol was available."
>>>> What does this mean?
>>>>
>>>> I know that's all a bit random so any help would be appreciated.
>>>>
>>>> Thanks
>>>
>>>
>>
>>
>
>

Read inline please.

In news:uD%(E-Mail Removed),
Anthony <(E-Mail Removed)> typed:
> Hello. I hope someone can help with the issues I have.
> Im having problems with machines taking up to 20 minutes to logon to
> the network, this does not affect all machines just random ones.(most
> machines) We have used a network sniffer to look at the traffic from
> the client machines and for some reason the client authenticates fine
> with the local domain controller, and know which site it is in, but
> then goes off talking to
> other domain controllers around the world in other sites. Im not sure
> if this
> is when it is trying to pull down the group policy, does anyone know
> why this
> would happen?
> Also if I ping my domain name the reply changes every so often, and
> its always from a DC in another country site, if we add a host entry
> for the local DC to the domain name it fixes the issues on some
> machines.
> Also on almost all machine I get the error in the event log "The
> Security System could not establish a secured connection with the
> server DNS/blah.blah.blah.com. No authentication protocol was
> available."
> What does this mean?

Is blah.blah.blah.com your internal domain name?
If not, it probably means you are using some external DNS in TCP/IP
properties and the machine is trying to register its addresses in it.
It could also mean that the time is out of sync with the server.





--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

I didn't notice before but you have FAR too many unrelated newsgroups
copied for this post -- we ENCOURAGE reasoanble Crossposting like
this for RELEVANT groups but don't get carried away. Even the ones
I left copied are probably too many.

"Anthony" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 5)It sounds likely that you have not correctly defined your Sites,
> Subnets,
> and/or located the DCs in the correct Sites.
> Point noted, the problem I have is a lot of this is managed in india, and
> the staff dont really have a clue, im looking to give them some pointers
> to check.

The simplest was the DCDiag stuff -- and you should get that from EACH
DC not just one or two (if there are more.)

> I also suspect there is an issue with sites&subnets. But the local client
> seems to pick all the correct info. Maybe something else is going on in
> the backround? Could it be down to the group policy not coming from the
> local site DC perhaps?

No. The DC which does the authentication will provide the GPOs too.

You need to logon to the AD Sites and Service YOURSELF -- it is difficult
enough for us to help you from a description but when you say that you are
also working through a description provided by other admins who skills you
don't seem to trust then we have very little chance of helping you quickly.

Get us a complete (UNEDITED) "IPConfig /all" from a broken client, and
DC and from a working client if possible.

Tools like NLTest may help but you must be reasonably skilled to use them
and that would be difficult for us to describe for you to describe to
someone
else.

You stand a 99% chance of finding out that it is one of these:

DCs aren't in correct sites
Sites aren't correctly defined (with subnets)
DCs are not register in DNS properly
DNS Clients (includes DCs) are not using STRICTLY the internal DNS

Also possible are firewall issues and MAYBE "time" synchronization.

Given that you are dealing with "India" maybe I should elevate that to a
higher probability.

A common problem for naive admins with (international) time problems is
to change the TIME instead of the TIME ZONE.

Make sure all machines have the correct UNIVERSAL TIME and that
they arrange to DISPLAY the time correctly by adjusting the time ZONE
and not by changing the time.

Many admins messed this up last year by changing the TIME on 'unpatched'
computers that didn't have the latest timezone/daylight savings updates.

Time must be within 5 minutes for a client to authenticate with a DC (by
default.)

> thanks again for your reply
>
>
>
>
>
> "Herb Martin" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> "Anthony" <(E-Mail Removed)> wrote in message
>> news:uD%(E-Mail Removed)...
>>> Hello. I hope someone can help with the issues I have.
>>> Im having problems with machines taking up to 20 minutes to logon to the
>>> network, this does not affect all machines just random ones.(most
>>> machines)
>>
>> Usually such problems are DNS related but taking "20 minutes" they would
>> usually just fail to authenticate (and logon) completely.
>>
>>> We have used a network sniffer to look at the traffic from the client
>>> machines and for some reason the client authenticates fine with the
>>> local
>>> domain controller, and know which site it is in, but then goes off
>>> talking to
>>> other domain controllers around the world in other sites. Im not sure if
>>> this
>>> is when it is trying to pull down the group policy, does anyone know why
>>> this
>>> would happen?
>>
>> Are you Sites specifically defined in AD Sites and Services? Are all DCs
>> located in the correct Site (in Sites and Services)?
>>
>> Does every DC pass a full "dcdiag" with NO "FAIL" or "WARN" messages?
>>
>> Do both the clients and servers (esp. DCs) use ONLY the INTERNAL
>> DNS which can resolve the DCs etc?
>>
>>> Also if I ping my domain name the reply changes every so often, and its
>>> always from a DC in another country site, if we add a host entry for the
>>> local DC to the domain name it fixes the issues on some machines.
>>
>> It sounds likely that you have not correctly defined your Sites, Subnets,
>> and/or located the DCs in the correct Sites.
>>
>>> Also on almost all machine I get the error in the event log "The
>>> Security
>>> System could not establish a secured connection with the server
>>> DNS/blah.blah.blah.com. No authentication protocol was available."
>>> What does this mean?
>>>
>>> I know that's all a bit random so any help would be appreciated.
>>>
>>> Thanks
>>
>>