
SSO in VCSA 5.5, advice on connecting to AD.


Hi guys, I am going to try and explain this situation as best as I can. Ideally what I am after is a way to force the VCSA to connect and associate all Active Directory traffic to a small subset of domain controllers.

To explain the situation:
I work for a company with multiple domains in an Active Directory forest. This forest makes up a large number of subnets.

I have a VCSA 5.5 and am having trouble with AD authentication, and from what I can tell there are a number of problems with the way SSO is implemented.

The VCSA performs a DNS query on the domain, such as domain.local. This is completely expected, but:

From a Windows PC connected to the domain, run nslookup domain.local

In our domain this lists all of the domain controllers, of which there are many.

So running the command looks like this:

nslookup domain.local
server: DNS.domain.local
address: 192.168.1.1

name: domain.local
address: 192.168.1.1
         192.168.2.1
         192.168.3.1
         ...

Now, from the VCSA command line, pinging domain.local, what you will see is that DNS will return a round robin of the IP addresses.

First time running ping: 192.168.1.1
Second time running ping: 192.168.2.1
Third time running ping: 192.168.3.1
....

In our case, of the IP addresses returned, only 2 DCs in the list could actually be contacted by the VLAN the VCSA is on.

However, SSO does not allow me to specify that all traffic be sent only to a single domain controller; it just uses the list provided by an nslookup on the domain.

Do you guys have any advice? I'm sure I am not the only one experiencing this problem.
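
An added example, not part of the original post and not VMware code: a small check that lists every address DNS returns for the domain name and shows which of those domain controllers actually answer from the network the check runs on. It assumes Python 3 on a host in the same VLAN as the VCSA, and it treats a DC as reachable only if the standard Kerberos (88) and LDAP (389) ports both accept a TCP connection; the function names and the sample probe are hypothetical.

```python
import socket
import sys

# Standard AD service ports; requiring both is this example's assumption.
AD_PORTS = {"kerberos": 88, "ldap": 389}

def resolve_all(name):
    """Return every distinct IPv4 address DNS returns for `name`."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(addresses, probe=tcp_open, ports=AD_PORTS):
    """Split addresses into (reachable list, {unreachable ip: [failed services]})."""
    reachable, unreachable = [], {}
    for ip in addresses:
        failed = [svc for svc, port in ports.items() if not probe(ip, port)]
        if failed:
            unreachable[ip] = failed
        else:
            reachable.append(ip)
    return reachable, unreachable

# Constructed sample: the three addresses shown in the post, with a stand-in
# probe in which only the first two answer (no network traffic is sent).
SAMPLE_ADDRESSES = ["192.168.1.1", "192.168.2.1", "192.168.3.1"]

def sample_probe(ip, port):
    return ip in ("192.168.1.1", "192.168.2.1")

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: pass the AD domain name as the argument
        addrs, probe = resolve_all(sys.argv[1]), tcp_open
    else:                   # offline demo on the constructed sample
        addrs, probe = SAMPLE_ADDRESSES, sample_probe
    ok, bad = classify(addrs, probe)
    print("reachable:", ", ".join(ok) or "none")
    for ip, failed in bad.items():
        print("unreachable:", ip, "failed:", ", ".join(failed))
```

Run without arguments it uses the constructed sample; run with the domain name it resolves and probes the real addresses.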

