We have an Enterprise Root CA running on a 2008 R2 Enterprise machine. I noticed an oddity that raises a question. We have two DCs on the local network. They hold all the FSMO roles between them. They are the primary and secondary DNS servers for the server hosting the CA. One of the (based on %LOGINSERVER%) is processing authentication for the login console on the CA host. When I first logged in and loaded the Certificate Templates Console, it connects to DC server in the MPLS cloud on the other side of the country. I CAN home the Certificates Templates Console on one of the local DCs manually, but if I try to go back to "Default Writable Domain Controller" is always homes back on the server out west. To be clear, either way, it works fine. If I am connected to the remote server for template management, I have to wait for (or force) replication for the local CA to be able to actually use the modified certiticate template, but otherwise, it works as expected. My question becomes, what determines "Default Writable Domain Controller"? All the sites are correctly defined. Replication is working as designed. Why would my local server EVER connect to a server on the other side of a "slow" link when there's a DC setting on the same network (presumably zero cost)? I'm moderately concerned that there is something amiss in the configuration that I haven't found, and that this is an innocuous symptom of the problem.