Solved

Domain Controller replication problems

Posted on 2009-07-01
11
322 Views
Last Modified: 2012-05-07
We have two domain controllers at our company. They are nearly identical machines, and running Windows Server 2003. We have a script that runs each morning letting us know user account history information such as last logon, user creation, user deletion and so forth. We received a message this morning stating user smithJ has not logged on ever. This didn't seem correct so I did a net user smithj /domain
The information I received said his last logon was 6/29/2009.
My boss ran it and it said "never" for last logon.
I then ran the same command from our domain controllers. One reported the same information I received, but the other DC reports "Never".
I then went to Active Directory Sites and Services on both DCs and replicated the NTDS settings to no avail.  
What else can I look for or try to get the two DCs communicating properly?
0
Comment
Question by:jrstx
  • 5
  • 5
11 Comments
 
LVL 2

Expert Comment

by:cincytopher
ID: 24754637
The lastLogon attribute isn't replicated between DCs.  If smithJ is always authenticated by DC1 then DC2 will have him as never logged in.  When your boss does a net user it must be querying DC2.  We use a program called dumpsec.exe to get the true last login.
0
 
LVL 6

Expert Comment

by:evan021702
ID: 24754959
Cincy is correct, the LastLogin Timestamp is only replicated in intervals to prevent a lot of AD traffic.  The default interval is 14 days, but it can be longer if there are a lot of login requests or other AD traffic.  You best bet would either to run the script on both domain controllers and compare or look into a third party tool such as dumpsec to do the comparison for you.
0
 

Author Comment

by:jrstx
ID: 24755026
Thanks for the information Cincytopher. Is there a way to tell which user authenticates to which DC? Is it possible to tell DC1 to authenticate a specific user instead of DC2?
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 2

Expert Comment

by:cincytopher
ID: 24755516
echo %logonserver% at a command prompt will tell you which server authenticated you.
0
 

Author Comment

by:jrstx
ID: 24756102
One more question... Evan says the default interval is 14 days, but could be longer depending on traffic.
We have 185 users total, and over half are on shift work, so AD traffic shouldn't be too high. Is there any way to find out or adjust the interval?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24756154
0
 

Author Comment

by:jrstx
ID: 24762432
Thanks for that last link Cincy.
This data was recorded this morning for the same user:

Last logon                   12/31/2008 3:59 AM (from DC1)
Last logon                   12/29/2008 1:06 AM (from DC2)

This is obviously well past the default of 14 days. I am just wondering if there is something wrong with our domain?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24763076
Can you give me more info on your setup?  Do you just have the two DCs?  Are they at the same site?  Has this user logged in since 12-08?
0
 

Author Comment

by:jrstx
ID: 24763114
We only have two DCs, and they are located at the same site. The user has not logged in since 12-08. That is accurate, but why are they reporting 2 days apart?
0
 
LVL 2

Accepted Solution

by:
cincytopher earned 500 total points
ID: 24763557
Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the "lastLogontimeStamp" attribute to occur.  If it is not, it uses the "lastlogon" attribute which does not replicate even after 14 days.  My guess is that you are on windows 2000 functional level.
0
 

Author Comment

by:jrstx
ID: 24763801
Ahhh! Your guess is correct. When we initially setup the domain we left the defaults because we still needed to communicate to our old domain. We never got back to raising the levels. I'll wait to do this Monday as we like to keep it quiet before the weekend. Thanks for all your help Cincy.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Resolve DNS query failed errors for Exchange
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question