Solved

Domain Controller replication problems

Posted on 2009-07-01
11
320 Views
Last Modified: 2012-05-07
We have two domain controllers at our company. They are nearly identical machines, and running Windows Server 2003. We have a script that runs each morning letting us know user account history information such as last logon, user creation, user deletion and so forth. We received a message this morning stating user smithJ has not logged on ever. This didn't seem correct so I did a net user smithj /domain
The information I received said his last logon was 6/29/2009.
My boss ran it and it said "never" for last logon.
I then ran the same command from our domain controllers. One reported the same information I received, but the other DC reports "Never".
I then went to Active Directory Sites and Services on both DCs and replicated the NTDS settings to no avail.  
What else can I look for or try to get the two DCs communicating properly?
0
Comment
Question by:jrstx
  • 5
  • 5
11 Comments
 
LVL 2

Expert Comment

by:cincytopher
ID: 24754637
The lastLogon attribute isn't replicated between DCs.  If smithJ is always authenticated by DC1 then DC2 will have him as never logged in.  When your boss does a net user it must be querying DC2.  We use a program called dumpsec.exe to get the true last login.
0
 
LVL 6

Expert Comment

by:evan021702
ID: 24754959
Cincy is correct, the LastLogin Timestamp is only replicated in intervals to prevent a lot of AD traffic.  The default interval is 14 days, but it can be longer if there are a lot of login requests or other AD traffic.  You best bet would either to run the script on both domain controllers and compare or look into a third party tool such as dumpsec to do the comparison for you.
0
 

Author Comment

by:jrstx
ID: 24755026
Thanks for the information Cincytopher. Is there a way to tell which user authenticates to which DC? Is it possible to tell DC1 to authenticate a specific user instead of DC2?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24755516
echo %logonserver% at a command prompt will tell you which server authenticated you.
0
 

Author Comment

by:jrstx
ID: 24756102
One more question... Evan says the default interval is 14 days, but could be longer depending on traffic.
We have 185 users total, and over half are on shift work, so AD traffic shouldn't be too high. Is there any way to find out or adjust the interval?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Expert Comment

by:cincytopher
ID: 24756154
0
 

Author Comment

by:jrstx
ID: 24762432
Thanks for that last link Cincy.
This data was recorded this morning for the same user:

Last logon                   12/31/2008 3:59 AM (from DC1)
Last logon                   12/29/2008 1:06 AM (from DC2)

This is obviously well past the default of 14 days. I am just wondering if there is something wrong with our domain?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24763076
Can you give me more info on your setup?  Do you just have the two DCs?  Are they at the same site?  Has this user logged in since 12-08?
0
 

Author Comment

by:jrstx
ID: 24763114
We only have two DCs, and they are located at the same site. The user has not logged in since 12-08. That is accurate, but why are they reporting 2 days apart?
0
 
LVL 2

Accepted Solution

by:
cincytopher earned 500 total points
ID: 24763557
Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the "lastLogontimeStamp" attribute to occur.  If it is not, it uses the "lastlogon" attribute which does not replicate even after 14 days.  My guess is that you are on windows 2000 functional level.
0
 

Author Comment

by:jrstx
ID: 24763801
Ahhh! Your guess is correct. When we initially setup the domain we left the defaults because we still needed to communicate to our old domain. We never got back to raising the levels. I'll wait to do this Monday as we like to keep it quiet before the weekend. Thanks for all your help Cincy.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now