Domain Controller replication problems

We have two domain controllers at our company. They are nearly identical machines, and running Windows Server 2003. We have a script that runs each morning letting us know user account history information such as last logon, user creation, user deletion and so forth. We received a message this morning stating user smithJ has not logged on ever. This didn't seem correct so I did a net user smithj /domain
The information I received said his last logon was 6/29/2009.
My boss ran it and it said "never" for last logon.
I then ran the same command from our domain controllers. One reported the same information I received, but the other DC reports "Never".
I then went to Active Directory Sites and Services on both DCs and replicated the NTDS settings to no avail.  
What else can I look for or try to get the two DCs communicating properly?
jrstxAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
cincytopherConnect With a Mentor Commented:
Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the "lastLogontimeStamp" attribute to occur.  If it is not, it uses the "lastlogon" attribute which does not replicate even after 14 days.  My guess is that you are on windows 2000 functional level.
0
 
cincytopherCommented:
The lastLogon attribute isn't replicated between DCs.  If smithJ is always authenticated by DC1 then DC2 will have him as never logged in.  When your boss does a net user it must be querying DC2.  We use a program called dumpsec.exe to get the true last login.
0
 
evan021702Commented:
Cincy is correct, the LastLogin Timestamp is only replicated in intervals to prevent a lot of AD traffic.  The default interval is 14 days, but it can be longer if there are a lot of login requests or other AD traffic.  You best bet would either to run the script on both domain controllers and compare or look into a third party tool such as dumpsec to do the comparison for you.
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
jrstxAuthor Commented:
Thanks for the information Cincytopher. Is there a way to tell which user authenticates to which DC? Is it possible to tell DC1 to authenticate a specific user instead of DC2?
0
 
cincytopherCommented:
echo %logonserver% at a command prompt will tell you which server authenticated you.
0
 
jrstxAuthor Commented:
One more question... Evan says the default interval is 14 days, but could be longer depending on traffic.
We have 185 users total, and over half are on shift work, so AD traffic shouldn't be too high. Is there any way to find out or adjust the interval?
0
 
jrstxAuthor Commented:
Thanks for that last link Cincy.
This data was recorded this morning for the same user:

Last logon                   12/31/2008 3:59 AM (from DC1)
Last logon                   12/29/2008 1:06 AM (from DC2)

This is obviously well past the default of 14 days. I am just wondering if there is something wrong with our domain?
0
 
cincytopherCommented:
Can you give me more info on your setup?  Do you just have the two DCs?  Are they at the same site?  Has this user logged in since 12-08?
0
 
jrstxAuthor Commented:
We only have two DCs, and they are located at the same site. The user has not logged in since 12-08. That is accurate, but why are they reporting 2 days apart?
0
 
jrstxAuthor Commented:
Ahhh! Your guess is correct. When we initially setup the domain we left the defaults because we still needed to communicate to our old domain. We never got back to raising the levels. I'll wait to do this Monday as we like to keep it quiet before the weekend. Thanks for all your help Cincy.
0
All Courses

From novice to tech pro — start learning today.