Domain Controller replication problems

We have two domain controllers at our company. They are nearly identical machines, and running Windows Server 2003. We have a script that runs each morning letting us know user account history information such as last logon, user creation, user deletion and so forth. We received a message this morning stating user smithJ has not logged on ever. This didn't seem correct so I did a net user smithj /domain
The information I received said his last logon was 6/29/2009.
My boss ran it and it said "never" for last logon.
I then ran the same command from our domain controllers. One reported the same information I received, but the other DC reports "Never".
I then went to Active Directory Sites and Services on both DCs and replicated the NTDS settings to no avail.  
What else can I look for or try to get the two DCs communicating properly?
jrstxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

cincytopherCommented:
The lastLogon attribute isn't replicated between DCs.  If smithJ is always authenticated by DC1 then DC2 will have him as never logged in.  When your boss does a net user it must be querying DC2.  We use a program called dumpsec.exe to get the true last login.
0
evan021702Commented:
Cincy is correct, the LastLogin Timestamp is only replicated in intervals to prevent a lot of AD traffic.  The default interval is 14 days, but it can be longer if there are a lot of login requests or other AD traffic.  You best bet would either to run the script on both domain controllers and compare or look into a third party tool such as dumpsec to do the comparison for you.
0
jrstxAuthor Commented:
Thanks for the information Cincytopher. Is there a way to tell which user authenticates to which DC? Is it possible to tell DC1 to authenticate a specific user instead of DC2?
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

cincytopherCommented:
echo %logonserver% at a command prompt will tell you which server authenticated you.
0
jrstxAuthor Commented:
One more question... Evan says the default interval is 14 days, but could be longer depending on traffic.
We have 185 users total, and over half are on shift work, so AD traffic shouldn't be too high. Is there any way to find out or adjust the interval?
0
jrstxAuthor Commented:
Thanks for that last link Cincy.
This data was recorded this morning for the same user:

Last logon                   12/31/2008 3:59 AM (from DC1)
Last logon                   12/29/2008 1:06 AM (from DC2)

This is obviously well past the default of 14 days. I am just wondering if there is something wrong with our domain?
0
cincytopherCommented:
Can you give me more info on your setup?  Do you just have the two DCs?  Are they at the same site?  Has this user logged in since 12-08?
0
jrstxAuthor Commented:
We only have two DCs, and they are located at the same site. The user has not logged in since 12-08. That is accurate, but why are they reporting 2 days apart?
0
cincytopherCommented:
Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the "lastLogontimeStamp" attribute to occur.  If it is not, it uses the "lastlogon" attribute which does not replicate even after 14 days.  My guess is that you are on windows 2000 functional level.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jrstxAuthor Commented:
Ahhh! Your guess is correct. When we initially setup the domain we left the defaults because we still needed to communicate to our old domain. We never got back to raising the levels. I'll wait to do this Monday as we like to keep it quiet before the weekend. Thanks for all your help Cincy.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.