Solved

Domain Controller replication problems

Posted on 2009-07-01
11
321 Views
Last Modified: 2012-05-07
We have two domain controllers at our company. They are nearly identical machines, and running Windows Server 2003. We have a script that runs each morning letting us know user account history information such as last logon, user creation, user deletion and so forth. We received a message this morning stating user smithJ has not logged on ever. This didn't seem correct so I did a net user smithj /domain
The information I received said his last logon was 6/29/2009.
My boss ran it and it said "never" for last logon.
I then ran the same command from our domain controllers. One reported the same information I received, but the other DC reports "Never".
I then went to Active Directory Sites and Services on both DCs and replicated the NTDS settings to no avail.  
What else can I look for or try to get the two DCs communicating properly?
0
Comment
Question by:jrstx
  • 5
  • 5
11 Comments
 
LVL 2

Expert Comment

by:cincytopher
ID: 24754637
The lastLogon attribute isn't replicated between DCs.  If smithJ is always authenticated by DC1 then DC2 will have him as never logged in.  When your boss does a net user it must be querying DC2.  We use a program called dumpsec.exe to get the true last login.
0
 
LVL 6

Expert Comment

by:evan021702
ID: 24754959
Cincy is correct, the LastLogin Timestamp is only replicated in intervals to prevent a lot of AD traffic.  The default interval is 14 days, but it can be longer if there are a lot of login requests or other AD traffic.  You best bet would either to run the script on both domain controllers and compare or look into a third party tool such as dumpsec to do the comparison for you.
0
 

Author Comment

by:jrstx
ID: 24755026
Thanks for the information Cincytopher. Is there a way to tell which user authenticates to which DC? Is it possible to tell DC1 to authenticate a specific user instead of DC2?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 2

Expert Comment

by:cincytopher
ID: 24755516
echo %logonserver% at a command prompt will tell you which server authenticated you.
0
 

Author Comment

by:jrstx
ID: 24756102
One more question... Evan says the default interval is 14 days, but could be longer depending on traffic.
We have 185 users total, and over half are on shift work, so AD traffic shouldn't be too high. Is there any way to find out or adjust the interval?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24756154
0
 

Author Comment

by:jrstx
ID: 24762432
Thanks for that last link Cincy.
This data was recorded this morning for the same user:

Last logon                   12/31/2008 3:59 AM (from DC1)
Last logon                   12/29/2008 1:06 AM (from DC2)

This is obviously well past the default of 14 days. I am just wondering if there is something wrong with our domain?
0
 
LVL 2

Expert Comment

by:cincytopher
ID: 24763076
Can you give me more info on your setup?  Do you just have the two DCs?  Are they at the same site?  Has this user logged in since 12-08?
0
 

Author Comment

by:jrstx
ID: 24763114
We only have two DCs, and they are located at the same site. The user has not logged in since 12-08. That is accurate, but why are they reporting 2 days apart?
0
 
LVL 2

Accepted Solution

by:
cincytopher earned 500 total points
ID: 24763557
Your Windows domain must be at Windows 2003 Domain Functional Level for updates to the "lastLogontimeStamp" attribute to occur.  If it is not, it uses the "lastlogon" attribute which does not replicate even after 14 days.  My guess is that you are on windows 2000 functional level.
0
 

Author Comment

by:jrstx
ID: 24763801
Ahhh! Your guess is correct. When we initially setup the domain we left the defaults because we still needed to communicate to our old domain. We never got back to raising the levels. I'll wait to do this Monday as we like to keep it quiet before the weekend. Thanks for all your help Cincy.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
default domain policy exemptions 4 35
Alert on Server memory 2 22
AD user profile  integration 5 23
PowerShell .lastLogonTimestamp off 11 27
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question