Two domain controllers - Only one logon server

In our office we currently have two servers running Windows Server 2008 R2 that run as Active Directory Domain Controllers.  One is a physical, and one is a Hyper-V virtual server.

I have transferred all the FSMO roles to the physical server, and assumed that server would take care of all the user logons.  However it seems that about half get logged in using physical and half get logged in using the virtual.

I'd prefer if users only could log in through the physical machine.
Is this as easy as stopping the NETLOGON service on the virtual server?
Could this have any negative side effects?

Thanks,
Jamie
jamorlandoAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Elwin3Connect With a Mentor Commented:
If you stop the logon service it will stop it authenticated. However, it will also stop recplication between the domain controllers, so it will get out of sync and will be no good when you wan to use it as a backup.

the other option is to put it on a seperate subnet and then configure AD Sites and Services to sync between the 2 subnets. This way the computers will not us it to logon to as it is not on the local subnet.
0
 
Elwin3Commented:
Moving the FSMO roles does not stop it authenticating logons. Logons are split between all DCs in the local subnet.
If you don't want the virtual server to handle logons then dcpromo it back down to a member server.

 
0
 
jamorlandoAuthor Commented:
PS--Sorry for accidentally adding this to the MS Sharepoint Zone.  This has nothing to do with Sharepoint.

Could someone kindly answer my question about stopping the NETLOGON service.  I know for a fact that would stop it from authenticated user logins.  Just don't want to screw anything up by doing this.
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
KCTSCommented:
One of the priciple reasons for having multiple DCs is so that if one fails the other can authenticate users - what you are describing is optimal, not only have you got redunancy but also load balancing- why on earth do you want to change this ?
0
 
jamorlandoAuthor Commented:
@KCTS: Since the physical domain controller has much better specs than the virtual, I wanted all logins to be handled through that, and then if it failed, it would fail over to the virtual.

I think I see your point though about how this isn't a good idea.
0
 
jamorlandoAuthor Commented:
Thanks, this is the answer I wanted!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.