?
Solved

Two domain controllers - Only one logon server

Posted on 2010-08-20
6
Medium Priority
?
561 Views
Last Modified: 2012-05-10
In our office we currently have two servers running Windows Server 2008 R2 that run as Active Directory Domain Controllers.  One is a physical, and one is a Hyper-V virtual server.

I have transferred all the FSMO roles to the physical server, and assumed that server would take care of all the user logons.  However it seems that about half get logged in using physical and half get logged in using the virtual.

I'd prefer if users only could log in through the physical machine.
Is this as easy as stopping the NETLOGON service on the virtual server?
Could this have any negative side effects?

Thanks,
Jamie
0
Comment
Question by:jamorlando
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 6

Expert Comment

by:Elwin3
ID: 33485393
Moving the FSMO roles does not stop it authenticating logons. Logons are split between all DCs in the local subnet.
If you don't want the virtual server to handle logons then dcpromo it back down to a member server.

 
0
 

Author Comment

by:jamorlando
ID: 33485436
PS--Sorry for accidentally adding this to the MS Sharepoint Zone.  This has nothing to do with Sharepoint.

Could someone kindly answer my question about stopping the NETLOGON service.  I know for a fact that would stop it from authenticated user logins.  Just don't want to screw anything up by doing this.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 33485491
One of the priciple reasons for having multiple DCs is so that if one fails the other can authenticate users - what you are describing is optimal, not only have you got redunancy but also load balancing- why on earth do you want to change this ?
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:jamorlando
ID: 33485518
@KCTS: Since the physical domain controller has much better specs than the virtual, I wanted all logins to be handled through that, and then if it failed, it would fail over to the virtual.

I think I see your point though about how this isn't a good idea.
0
 
LVL 6

Accepted Solution

by:
Elwin3 earned 1000 total points
ID: 33485549
If you stop the logon service it will stop it authenticated. However, it will also stop recplication between the domain controllers, so it will get out of sync and will be no good when you wan to use it as a backup.

the other option is to put it on a seperate subnet and then configure AD Sites and Services to sync between the 2 subnets. This way the computers will not us it to logon to as it is not on the local subnet.
0
 

Author Comment

by:jamorlando
ID: 33485572
Thanks, this is the answer I wanted!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month9 days, 15 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question