How do I control what logon server is used when I have multiple domain controllers?

I just installed a Windows 2008 R2 domain controller in a subnet that has a Windows 2003 R2 domain controller in it. The domain controller has been in place now for over a month and I have not seen any problems with it. However, I would like to know if there is a way to control what server the workstations use as their logon server. Currently they seem to just randomly choose one or the other when I check the "LOGONSERVER" field when running the 'set' command at a command prompt. I would like to get them all using the new server as we are eventually going to get rid of the old server. Please let me know if you need any additional information from me on this to help.
Rob Sanders Asked:

chakko Commented:
I think the logon will be random depending on which DC responds first.  That is normal and there isn't any problem.
If you remove the old DC then there won't be any problem with workstations logging on; they should authenticate to the new (remaining) DC.

You can try this registry key 'hack' if you like.  You can alter the priority of the DC.  

http://technet.microsoft.com/en-us/library/cc957290.aspx

Rob Sanders (Author) Commented:
Thanks for finding that article for me. It might have some value. My concern is that it would cause workstations at other subnets to prefer this domain controller over domain controllers local to their subnet.

chakko Commented:
I have never used that registry hack myself so I can't comment on any consequences.
But I would guess that if you lower the preference of the outgoing DC then that should have the desired result.  The remaining DCs would have the default priority (0 - highest).
Your AD Sites and subnets should determine which DC the workstations try to authenticate with.

chakko Commented:
Also, I don't think you really need to do anything.  When you remove the 2003 DC the workstations will just authenticate to the 2008 DC.

Rob Sanders (Author) Commented:
OK, I appreciate the suggestions. Does the chosen logon server get cached on the workstation so that it will attempt to first use the last used logon server? If so, is there a way to clear this cache? Being able to do this would be very helpful for troubleshooting this.

In case you are wondering, the reason why I would like to have the workstations use the 2008 R2 logon server right now as opposed to waiting until later is because of the additional group policy functionality that 2008 R2 provides.

chakko Commented:
I think it is random at each logon.

GPO should not be an issue with having the 2003 DC still there.   For example, I have a 2003 Domain and needed to have policies for Windows 7 clients.  There is information on how to do this.  But one of the steps is to create a Folder inside of SYSVOL/.../Policies area called Policy Definitions.  It has the .admx files in there.  I can create the Windows 7 relevant policies even though the Domain is 2003.

The policy gets created in the Policies folder - I can see the Unique ID folder.

The sysvol should replicate to the 2003DC and the policies should still be applied even if the client authenticates to the 2003DC.   Do you have a problem where the policies don't apply?

Krzysztof Pytko (Senior Active Directory Engineer) Commented:
I'm not sure if you're talking about different Sites, where DCs are located? If so, use the Active Directory Sites and Services console, create the appropriate number of Sites (I think in your situation 2 or 3) and create subnets. Link the appropriate subnet into the Site and create Site links to allow AD data replication between them.

From now on, your AD clients will authenticate to the closest DC in their network. However, it's not possible to strictly define which DC must be used for authentication.

A simple MS article about creating Subnets
http://technet.microsoft.com/en-us/library/cc740187%28WS.10%29.aspx

and a little bit more description about Sites, Subnets and Site Links
http://technet.microsoft.com/en-us/library/cc754697.aspx

It is chosen randomly from the Site's available DCs using a Round-Robin mechanism. Check this:
http://en.wikipedia.org/wiki/Round-robin_DNS

and a little bit about mask ordering
http://support.microsoft.com/kb/842197

Regards,
Krzysztof
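
To check from a workstation which site it maps to and which DC the locator returns, here is an added example (not posted by any participant in this thread). It wraps `nltest /dsgetdc`, using `/force` to rediscover a DC rather than reuse the cached one, and compares the result with `LOGONSERVER`. The function name `Get-DcLocatorInfo` is made up for this example.

```powershell
# Added example: report which DC and AD site this workstation resolved.
# Run on a domain-joined workstation where nltest.exe is available.
function Get-DcLocatorInfo {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,  # DNS domain of the logged-on user
        [switch]$Force                          # rediscover instead of using the cached DC
    )
    $nltestArgs = @("/dsgetdc:$Domain")
    if ($Force) { $nltestArgs += '/force' }
    $out = & nltest.exe $nltestArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $out" }

    # nltest prints "Label: value" lines; keep the three we need.
    $info = @{}
    foreach ($line in $out) {
        if ("$line" -match '^\s*(DC|Dc Site Name|Our Site Name):\s*(.+?)\s*$') {
            $info[$Matches[1]] = $Matches[2].TrimStart('\')
        }
    }
    New-Object PSObject -Property @{
        LogonServer = ($env:LOGONSERVER -replace '^\\\\', '')  # set at logon
        LocatorDC   = $info['DC']                               # current locator result
        DcSite      = $info['Dc Site Name']
        ClientSite  = $info['Our Site Name']
    }
}

$r = Get-DcLocatorInfo -Force
$r | Format-List

# A DC from another site usually means the client's subnet is not mapped
# to a site, or its own site has no DC available.
if ($r.DcSite -ne $r.ClientSite) {
    Write-Warning "Located DC is in site '$($r.DcSite)' but this client is in '$($r.ClientSite)'; check the subnet-to-site mapping."
}
# LOGONSERVER is a short name and LocatorDC an FQDN, so compare the host part.
if ($r.LocatorDC -and ($r.LocatorDC.Split('.')[0] -ne $r.LogonServer)) {
    Write-Output "Logon was validated by $($r.LogonServer); the locator now returns $($r.LocatorDC)."
}
```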

Rob Sanders (Author) Commented:
Thanks for the info. Yes, I am having some issues in which some GP settings are not applying. Specifically, it's as if the loopback processing is not replacing the user settings with the user settings configured for the local workstation. It seems like when it doesn't work is when the machine is using the old 2003 DC as the logon server. I can't say for sure though. It may or may not be the issue causing this problem.

chakko Commented:
Can you unplug the 2003 DC server? Is it doing anything useful (services) now, or can you disconnect it (unplug LAN cable) and check the logon and policies being applied at the workstation?  That may be an easy way to check.

Rob Sanders (Author) Commented:
I can't during normal business hours.

Rob Sanders (Author) Commented:
I will see if I can give that a shot late this evening.

dave_it Commented:
Put the 2003 R2 DC into a new site, then create a new subnet definition that will only encompass that DC and assign it to the new site.  Also, de-register DNS record registration on the 2003 R2 DC --> http://support.microsoft.com/kb/306602

Rob Sanders (Author) Commented:
Unfortunately I was not able to unplug the old DC from the network last night. I will try again either this weekend or one evening this coming week.

I can't move the old DC to another subnet as it is also a file server right now as well that users still need to get to.

Rob Sanders (Author) Commented:
Also, I am going to post another question concerning the application of Group Policy issue that I am experiencing more specifically. I will post a link to that question shortly.

Rob Sanders (Author) Commented:
Well, I discovered that the issue isn't related to the given logon server. One of my workstations is still having the problem even when it happens to choose the newer DC as the logon server. Now I am thinking the issue has something to do with loopback processing not working properly or something. I will post another question. Thanks for the help everyone.