Solved

How do I control what logon server is used when I have multiple domain controllers?

Posted on 2011-10-05
Medium Priority
2,384 Views
Last Modified: 2012-05-12
I just installed a Windows 2008 R2 domain controller in a subnet that has a Windows 2003 R2 domain controller in it. The domain controller has been in place now for over a month and I have not seen any problems with it. However, I would like to know if there is a way to control what server the workstations use as their logon server. Currently they seem to just randomly choose one or the other when I check the "LOGONSERVER" field when running the 'set' command at a command prompt. I would like to get them all using the new server as we are eventually going to get rid of the old server. Please let me know if you need any additional information from me on this to help.
Question by:Rob Sanders
15 Comments
 
LVL 22

Accepted Solution

by:
chakko earned 2000 total points
ID: 36921759
I think the logon will be random depending on which DC responds first.  That is normal and there isn't any problem.
If you remove the old DC then there won't be any problem with workstations logging on; they should authenticate to the new (remaining) DC.

You can try this registry key 'hack' if you like.  You can alter the priority of the DC.  

http://technet.microsoft.com/en-us/library/cc957290.aspx
0
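Added example (not part of the accepted answer or of any Microsoft article) showing what the registry change in that TechNet link looks like in practice: first read the SRV records the DC locator uses, then demote the outgoing DC's own registrations with the Netlogon LdapSrvPriority / LdapSrvWeight values, then re-check. The domain name corp.example.com and the DC names DC03 (old 2003 R2) and DC08 (new 2008 R2) are assumptions. Steps 1 and 3 can run from any machine with the DnsClient module (Windows 8 / Server 2012 or later); step 2 must run on the old DC itself.

```powershell
# Added example; not from the thread. Assumed names: domain corp.example.com,
# outgoing 2003 R2 DC "DC03", new 2008 R2 DC "DC08". Run as an administrator.
$domain = 'corp.example.com'   # assumption

# 1. What clients see today. Lower Priority wins; among equal priorities the
#    Weight decides the share of the load. Every DC registers 0 / 100 by default.
#    Resolve-DnsName needs Windows 8 / Server 2012 or later; on older hosts run
#    nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com instead.
function Get-DcSrvRecords {
    param([string]$DnsDomain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}
Get-DcSrvRecords -DnsDomain $domain

# 2. ON THE OUTGOING DC ONLY: demote its own registrations. A larger Priority
#    number is *less* preferred, so DC08 (still 0) wins whenever it answers and
#    DC03 is only used if DC08 is unreachable. Because these values change every
#    record DC03 registers (domain-wide and site-specific alike), clients in other
#    sites are not steered towards it either.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogon -Name LdapSrvPriority -Value 10 -Type DWord   # default 0
Set-ItemProperty -Path $netlogon -Name LdapSrvWeight   -Value 10 -Type DWord   # default 100
# Same thing without PowerShell (useful on a 2003 box without it installed):
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v LdapSrvPriority /t REG_DWORD /d 10 /f
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v LdapSrvWeight   /t REG_DWORD /d 10 /f
Restart-Service Netlogon   # Netlogon re-registers its SRV records with the new values
nltest /dsregdns           # and force a registration pass right away

# 3. From any machine: DC03 should now show Priority 10, DC08 still 0.
Get-DcSrvRecords -DnsDomain $domain
```

Two caveats worth knowing before relying on this: the SRV records carry a 600-second TTL by default, so caching resolvers and clients keep the old values for up to ten minutes, and the values only influence the locator's choice; nothing stops a client that already has a cached DC or an established secure channel from continuing to use the old DC until it rediscovers.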
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36921835
Thanks for finding that article for me. It might have some value. My concern is that it would cause workstations at other subnets to prefer this domain controller over domain controllers local to their subnet.
0
 
LVL 22

Expert Comment

by:chakko
ID: 36921860
I have never used that registry hack myself so I can't comment on any consequences.
But, I would guess that if you lower the preference of the outgoing DC then that should have the desired result.  The remaining DCs would have the default priority (0 - highest).
Your AD Sites and subnets should determine which DC the workstations try to authenticate with.
0
 
LVL 22

Expert Comment

by:chakko
ID: 36921864
Also, I don't think you really need to do anything.  When you remove the 2003 DC the workstations will just authenticate to the 2008 DC.
0
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36922007
ok, I appreciate the suggestions. Does the chosen logon server get cached on the workstation so that it will attempt to first use the last used logon server? If so, is there a way to clear this cache? Being able to do this would be very helpful for troubleshooting this.

In case you are wondering, the reason why I would like to have the workstations use the 2008 R2 logon server right now as opposed to waiting until later is because of the additional group policy functionality that 2008 R2 provides.
0
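Added example, not something posted in the thread: the built-in nltest commands a practitioner uses to see which DC a workstation has cached and to point it at a specific DC for troubleshooting. The domain name corp.example.com and the DC name DC08 are assumptions; the commands themselves are standard. Run from an elevated prompt on the workstation.

```powershell
# Added example; not from the thread. Assumed names: domain corp.example.com, new DC DC08.
$domain = 'corp.example.com'   # assumption
$newDc  = 'DC08'               # assumption

# The DC this interactive session authenticated against. It is fixed at logon
# and does not change until the next logon, whatever the locator does meanwhile.
"LOGONSERVER for this session: $env:LOGONSERVER"

# What the DC locator (DsGetDcName) currently hands out. Without /force this is
# served from the locator's cache, so it can stay on one DC for a while.
nltest "/dsgetdc:$domain"

# Bypass the cache and run a fresh discovery (DNS SRV lookup + LDAP ping).
nltest "/dsgetdc:$domain" /force

# The DC that holds this machine's secure channel (the one it talks to for
# authentication work until that channel is reset or fails).
nltest "/sc_query:$domain"

# Move the secure channel to the new DC and confirm it. Log off and back on
# afterwards and LOGONSERVER follows, until the locator rediscovers.
nltest "/sc_reset:$domain\$newDc"
nltest "/sc_verify:$domain"
```

For testing policy behaviour against one particular DC this is the quickest path: reset the secure channel to that DC, run gpupdate /force, and compare the result with the same steps pointed at the other DC.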
 
LVL 22

Expert Comment

by:chakko
ID: 36922225
I think it is random at each logon.

GPO should not be an issue with having the 2003 DC still there.  For example, I have a 2003 domain and needed to have policies for Windows 7 clients.  There is information on how to do this, but one of the steps is to create a folder inside the SYSVOL/.../Policies area called Policy Definitions.  It has the .admx files in it.  I can create the Windows 7-relevant policies even though the domain is 2003.

The policy gets created in the Policies folder - I can see the Unique ID folder.

The sysvol should replicate to the 2003 DC and the policies should still be applied even if the client authenticates to the 2003 DC.   Do you have a problem where the policies don't apply?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36922680
I'm not sure if you're talking about different Sites, where DCs are located? If so, use the Active Directory Sites and Services console, create an appropriate number of Sites (I think in your situation 2 or 3) and create subnets. Link the appropriate subnet to its Site and create Site links to allow AD data replication between them.

From now on, your AD clients will authenticate to the closest DC in their network. However, it's not possible to strictly define which DC must be used for authentication.

A simple MS article about creating Subnets
http://technet.microsoft.com/en-us/library/cc740187%28WS.10%29.aspx

and a little bit more description about Sites, Subnets and Site Links
http://technet.microsoft.com/en-us/library/cc754697.aspx

It is chosen randomly from the Site's available DCs using the Round-Robin mechanism. Check that
http://en.wikipedia.org/wiki/Round-robin_DNS

and a little bit about mask ordering
http://support.microsoft.com/kb/842197

Regards,
Krzysztof
0
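Added example, not part of Krzysztof's answer: the same site, subnet and site link setup done with the ActiveDirectory module instead of the Sites and Services console, plus the client-side check that the locator actually mapped the workstation into a site. It assumes the AD replication cmdlets that shipped with Windows Server 2012 / RSAT for Windows 8 or later (newer than the 2008 R2 in the question); the site names, subnets, DC names and link settings are all assumptions.

```powershell
# Added example; not from the thread. Needs the ActiveDirectory module with the
# *-ADReplication* cmdlets (Server 2012 / RSAT for Windows 8 or later).
Import-Module ActiveDirectory

$domain = 'corp.example.com'                       # assumption
$sites  = @{                                       # site name -> subnets in it (assumptions)
    'HQ'     = @('10.10.0.0/16')
    'Branch' = @('10.20.0.0/24', '10.20.1.0/24')
}
$dcSite = @{ 'DC08' = 'HQ'; 'DC03' = 'HQ'; 'DC20' = 'Branch' }   # assumptions

# Sites and the subnets that map clients into them. A client whose IP matches
# no subnet gets no site and falls back to the domain-wide records (any DC).
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# One site link so the two sites replicate (cost and interval are assumptions).
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Branch'")) {
    New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# A DC's server object must live in the site whose subnets it serves; the
# site-specific SRV records it registers are derived from that placement.
foreach ($dc in $dcSite.Keys) {
    Move-ADDirectoryServer -Identity $dc -Site $dcSite[$dc]
}

# Verification from a client: the site the locator put it in, and which DC a
# fresh discovery returns. If /dsgetsite is empty, the client's address is not
# covered by any subnet; the answering DC logs Netlogon event 5778 for it.
nltest /dsgetsite
nltest "/dsgetdc:$domain" /force
```

This is also the check to run before trusting the answer above: with both DCs in the same site and the workstation's subnet mapped to it, the locator legitimately returns either one, and only priority/weight or deregistration can bias that further.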
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36925770
Thanks for the info. Yes, I am having some issues in which some GP settings are not applying. Specifically, it's as if the loopback processing is not replacing the user settings with the user settings configured for the local workstation. It seems like the times when it doesn't work are when the machine is using the old 2003 DC as the logon server. I can't say for sure though. It may or may not be the issue causing this problem.
0
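Added example, not posted by anyone in the thread, for the correlation the author is trying to make by hand: one function that reports the DC the session logged on with, the DC each side of Group Policy was fetched from (as printed by gpresult), and the loopback mode that actually reached the computer (the UserPolicyMode value the policy engine reads: 1 = Merge, 2 = Replace, absent = off). Run it in the affected user's session from an elevated prompt; no names are assumed beyond what the machine reports.

```powershell
# Added example; not from the thread. Run in the affected user's session,
# elevated, on the workstation that shows the loopback problem.
function Get-GpSourceInfo {
    $logonServer = $env:LOGONSERVER                 # set at logon, e.g. \\DC08

    # gpresult prints "Group Policy was applied from: <dc fqdn>" per scope.
    $computerGp = gpresult /r /scope:computer 2>&1
    $userGp     = gpresult /r /scope:user     2>&1
    $fromLine   = 'Group Policy was applied from'
    $computerDc = (($computerGp | Select-String $fromLine) | Select-Object -First 1).Line -replace '.*from:\s*', ''
    $userDc     = (($userGp     | Select-String $fromLine) | Select-Object -First 1).Line -replace '.*from:\s*', ''
    $lastRun    = (($computerGp | Select-String 'Last time Group Policy was applied') |
                   Select-Object -First 1).Line -replace '.*applied:\s*', ''

    # Loopback is a computer-side setting; this is the value the engine uses.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    $loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Off' } }

    New-Object PSObject -Property @{      # PS 2.0-compatible object construction
        LogonServer      = $logonServer
        ComputerPolicyDc = $computerDc
        UserPolicyDc     = $userDc
        LoopbackMode     = $loopback
        LastComputerRun  = $lastRun
    }
}

Get-GpSourceInfo | Format-List
```

Reading the result: if LoopbackMode comes back Off while the GPO is meant to set Replace, the computer-side policy is not reaching this machine at all (link, filtering or SYSVOL content), which has nothing to do with the logon server; if it is Replace and the user settings still come from the user's own OU, compare UserPolicyDc across a good and a bad run, since a DC whose SYSVOL copy lags would apply an older GPO version.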
 
LVL 22

Expert Comment

by:chakko
ID: 36925888
Can you unplug the 2003 DC server? Is it doing anything useful (services) now, or can you disconnect it (unplug LAN cable) and check the logon and policies being applied at the workstation?  That may be an easy way to check.
0
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36925897
I can't during normal business hours.
0
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36925903
I will see if I can give that a shot late this evening.
0
 
LVL 6

Expert Comment

by:dave_it
ID: 36926946
Put the 2003 R2 DC into a new site, then create a new subnet definition that will only encompass that DC and assign it to the new site.  Also, de-register DNS record registration on the 2003 R2 DC --> http://support.microsoft.com/kb/306602
0
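Added example, not from dave_it's comment: the registry half of that suggestion, i.e. the DnsAvoidRegisterRecords value from KB 306602 that stops the outgoing DC from registering the domain-wide SRV records, followed by a DNS check that it is gone from them. It assumes the DC has already been placed in its own site with a /32 subnet as described (a purely logical change: the server keeps its IP, so its file shares stay reachable), that it is not the PDC emulator (the Pdc record is left alone), and that PowerShell 2.0 is installed on it; the reg.exe line does the same without PowerShell. Domain and DC names are assumptions.

```powershell
# Added example; not from the thread. Run ON THE OUTGOING DC as an administrator.
# Assumptions: domain corp.example.com, old DC DC03, DC03 is not the PDC emulator.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain   = 'corp.example.com'
$oldDc    = 'DC03'

# Mnemonics (per KB 306602) for the domain-wide, non-site-specific records.
# Clients with no matching subnet fall back to these, so removing them keeps
# DC03 out of every client's candidate list. The *AtSite records stay, so DC03
# still answers inside its own (client-less) site and keeps replicating.
$avoid = @('Dc', 'Ldap', 'Gc', 'GenericGc', 'Kdc', 'Rfc1510Kdc', 'Rfc1510UdpKdc')

New-ItemProperty -Path $netlogon -Name DnsAvoidRegisterRecords `
    -PropertyType MultiString -Value $avoid -Force | Out-Null
# Equivalent without PowerShell (\0 separates REG_MULTI_SZ entries for reg.exe):
#   reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d "Dc\0Ldap\0Gc\0GenericGc\0Kdc\0Rfc1510Kdc\0Rfc1510UdpKdc" /f

Restart-Service Netlogon   # deregisters on a clean stop, registers only the allowed set on start
nltest /dsregdns

# Check from any machine with the DnsClient module (Windows 8 / 2012 or later;
# otherwise nslookup -type=SRV): returns $true once no record in the domain-wide
# set points at the old DC. Allow for the 600-second record TTL first.
function Test-DcDeregistered {
    param([string]$DnsDomain, [string]$DcName)
    $generic = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$DcName.*" }
    return (@($generic).Count -eq 0)
}
Test-DcDeregistered -DnsDomain $domain -DcName $oldDc
```

Do this on the one DC being retired only: if every DC avoided the domain-wide records, a client whose address matched no subnet could not find a DC at all. Any record that survives the restart (for example because the zone does not allow dynamic deregistration) has to be deleted by hand in the DNS console, and clients that already hold a secure channel to the old DC keep it until it is reset or rediscovered.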
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36931932
Unfortunately I was not able to unplug the old DC from the network last night. I will try again either this weekend or one evening this coming week.

I can't move the old DC to another subnet as it is also a file server right now that users still need to get to.
0
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36931940
Also, I am going to post another question concerning the application of Group Policy issue that I am experiencing more specifically. I will post a link to that question shortly.
0
 
LVL 1

Author Comment

by:Rob Sanders
ID: 36933296
Well, I discovered that the issue isn't related to the given logon server. One of my workstations is still having the problem even when it happens to choose the newer DC as the logon server. Now I am thinking the issue has something to do with loopback processing not working properly or something. I will post another question. Thanks for the help everyone.
0
