Application Hardcoded to Specific 2008 R2 DCs

We have an application that is experiencing some authentication issues. It is hardcoded to a few specific DCs and uses AD for user lookup. The DCs that are hardcoded are healthy (checked replication, etc.). What performance monitoring do you guys recommend to prove that it is their application and not the DCs' performance that is causing it? Thanks!
IT_Admin asked:
Mahesh (Architect) commented:
What kind of authentication issues are you facing with the application?

In the case of the DCs, you can validate DC health:
Check whether the SYSVOL and NETLOGON shares are published.
Run dcdiag /v and repadmin /showrepl to find any DC configuration / replication issues.
Also reboot those DCs and verify that event IDs 1394 (Directory Service log) and 13516 (FRS log) are generated.

Ensure that event IDs 13568 (FRS) and 2095, 2042, 1388, 1988 (Directory Service) are not present on the DC; otherwise it can have serious problems.

You may also manually run a replication check from AD Sites and Services on the connection objects.

Also run the commands below to validate other configuration:
netdom query fsmo - run on all DCs to verify that the FSMO output is the same on all DCs
nltest /dclist:domain.com
nltest /dsgetdc:domain.com
nltest /sc_query:domain.com
nltest /sc_verify:domain.com - this command would fail if you have the FSMO roles on the server but succeed on the other DCs
Replace domain.com with yours.

Finally, you can enable auditing of account logon and logon events for success, so that you get security log entries if users are logging on through this DC.

Once this is done, you can ask the application vendor / owner to check the application end for issues.
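An added example (not from the original post or either answer) that runs the checks above against the hardcoded DCs in one pass and adds a short NTDS performance-counter sample, which is what answers the asker's question of whether the DC side is slow. It assumes the RSAT tools are installed, that remote WMI, event log and performance-counter access is allowed, and that the DC names and domain.com are placeholders.

```powershell
# Added example (not from the original post): health + performance snapshot
# of the DCs the application is hardcoded to. Assumes RSAT tools and remote
# WMI / event log / perf-counter access. DC names are placeholders.
$Dcs = @('DC01.domain.com', 'DC02.domain.com')   # replace with the hardcoded DCs

# Event IDs named in the answer above
$GoodDsIds  = @(1394)                       # Directory Service: DS ready after boot
$GoodFrsIds = @(13516)                      # FRS: SYSVOL share ready
$BadDsIds   = @(2095, 2042, 1388, 1988)
$BadFrsIds  = @(13568)                      # FRS journal wrap

# NTDS counters that show whether the DC itself is slow to answer LDAP
$Counters = @(
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Bind Time',
    '\NTDS\ATQ Outstanding Queued Requests',
    '\NTDS\ATQ Request Latency',
    '\Processor(_Total)\% Processor Time'
)

foreach ($dc in $Dcs) {
    Write-Host "==== $dc ===="

    # Shares and replication, as in the answer above
    net view "\\$dc" | Select-String 'SYSVOL|NETLOGON'
    dcdiag /s:$dc /q                      # /q prints only failures
    repadmin /showrepl $dc /errorsonly

    # Good / bad events since the last reboot
    $os    = Get-WmiObject Win32_OperatingSystem -ComputerName $dc
    $since = $os.ConvertToDateTime($os.LastBootUpTime)
    $ds  = Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Directory Service'; StartTime=$since} -ErrorAction SilentlyContinue
    $frs = Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='File Replication Service'; StartTime=$since} -ErrorAction SilentlyContinue
    $good = @($ds | Where-Object { $GoodDsIds -contains $_.Id }) + @($frs | Where-Object { $GoodFrsIds -contains $_.Id })
    $bad  = @($ds | Where-Object { $BadDsIds -contains $_.Id })  + @($frs | Where-Object { $BadFrsIds -contains $_.Id })
    Write-Host ("Startup events seen: {0}   Problem events: {1}" -f $good.Count, $bad.Count)
    $bad | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

    # 30-second sample: sustained ATQ queueing or high bind time = DC-side bottleneck
    Get-Counter -ComputerName $dc -Counter $Counters -SampleInterval 5 -MaxSamples 6 |
        ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        Select-Object Name,
            @{ n = 'Avg'; e = { [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2) } },
            @{ n = 'Max'; e = { ($_.Group.CookedValue | Measure-Object -Maximum).Maximum } } |
        Format-Table -AutoSize
}
```

If the ATQ queue stays near zero and bind time is low while the application still reports failures, the evidence points at the application's LDAP usage rather than the DCs.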

Will Szymkowski (Senior Solution Architect) commented:
A better scenario for this would be to point your application to domain.com rather than individual DCs. However, how is this configured in the application? Sometimes, when you configure the LDAP or Active Directory configuration to look at the top root "domain.com", depending on the number of objects in your environment, it can have an impact on how the application searches for and authenticates users. I have seen pointing to a specific group or OU improve performance for logon/authentication.

Ultimately it comes down to how your application is configured and also how many resources these DCs have available to process requests. I can tell you, though, that if you do not have any issues with any other authentication (workstations, servers, etc.), you can almost bet it is the way the application is interacting with Active Directory.

Will.