sherlock1

asked on

Check to see which users are authenticating against a specific domain controller

Hi Experts,

Is there a way to easily see a list of users that are authenticating against a specific domain controller? (The server is running Windows Server 2012 R2.)
The server is a DC and it's planned to decommission the server soon, but prior to doing this it would be good to check if there are still users authenticating against the domain controller.

Thanks
Mahesh

If you have already pointed all resources to other DCs and isolated this DC by moving FSMO as well, you can simply turn it off for two / three days, and if nothing is affected you can decommission it. This is the simplest way.
Else, if the DC is online, it can still authenticate client authentication requests as part of the DC SRV locator process.
What you can do is install monitoring tools such as Wireshark / netmon etc. on the DC and monitor inbound DC traffic for Kerberos and LDAP (389 and 88) to find out the source of the requests.
Also, if you have already enabled auditing on the default domain controller policy, you can monitor account logon events. If any are found, clients are still using it for authentication, but most probably it is because of the DC SRV locator process; once you shut it down, you will get a clear picture.
Look at the security logs on the server. I would expect that you will see events on the DC until you decommission it. AD spreads the load around. Now, if you moved the DC in AD Sites and Services to a site that has no users or computers, then it shouldn't get used.

My bigger concern would be is the server being used for DNS, NPS, or DHCP. You can enable DNS logging to see if it is getting any requests.

Personally, I don't retire the IP addresses of DNS servers. I reuse them for the replacement DC. I have too many statically assigned devices, DHCP scopes, and DHCP relays configured to be able to retire one of my main DCs. I build new ones and then give them the IP of the old DC so that everything can continue to use the IP address it is used to.
sherlock1

ASKER

Thanks for feedback.
Any specific security events I should look for? Any specific DNS events?

The server has the DHCP role installed and has some active IP address leases for one scope
They are mostly reserved IP addresses. The other DHCP scopes do not have any active leases so the usage of DHCP on this server appears to be light.

Also the Network policy server role is installed and has active radius clients.


Mahesh - you said: "If you already pointed all resources to other DCs and isolated this DC by moving FSMO as well". I'm guessing by resources you mean DHCP / file shares / Network Policy Server etc.? The server does not hold any of the FSMO roles.
Or did you mean making a change to the service records to change the priority for client computer requests to the domain controller?

In AD Sites and Services, the site the server is in has one other active DC within that same site.
I can create follow-up question(s) on any specific area of this if it goes too far off the question, if need be.
Thanks
Ok
You did not tell me that the server has other roles as well.
You can demote the DC to a member server and keep all roles as is; you can move the other roles after DC demotion if wanted.
If anyhow you want to check for issues by shutting down the server, you first need to move the other server roles.
What I meant is that if the server is isolated in terms of DC, it needs to be removed as a DNS entry from static clients, DHCP scopes, network devices, other servers, LDAP binds, etc.

Simply check logon / logoff events under security events to see if they originate from other clients or devices, because any admin logging on to the DC also gets logged there as logon events.
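The security-log check described in the replies above, as an added PowerShell example that is not part of this thread. It assumes it is run elevated on the DC (or pointed at it with -ComputerName), that "Account Logon" auditing is enabled on the Default Domain Controllers Policy, and it uses the standard Windows Security event IDs 4768/4769/4776/4624; it summarises which user accounts authenticated against this DC and from which source addresses in the look-back window.

```powershell
# Added example (not from the thread): summarise user authentication recorded in a
# DC's Security log before decommissioning it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC to inspect (assumed: run on the DC)
    [int]$Days = 3                              # look-back window in days
)

# Account-logon / logon event IDs on Server 2008 and later (incl. 2012 R2):
#   4768 Kerberos TGT request, 4769 Kerberos service-ticket request,
#   4776 NTLM credential validation, 4624 successful logon to this DC itself
$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4769, 4776, 4624
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Flatten each event's EventData into name/value pairs and pick the fields we need.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4776 records the client as 'Workstation'; the other IDs record 'IpAddress'
    $source = if ($e.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $d['TargetUserName']; Source = $source }
}

# Ignore computer accounts (trailing '$'), well-known non-user principals and
# logons sourced from the DC itself (e.g. an admin on the console), so what is
# left is real user authentication arriving over the network.
$userRows = $rows | Where-Object {
    $_.User -and $_.User -notmatch '\$$' -and
    $_.User -notin @('ANONYMOUS LOGON', 'SYSTEM', '-') -and
    $_.Source -and $_.Source -notin @('127.0.0.1', '::1', '::ffff:127.0.0.1', '-')
}

# One line per user/source pair: how many events and when last seen.
$userRows |
    Group-Object User, Source |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Source   = $_.Group[0].Source
            Events   = $_.Count
            LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
        }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```

An empty table after a few days with the DC moved out of the users' site is the signal the thread is looking for; any remaining rows show exactly which clients still need repointing.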
ASKER CERTIFIED SOLUTION
Michael B. Smith

Thanks everyone for your help on this. Some excellent advice.