2008R2 DCs not being used to log on
Dracula28
Member Posts: 232
I have an environment with 4 domain controllers. Two are running 2003, and two are running 2008R2. One of the 2K3 DCs holds all FSMO roles. All DCs are GCs. The 2K3 servers are placed in the local site with most of the clients, while the 2008R2 ones are placed in the Datacentre. But there is only one site defined in AD (Default-First-Site-Name). So even if the clients are placed in the same site as the 2K3 DCs, they should still not prefer these DCs.
The thing is that none of the 2008R2 DCs are being used to authenticate against the domain. There are no logon or logoff events in the security log of either 2008R2 DC, while there are plenty of such events in the 2K3 DCs. They all have the same audit policy.
Even when you log on to servers/clients placed in the Datacentre, you will authenticate against the 2K3 DCs. There are no replication-related errors. Everything is being replicated back and forth just fine between the DCs, the 2K8 DCs have registered their SRV records in DNS, and they have the same weight and priority as the 2K3 ones.
In other words, there is no reason why some users/clients shouldn't use the 2K8 DCs to log on, yet none of the users/clients are doing that.
What could be the reason?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
Comments
kj0 Member Posts: 767
If I remember correctly, and it's been a while since going through my MS certs stuff, you will need the FSMO roles on the 2008 DC you require. I think Schema/PDC/Infrastructure at the minimum.
(Can someone else correct me if I'm wrong? Thanks.)
TechGuy215 Member Posts: 404
First, make sure you have logging turned on and no limit on the size of the security logs on the domain controllers. Also, check to see if there is an autodelete rule set for a certain number of days that may be blowing out your logs. If this is good, move on to below...
Do you have the subnets defined correctly in the "Active Directory Sites and Services" applet? Without the subnets set up, the clients will find the closest (based on timing and load) AD controller to use... If this is good, see below:
Also, check to make sure your DCs are replicating properly; replmon and dcdiag are two tools you can use.
* Currently pursuing: PhD: Information Security and Information Assurance
* Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
* Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration
Dracula28 Member Posts: 232
The event logs are set at the default settings, so it's not due to events being deleted, as there are several other events present in the Security log. There are just no logon and logoff events. Subnets are defined correctly, but like I said there is only one site that has been defined, so all subnets belong to the same site.
The reason for this is simple, the 2003 DCs will be demoted in a couple of weeks, and totally be replaced with the 2K8R2 DCs. There will be no servers in the local site where most of the clients are located. So even if I have two physical sites, only one of them will have DCs and servers, therefore I don't think there is much need to define more than one site in AD, as there will be no servers advertising services in any other site than the Data center site.
Also, since I am demoting the local 2K3 DCs, that is another reason why I did not define more than one site. I want some of the clients to use the DCs in the Data center, as they will be the only DCs left in a couple of weeks. If I had defined more than one site, the clients would prefer the DCs at their local site.
Btw, as I wrote earlier, even if you log on to servers and clients in the Data center, you will still be authenticating against the DCs in the local site. There are 30 servers and 4 clients at the Data Center site.
TechGuy215 wrote: "Without the subnets setup the clients will find the closest (based on timing and load) AD controller to use"
Interesting. Isn't the only thing that decides which DC the client uses the site object in AD? The client checks which site it belongs to by checking which subnet object in AD belongs to its site. Then it finds a DC in its site and creates an affinity towards it, using it from now on to log on to the domain. So if you have 4 servers in the only site in AD, the client might choose any one of them, as they all belong to the same site as its subnet object. Or am I mistaken, and are there some other parameters involved here as well?
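The original post says the 2K8 DCs' SRV records carry "the same weight and priority" as the 2K3 ones, and the last post asks what besides the site object decides which DC a client picks. Within one site (or with no site match at all), the DC locator takes the `_ldap._tcp.dc._msdcs.<domain>` SRV records it gets from DNS, orders them by priority and then by weighted random choice as RFC 2782 prescribes, LDAP-pings the DCs in that order, and keeps the first one that answers; Netlogon then caches that DC rather than re-running the selection at every logon. The block below is an added example, not code from this thread or from any participant in it: it implements the RFC 2782 ordering over constructed SRV records with hypothetical DC names in a hypothetical `corp.example` domain, and shows both the default case (priority 0, weight 100 on every record, so each of the four DCs comes first about a quarter of the time) and the effect of lowering the weight on the DCs that are about to be demoted.

```python
"""RFC 2782 SRV record ordering, as applied by a DC locator client.

Added example with constructed data. DC names, the corp.example domain and
the record values are hypothetical and not taken from the thread.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str    # DC host name from the SRV record
    priority: int  # lower is tried first
    weight: int    # relative share within one priority


# Constructed: four DCs registering the Netlogon defaults (priority 0, weight 100),
# i.e. "same weight and priority" as in the original post.
DEFAULT_RECORDS = [
    SrvRecord("dc2k3-a.corp.example", 0, 100),
    SrvRecord("dc2k3-b.corp.example", 0, 100),
    SrvRecord("dc2k8-a.corp.example", 0, 100),
    SrvRecord("dc2k8-b.corp.example", 0, 100),
]

# Constructed: the 2K3 DCs re-registered with a low weight (LdapSrvWeight on
# the DC) so clients drift to the 2K8 DCs before the 2K3 ones are demoted.
STEERED_RECORDS = [
    SrvRecord("dc2k3-a.corp.example", 0, 10),
    SrvRecord("dc2k3-b.corp.example", 0, 10),
    SrvRecord("dc2k8-a.corp.example", 0, 100),
    SrvRecord("dc2k8-b.corp.example", 0, 100),
]


def order_srv(records, rng=random):
    """Return the records in the order a client should try them (RFC 2782).

    Priorities are handled lowest first. Within a priority, weight-0 records
    are moved to the front of the candidate list, a random threshold in
    0..sum(weights) is drawn, and the first record whose running weight sum
    reaches the threshold is taken; this repeats until the group is empty.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # stable: zero-weight first
        while group:
            total = sum(r.weight for r in group)
            threshold = rng.randint(0, total)
            running = 0
            for i, rec in enumerate(group):
                running += rec.weight
                if running >= threshold:
                    ordered.append(group.pop(i))
                    break
    return ordered


def first_choice_share(records, trials=10000, seed=1):
    """Fraction of trials in which each DC is the first one the client tries."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0].target for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}


if __name__ == "__main__":
    for label, recs in (("default", DEFAULT_RECORDS), ("steered", STEERED_RECORDS)):
        print(label)
        for target, share in sorted(first_choice_share(recs).items()):
            print(f"  {target:<24} first choice in {share:.1%} of lookups")
```

With equal records the locator has no preference, so the order in which DCs answer the LDAP ping and the cached DC on each client decide who gets the logons; on a Windows client `nltest /dsgetdc:<domain> /force` re-runs the locator and shows the DC it settles on, and `nltest /dclist:<domain>` lists the DCs it knows about. The steered list reproduces what changing `LdapSrvWeight` (a REG_DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`) on the 2K3 DCs would do to the registered records.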