How do I tell from which domain controller the logonscript ran?


  • How do I tell from which domain controller the logonscript ran?

    Dear All,

    We have started to deploy RODCs at one of our clients, and in the pilot we've discovered that even though the LOGONSERVER is the local RODC, the general logonscript runs from a remote writeable DC. We can see this on the logon screen, as the general logonscript shows its status. Now I suspect that this might be due to the fact that most of our DCs are still Windows 2003 and the forest/domain level is also Windows 2003 (see the Known RODC issues page from Technet). The well-known KB944043 has been deployed on all Windows 2003 domain controllers and XP client PCs. Now we plan to set up a test user that would only have a very basic logonscript to see if that would run from the local RODC. How could we track from which DC this basic logonscript runs? Thanks in advance!

  • #2
    Re: How do I tell from which domain controller the logonscript ran?

    Put something like:
    Code:
    echo %logonserver% >C:\script.log
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



    • #3
      Re: How do I tell from which domain controller the logonscript ran?

      Thanks a lot, but the logonserver seems to be the RODC. So it seems that the authentication happens on the RODC, but when it comes to the logonscript it is being pulled from a remote writeable DC.



      • #4
        Re: How do I tell from which domain controller the logonscript ran?

        Can you confirm the sysvol directory has in fact replicated to the RODC?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: How do I tell from which domain controller the logonscript ran?

          Yes, it has, we checked that first.
          Btw. I've found the VBScript code that shows the server from which the logonscript runs (quite simple, only 3 lines):

          Code:
          ' Serverless bind: ADSI picks a domain controller and returns its rootDSE
          Set objDomain = GetObject("LDAP://rootDSE")
          ' dnsHostName of the DC that answered this LDAP bind (not necessarily the
          ' DC that authenticated the logon, which is what %LOGONSERVER% holds)
          strDC = objDomain.Get("dnsHostName")
          Wscript.Echo "Authenticating domain controller: " & strDC
          I'll use this in my test as well.



          • #6
            Re: How do I tell from which domain controller the logonscript ran?

            Test done, now I see what I feared: though the authentication happens on the RODC (once the pw is cached there), the logonscript still runs from a remote writeable DC. Checking Microsoft's "Known RODC issues" page I've found the following:

            Issue:
            Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.

            Workaround:
            Ensure that these client computers have connectivity to a writable domain controller when they make ADSI calls, even for read-only operations. ADSI calls to the writable domain controller will create additional WAN traffic.

            Now I'm not very keen on scripting, but I think even the few lines that I listed below contain ADSI calls, not to mention our logonscript, which checks group memberships and runs according to that. Did any of you encounter a similar problem? And if yes, is there a good resolution? This way the RODC function is more or less useless, as the biggest issue for us was the logon time caused by the logonscript...

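The thread mixes three different questions: which DC authenticated the user (the %logonserver% suggestion in #2), which share the script was read from, and which DC answered the ADSI call (the rootDSE snippet in #5, and the "Known RODC issues" behaviour in #6). The following logon script is an added example, not code from the thread or from Microsoft; it writes all three answers on one log line per logon so they can be compared side by side. The log path under %TEMP% and the domain names in the comments are assumptions; the "Known RODC issues" text quoted above is the reason the ADSI value is expected to differ from LOGONSERVER on XP/2003 clients when LOGONSERVER is an RODC.

```vbscript
' Added example (not from the thread): a minimal logon script that records
' three separately answered questions in one log line per logon:
'   1. which DC authenticated the user          -> %LOGONSERVER%
'   2. which path the script was launched from  -> WScript.ScriptFullName
'   3. which DC answered the ADSI (LDAP) bind   -> rootDSE dnsHostName
' On XP/2003 clients, 3 is expected to differ from 1 when 1 is an RODC.
Option Explicit
On Error Resume Next

Dim objShell, objFSO, objLog, objRootDSE, objSysInfo
Dim strLogonServer, strScriptPath, strAdsiDC, strSite, strLogFile, strLine

Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")

' 1. Authenticating DC: set by Winlogon at logon, read from the environment.
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")

' 2. Where this script was launched from. A domain-based path such as
'    \\corp.example\netlogon\logon.vbs (assumed name) hides the DC behind
'    the DFS referral; a server-based path (\\DC01\netlogon\...) names it.
strScriptPath = WScript.ScriptFullName

' 3. DC that answered a serverless ADSI bind. This is the kind of call that
'    the "Known RODC issues" page says XP/2003 ADSI sends to a writable DC.
Err.Clear
Set objRootDSE = GetObject("LDAP://rootDSE")
If Err.Number <> 0 Then
    ' No writable DC reachable (e.g. WAN link down): record the failure
    ' instead of aborting, so the log still shows the first two values.
    strAdsiDC = "ADSI bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
Else
    strAdsiDC = objRootDSE.Get("dnsHostName")
End If

' Site the client believes it is in, which explains which DCs are candidates.
Set objSysInfo = CreateObject("ADSystemInfo")
strSite = objSysInfo.SiteName
If Err.Number <> 0 Then
    strSite = "unknown"
    Err.Clear
End If

' Append one line per logon to a per-user log (path is an assumption).
strLogFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\logonscript-trace.log"
strLine = Now & vbTab & _
          "LOGONSERVER=" & strLogonServer & vbTab & _
          "SCRIPT=" & strScriptPath & vbTab & _
          "ADSI_DC=" & strAdsiDC & vbTab & _
          "SITE=" & strSite
Set objLog = objFSO.OpenTextFile(strLogFile, 8, True)   ' 8 = ForAppending
objLog.WriteLine strLine
objLog.Close

' Also show it on screen, as the one-liner in #2 and the snippet in #5 did.
WScript.Echo strLine
```

Assign it as the test user's logon script (or run it by hand with cscript) and compare the LOGONSERVER and ADSI_DC columns: a line where LOGONSERVER names the RODC but ADSI_DC names a remote writable DC reproduces the result reported in #6, while an "ADSI bind failed" entry shows what the same script does when no writable DC is reachable over the WAN.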