2008R2 DCs not being used to log on
  • 2008R2 DCs not being used to log on

    I have an environment with 4 domain controllers. Two are running 2003, and two are running 2008R2. One of the 2K3 DCs holds all FSMO roles. All DCs are GCs. The 2K3 servers are placed in the local site with most of the clients, while the 2008R2 ones are placed in the Datacentre. But there is only one site defined in AD (Default-First-Site-Name). So even if the clients are placed in the same site as the 2K3 DCs, they should still not prefer these DCs.

    The thing is that none of the 2008R2 DCs are being used to authenticate against the domain. There are no logon or logoff events in the security log of either 2008R2 DC, while there are plenty of such events on the 2K3 DCs. They all have the same audit policy.

    Even when you log on to servers/clients placed in the Datacentre, you will authenticate against the 2K3 DCs. There are no replication-related errors. Everything is being replicated back and forth just fine between the DCs, the 2K8 DCs have registered their SRV records in DNS, and they have the same weight and priority as the 2K3 ones.

    In other words, there is no reason why some users/clients shouldn't use the 2K8 DCs to log on, yet none of the users/clients are doing that.

    What could be the reason?

  • #2
    Re: 2008R2 DCs not being used to log on

    You should set up two sites and configure the subnets appropriately. You shouldn't want users in the office to authenticate against the datacenter DCs and vice versa.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com


    • #3
      Re: 2008R2 DCs not being used to log on

      The DCs outside of the Data Center will be removed in a couple of weeks. The Data Center DCs will then be the only ones users can authenticate against.


      • #4
        Re: 2008R2 DCs not being used to log on

        Even if the site doesn't contain DCs you should still set up and configure them.

        I would configure the sites, move the FSMO roles and then decommission as planned. Once you have decommissioned the DCs authentication will move to the ones in the datacenter. Be sure to clean up any old DNS records.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

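The site/subnet split, FSMO transfer and locator check that the reply above recommends, as an added PowerShell example (this is not code from the thread or from Microsoft). It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT, run against a 2008R2 DC (the 2003 DCs have no ADWS, so they cannot be the -Server target). Site names, subnets, DC names and the domain name corp.example are hypothetical placeholders.

```powershell
# Added example: carve Default-First-Site-Name into an office site and a datacentre
# site so the DC locator picks a DC by client subnet, then move the FSMO roles to a
# datacentre DC before the 2003 DCs are decommissioned. All names below are hypothetical.
Import-Module ActiveDirectory

$dc         = 'DC2008R2-A.corp.example'   # hypothetical 2008R2 DC to apply changes through
$office     = 'Office'
$datacentre = 'Datacentre'

# 1. Sites, and the subnets that map clients (and DCs) to them.
New-ADReplicationSite -Name $office     -Server $dc
New-ADReplicationSite -Name $datacentre -Server $dc
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site $office     -Server $dc   # hypothetical office LAN
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site $datacentre -Server $dc   # hypothetical DC subnet

# 2. A site link so replication (and site coverage once the office has no DC) works
#    between the two sites.
New-ADReplicationSiteLink -Name "$office-$datacentre" -SitesIncluded $office, $datacentre `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -Server $dc

# 3. Move each DC into its site (hypothetical DC names).
Move-ADDirectoryServer -Identity 'DC2003-A'   -Site $office     -Server $dc
Move-ADDirectoryServer -Identity 'DC2003-B'   -Site $office     -Server $dc
Move-ADDirectoryServer -Identity 'DC2008R2-A' -Site $datacentre -Server $dc
Move-ADDirectoryServer -Identity 'DC2008R2-B' -Site $datacentre -Server $dc

# 4. Transfer all five FSMO roles to a datacentre DC before the 2003 DCs go.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2008R2-A' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 5. Verify from a client or member server: which site does it think it is in, and which
#    DC does the locator now return? Netlogon re-registers site-specific SRV records after
#    the move, so give it a restart of the Netlogon service on each DC if the lookup lags.
nltest /dsgetsite
nltest /dsgetdc:corp.example /force
nslookup -type=SRV "_ldap._tcp.$datacentre._sites.dc._msdcs.corp.example"
"Logon server for this session: $env:LOGONSERVER"
```

Run the verification step from a machine on each subnet: a client on the office subnet should report the office site and an office DC, a datacentre host should report a datacentre DC. Once the 2003 DCs are demoted and their DNS records cleaned up, the office site has no DC of its own and the locator falls through to the datacentre site over the site link.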

        • #5
          Re: 2008R2 DCs not being used to log on

          I was reluctant to decommission the old DCs because I thought the new ones were not being authenticated against. It turned out that it was my Audit Policy that was the problem. Since this is an environment I have inherited, I have not set up the Audit Policies.

          To make a long story short, it was the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting that was causing the problem.

          http://support.microsoft.com/kb/921468/en-us

          Since it was set as enabled, nothing was being audited, besides Account Management. As soon as I disabled it, I received the correct Audit Policy, and now I can see plenty of Logon and Logoff events.

          auditpol /get /category:* now shows that my Audit Policy is working correctly.
          Last edited by Balthier; 26th December 2013, 20:54.

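A check for the situation the poster describes, as an added PowerShell example (not code from the thread or from Microsoft). It reads the registry value that the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting controls (SCENoApplyLegacyAuditPolicy, documented in the KB 921468 article linked above), parses the report-format output of auditpol /get /category:* for the logon and authentication subcategories, and then counts the Security-log events those subcategories produce. Run it elevated on each DC; the list of required subcategories is this example's choice, not something the post states.

```powershell
# Added example: why does this DC write no logon events? Run elevated on the DC.

# 1. The GPO setting the poster found maps to this registry value (KB 921468):
#    1 = enabled (the nine legacy categories are ignored, only per-subcategory settings apply),
#    0 or absent = disabled (legacy category settings apply).
$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = $lsa.SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $(if ($null -eq $override) { '<not set>' } else { $override })"

# 2. Effective per-subcategory policy. /r gives CSV, which is easier to filter than the
#    tabular output; columns include Subcategory and 'Inclusion Setting'.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

# Subcategories a DC needs for logon (4624/4625/4634) and authentication (4768/4769/4776)
# events. This list is the example's assumption about what the poster wants to see.
$required = @('Logon', 'Logoff', 'Credential Validation',
              'Kerberos Authentication Service', 'Kerberos Service Ticket Operations')

$missing = $policy | Where-Object {
    $required -contains $_.Subcategory -and $_.'Inclusion Setting' -eq 'No Auditing'
}

if ($missing) {
    "Subcategories with no auditing on ${env:COMPUTERNAME}:"
    $missing | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
    # Alternative to disabling the override: switch the subcategories on explicitly,
    # either via the Advanced Audit Policy Configuration GPO or per subcategory, e.g.
    #   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
} else {
    "All required logon/authentication subcategories are audited."
}

# 3. Confirm against the Security log itself rather than the policy: how many logon and
#    authentication events did this DC record in the last 24 hours?
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $since } `
    -ErrorAction SilentlyContinue
"Logon/authentication events since ${since}: $(@($events).Count)"
```

A DC that reports the override enabled, every required subcategory at "No Auditing" and an event count of zero is in the state the poster hit: the clients were authenticating against it, but nothing was being recorded. The same three checks on the 2K3 DCs would have shown the legacy category settings in force, which is why only they appeared to be doing any work.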

          • #6
            Re: 2008R2 DCs not being used to log on

            Glad to hear. Thanks for posting your solution.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
