Why are logon types on Domain Controller and Workstation different

Question

When I logon to a specific machine in an Active Directory domain, the logon type recorded in Event Viewer is 10, but the same event log on the domain controller is 3. Why are the all of logon on the domain controller are logon type 3 while the logon type in the machine is 10?

Answer 1

In short, you'll see an interactive or remote logon type recorded on your workstations or servers. On your domain controllers, you're seeing logon type 3 because the computers are authenticating against the DCs and they are also accessing the DC's SYSVOL share to read GPOs (Group Policy Objects).

On the computer that you are logging onto, you'll see either:

• 02: Interactive - A user logged on to this computer.
• 10: RemoteInteractive - A user logged on to this computer remotely using Terminal Services or Remote Desktop.
• 11: CachedInteractive - A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

On your domain controllers, you will see:

• 03: Network - A user or computer logged on to this computer from the network. In this case, your computer and user accounts are accessing the SYSVOL share for GPOs.

If you want to research further details, look for some of these documents:
Microsoft: Administrative tools and logon types
Microsoft: Audit logon events

Answer 2

See: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

Both should be Type 10. Since a lot is going on in a DCs Security log and on any login your account creates Type 3 Events on a DC, the "real" login event coming from your rdp session buildup might go under.

Filter for ID 4624 and look again. There should definitely be an event with Type 10 when connecting to the DC.