We have 2 DCs, one main and one backup at another site. We had some issues with our main DC and I believe a lot of people were pushed over to the backup DC. Is there a way to see everyone who is using a certain DC as their logon server without looking at each user individually?
2 Answers
The domain controller a user uses to log in against has to do with the Site config. If you haven't done anything about Sites, you have one big one. Users and computers will (within some bounds) pick a random DC in that site to log in against. If you do have separate Sites declared in AD, the login process will respect Site boundaries; it will only cross to another Site when all local DCs are not available. Once the local DCs are back up, it will log in to those.
Which is to say, no, there isn't a way to see who logged in against a specific Domain Controller short of hitting the Security log. Search for event ID 4624 to get Logon events. There will be a lot of them, as both computer and user logins record that event.
The one area that isn't as clear is where Group Policies are downloaded from. Computers will resolve the domain's DNS to get a list of domain controllers to pull from. That can cross sites, which may lead to slow GPO application times if this is happening. I believe you can weight the DNS entries to discourage use of the distant DC.

- Windows DNS is smart enough, to my knowledge, to also follow the Sites declaration. – TomTom Aug 02 '10 at 18:34
- We do have our sites configured in ADUC properly, and things should only fail over to the backup DC when the main one is unavailable. Due to some errors, I think our primary DC went down, and everyone was pushed over to the backup DC. We've been experiencing a lot of issues today, and I wanted to check if it was related to everyone failing over to the backup DC, but couldn't come up with an easy way to check who was actually logged into which DC without querying each user individually. – user44650 Aug 02 '10 at 19:34
None that I know of. That is normally assumed to be non-important information. You may be able to get some info out of the event log, but that will require correlating all event logs on the DCs and possibly tuning up standard output in the security area.

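One way to run the event ID 4624 search that both answers point to, across each DC's Security log, as an added example that is not part of the original answers. The DC host names and the eight-hour window are placeholders (assumptions), and the account running it needs rights to read the Security log remotely.

```powershell
# Added example: summarise which user accounts logged on against each DC.
# DC names and the time window are placeholders (assumptions); replace them.
$DomainControllers = 'DC-MAIN.example.local', 'DC-BACKUP.example.local'
$Since = (Get-Date).AddHours(-8)

$logons = foreach ($dc in $DomainControllers) {
    try {
        # Event ID 4624 = successful logon; filter by time to limit the volume
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4624
            StartTime = $Since
        }
    }
    catch {
        # Unreachable DC, access denied, or no matching events in the window
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Turn the named <Data> fields of the event into a lookup table
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Computer accounts end in '$'; skip them to keep user logons only
        if ($data['TargetUserName'] -like '*$') { continue }

        [pscustomobject]@{
            DC        = $dc
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

# One row per DC and user, with logon count and most recent logon
$logons | Group-Object DC, User | ForEach-Object {
    [pscustomobject]@{
        DC        = $_.Group[0].DC
        User      = $_.Group[0].User
        Logons    = $_.Count
        LastLogon = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object DC, User | Format-Table -AutoSize
```

Comparing the per-DC row counts before and after the outage window shows whether logons shifted to the backup DC and whether they have moved back.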