Wow.. This is complicated stuff!

Thanks so much for the info!

Jose :-)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, April 14, 2006 12:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

Just be aware that the %Logonserver% value is not updated if the secure
channel drifts after logon and does not necessarily mean that the server
has always had its secure channel with that machine.  This can happen if
the machine experiences an error communicating with that logon server.
If you run nltest /sc_query:<domain> on the member server, where domain
is the member server's domain, then you can see what DC you currently have
your secure channel with and are doing pass-through authentication with.
You can then go to that DC and, if the accounts are from another domain,
find out what DC in that account domain it has its secure channel with.
You basically need to build the pass-through authentication path, which
can be quite complex when many domains and servers are involved.  This
is assuming that you are using NTLM.  If you are using Kerberos then the
machine that you have your secure channel with and the logonserver
variable only tell you a state in time, and this can change over time, and
unless it is doing protocol transition or delegation the client is doing
all of the heavy lifting up front to get a ticket.  If you think you are
having performance issues because you are going to a remote DC and
believe you are using NTLM, you can turn up netlogon logging with a
dbflag of 0x2080ffff for general logging and see how long it is taking
as well as if the secure channel is failing or changing.  Once you find
the DCs involved you could use Server Performance Advisor (assuming
Windows Server 2003) and see what type of authentication load they are
handling.  I mention this because I have seen cases where group
expansion is killing the DCs' response time, and that will be apparent in
the SPA report.  Also be aware that if these reporting servers or
database server, depending on exactly how it is configured, are doing
many NTLM pass-through authentications a second, they could be
running into the maxconcurrentapi limitation that is described here:
http://support.microsoft.com/kb/326040/en-us and can try bumping it up
to see if it helps; this is assuming everything else checks out and is
healthy and that you are using NTLM.  I assume that these servers
pulling reports are doing it on behalf of users and authenticating those
users, i.e. a multi-tiered application?  Anyway, probably more
information than you really wanted to know, but if you can fill in some
of the blanks on what errors you are seeing and the typical access flow
for the servers involved we may be able to comment more.  Also, on
which servers you are seeing the authentication errors will also help.

Thanks,

-Steve
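The procedure Steve describes above (query the member server's secure channel with nltest, then hop to that DC and query its secure channel for the account domain, then check the MaxConcurrentApi setting from KB 326040 on the DCs involved) can be scripted. The following is an added example, not from the thread or from any of the posters; it assumes nltest.exe is on PATH on a management host, that the account running it can run nltest against the named servers and read the Netlogon registry key on them remotely, and it uses the "Trusted DC Name" / "Trusted DC Connection Status" lines that nltest /sc_query prints.

```powershell
# Added example (not part of the thread): walk the NTLM pass-through
# authentication path and report the MaxConcurrentApi setting on each DC.
# Assumes nltest.exe is available and the caller has rights on the servers named.

function Get-SecureChannelDC {
    param(
        [Parameter(Mandatory)] [string]$Domain,      # domain whose secure channel to query
        [string]$Server = $env:COMPUTERNAME          # member server or DC to ask
    )
    # nltest /sc_query prints lines such as:
    #   Trusted DC Name \\dc01.usa.example.com
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    # (dc01.usa.example.com is a constructed placeholder name)
    $out    = & nltest.exe "/sc_query:$Domain" "/server:$Server" 2>&1
    $dc     = $null
    $status = $null
    foreach ($line in $out) {
        if ($line -match '^Trusted DC Name\s+\\\\(\S+)')                  { $dc     = $Matches[1] }
        if ($line -match '^Trusted DC Connection Status Status = (.+)$') { $status = $Matches[1].Trim() }
    }
    [pscustomobject]@{
        Server  = $Server
        Domain  = $Domain
        DC      = $dc                                   # $null if the query failed
        Status  = if ($status) { $status } else { ($out -join ' ') }  # raw nltest text on failure
    }
}

function Get-MaxConcurrentApi {
    param([Parameter(Mandatory)] [string]$ComputerName)
    # Reads the Netlogon MaxConcurrentApi value discussed in KB 326040.
    # $null means the value is not set and the OS default applies.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MaxConcurrentApi
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; MaxConcurrentApi = $val }
    }
}

function Trace-PassThroughPath {
    param(
        [Parameter(Mandatory)] [string]$MemberServer,   # e.g. the reporting server
        [Parameter(Mandatory)] [string]$MemberDomain,   # the member server's own domain
        [Parameter(Mandatory)] [string]$AccountDomain   # domain the user accounts live in
    )
    # Hop 1: which DC does the member server hold its secure channel with?
    $hops = @()
    $first = Get-SecureChannelDC -Domain $MemberDomain -Server $MemberServer
    $hops += $first

    # Hop 2: if the accounts are in another domain, ask that DC which DC in the
    # account domain it trusts. Longer trust paths would need further hops.
    if ($first.DC -and ($AccountDomain -ne $MemberDomain)) {
        $hops += Get-SecureChannelDC -Domain $AccountDomain -Server $first.DC
    }

    foreach ($hop in $hops) {
        $hop | Format-List | Out-String | Write-Output
        if ($hop.DC) {
            Get-MaxConcurrentApi -ComputerName $hop.DC | Format-Table -AutoSize | Out-String | Write-Output
        }
    }
}

# Example invocation with constructed names:
# Trace-PassThroughPath -MemberServer 'RPTSRV01' -MemberDomain 'USA' -AccountDomain 'CORP'
```

A failed hop shows up as DC = $null with the raw nltest text in Status (for example the ERROR_NO_LOGON_SERVERS condition from the netdiag output quoted later in the thread). If the secure channel moves between runs, that is the drift Steve warns about, and the netlogon debug log (enabled with nltest /dbflag:0x2080ffff, written to %SystemRoot%\debug\netlogon.log) is where to look for the timing and the channel changes.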

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 14, 2006 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

Hi Brian, 

Thanks again for the command %Logonserver%, after you sent it, I
remembered the command I was looking for is " Set ", I just forgot, and
your system variable reminded me.

Thanks again.

Jose

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, April 13, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

Well.. I am not really supposed to list any server names, or mention our
OU structure on the list. But, if you're savvy, you can verify my email
domain name and figure out where I am having the problem at. :-)

I am thinking this may be a cost issue for our site, and the Oracle
servers are going to the wrong DC for authentication!

Thank you so much for the help!

Jose

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, April 13, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

You work for an imaginary company? :-)

You can check the secure channel using nltest, as follows:

Nltest /sc_query:<domain> /server:<server_name>

e.g.

Nltest /sc_query:MYDOM /server:MYSRV

Tony

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, 14 April 2006 11:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user
account?

Greetings, 

We seem to be having intermittent authentication errors on several
servers that are pulling reports from our SQL & Oracle database clusters
and the site that I am located in at an imaginary company.  I remember
using a command in NT 3.51 that told you the PDC or BDC that processed
your logon or authenticated you, but forgot it. I tried srvinfo and it
only shows you the PDC emulator in the domain; is there a recommended
tool for Active Directory? We don't have USRSTAT, is that it? Is it
NETDOM or NLTEST?

Also, when I run NETDIAG the following errors appear:

Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for " Oracle server name
".

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC ' ******"

    [WARNING] Failed to query SPN registration on DC ' ' ******"

    [WARNING] Failed to query SPN registration on DC ' ' ******"

    [WARNING] Failed to query SPN registration on DC ' ' ******"

    [WARNING] Failed to query SPN registration on DC ' ' ******"

Trust relationship test. . . . . . : Failed
    Secure channel for domain ' USA' is to '\\usa.server.com'.
    [FATAL] Cannot test secure channel for domain 'USA" to DC '
server06'. [ERROR_NO_LOGON_SERVERS]

----------------------------------------------------------------------------------------------------------------------

Sincerely,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/