Specifying AD server to authenticate against....

Discussion in 'Active Directory' started by Jef A, Jan 30, 2007.

  1. Jef A

    Jef A Guest

    I am wondering what tools i can use to monitor what server my workstations
    authenticate against. Also what tool can i use to monitor other AD
    activities like this?

    I have been looking in the event log on each of my domain controllers but i
    would like to know if there is a better way.
    Jef A, Jan 30, 2007
    1. Advertisements

  2. Jef A

    Herb Martin Guest

    From a workstation command prompt, you can just type:

    set logonserver

    For collecting it at the DCs, you need to enable Account Logon Auditing.
    What specifically do you want?

    You can buy things to collect and filter these logs more dynamically....
    Herb Martin, Jan 30, 2007
    1. Advertisements

  3. Hello Jef,

    you can use NLTest to verify to which DC a client has a secure channel. You
    can also query the variable Logonserver.

    If you have your site-structure configured in Active Directory and DNS is
    working correctly your clients will usually log onto the domaincontrollers
    within the site they are currently in.

    Gruesse - Sincerely,

    Ulf B. Simon-Weidner

    Profile & Publications:
    Weblog: http://msmvps.org/UlfBSimonWeidner
    Website: http://www.windowsserverfaq.org
    Ulf B. Simon-Weidner [MVP], Jan 30, 2007
  4. There are some diagnostic tools you can use to monitor AD, dcdiag, netdiag
    and repadmin for starters:

    If you don't have the tools installed, install them from your server install

    Run dcdiag, netdiag and repadmin in verbose mode.
    -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
    -> netdiag.exe /v > c:\netdiag.log (On each dc)
    -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

    If you download a gui script I wrote it should be simple to set and run
    (DCDiag and NetDiag). It also has the option to run individual tests
    without having to learn all the switch options. The details will be output
    in notepad text files that pop up automagically.

    The script is located in the download section on my website at

    Just select both dcdiag and netdiag make sure verbose is set. (Leave the
    default settings for dcdiag as set when selected)

    When complete search for fail, error and warning messages.
    Paul Bergson [MVP-DS], Jan 31, 2007
  5. Jef A

    Herb Martin Guest

    For your consideration:

    Paul, this is just my opinion but noticing that you generally recommend
    /E for DCDiag, I would suggest rethinking this.

    /E can take an (obnoxiously) long time with more than a couple of DCs
    (one guy I helped didn't even have sites setup yet but had 16 sites and
    DCs) and even for those with only 2-Few DCs if they are running this
    there is a good chance the DCs cannot find each other, DNS is hosed,

    Generally, I like to get them to run EACH DCDiag on each DC, saving
    the output separately.

    Another reason, is that since DCDiag produces so much output, for
    newcomers looking through the output of a bunch of DCs all in one
    file can be even more overwhelming.
    Herb Martin, Jan 31, 2007
  6. I would agree that it takes a long time and can put a disclaimer on it but
    when users don't do an enterprise diagnostic they can miss where the problem
    exists. But your point is well taken and of value. I keep certain
    responses stored so I can post as opposed to just pointing them to a web
    Paul Bergson [MVP-DS], Jan 31, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.