Last user login information differs on Active Directory Servers


Guest

Hi,

In our environment we have three Active Directory servers. The replication is
configured and seems to work. With repadmin the replication shows proper time
and value replication.
As far as I know, the user logon information should be replicated across
the Active Directory servers as well, but in our case this doesn't happen. When I log on
to the several AD controllers, they all have different information about the
same user.
Has anyone an idea?

regards tibeat

Florian Frommherz

Howdie!
As far as I know, the user logon information should be replicated across
the Active Directory servers as well, but in our case this doesn't happen. When I log on
to the several AD controllers, they all have different information about the
same user.

No, the lastLogon attribute won't replicate across the domain
controllers. Every domain controller holds a separate "last logon"
timestamp for each object.

cheers,

Florian

Paul Bergson [MVP-DS]

This attribute is unique for each user. If you want to find out the last
logon across all DCs then you will have to program it or get hold of a
third-party solution. I have a script that will list this out for you.

http://www.pbbergs.com
Select downloads and click on "Account Attributes"

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Richard Mueller

tibeat said:
In our environment we have three Active Directory servers. The replication is
configured and seems to work. With repadmin the replication shows proper time
and value replication.
As far as I know, the user logon information should be replicated across
the Active Directory servers as well, but in our case this doesn't happen. When I log on
to the several AD controllers, they all have different information about the
same user.
Has anyone an idea?

Besides lastLogon, several other attributes are not replicated: badPwdCount,
badPasswordTime, directReports, logonCount, uSNChanged, uSNCreated,
whenChanged, and others. A different value will be saved on each DC.

Guest

Hi Richard

How then do the DCs know when to disable a user account? We have set 5 bad
login attempts until the account gets locked. If they contact different DCs, can
the users then try 5 times on each DC? Or do the DCs accumulate the bad logon
tries?

Thanks for answering

tibeat

Harj

Hi,

Bad logon attempts have nothing to do with the lastlogon attribute.
When a DC receives logon credentials, it checks with itself to see if
this username and password are correct. If so, the client logs in and
the lastlogon attribute is changed to match the logon time on that DC.

When a DC detects that an authentication attempt did not work and a
condition of STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED,
STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned,
the DC forwards the authentication attempt to the primary domain
controller (PDC) emulator operations master. Essentially, the DC
queries the PDC to authoritatively determine if the password is
current. The DC queries the PDC for this information because the domain
controller may not have the most current password for the user but, by
design, the PDC emulator operations master always has the most current
password.

The authentication request is retried by the PDC emulator operations
master to verify that the password is correct. If the PDC emulator
operations master rejects the bad password, the PDC emulator operations
master increments the badPwdCount attribute for that user object.
The failed logon result information is sent by the PDC emulator
operations master to the authenticating DC, which in turn also
increments its copy of the badPwdCount attribute.
As the account policy is within the Default Domain Policy, which in turn
is applied to the domain controllers, when this badPwdCount reaches the
threshold you set, it locks out the account.

More information can be found at the following link

Account Lockout and Password Concepts
http://technet2.microsoft.com/Windo...b448-4573-af4e-154daa57e8351033.mspx?mfr=true

Good Luck

Harj Singh
Asset Management done right
www.specopssoft.com
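Putting the answers above together (the per-DC lastLogon that Florian and Paul describe, the other non-replicated attributes Richard lists, and the badPwdCount / PDC emulator handling Harj explains), here is an added PowerShell example; it is not code from any poster in this thread or from the linked download. It asks every domain controller in the domain for its own copy of these attributes, reports the newest lastLogon any DC holds (the real "last logon"), and shows the PDC emulator's badPwdCount beside the domain lockout threshold. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine that can reach each DC over Active Directory Web Services; the function name and the account name `jdoe` are placeholders chosen for this example.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# on a domain-joined machine that can reach every DC over ADWS.
Import-Module ActiveDirectory

function ConvertFrom-ADFileTime {
    param([Int64]$FileTime)
    # lastLogon, badPasswordTime and lockoutTime are 64-bit FILETIME values; 0 means "never".
    # [DateTime]::FromFileTime(0) would print 1601-01-01, so map 0 to $null instead.
    if ($FileTime -eq 0) { return $null }
    return [DateTime]::FromFileTime($FileTime)
}

function Get-NonReplicatedUserState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy
    $pdc    = $domain.PDCEmulator
    # lastLogon, badPwdCount and badPasswordTime are kept per DC and never replicate.
    # lockoutTime and lastLogonTimestamp do replicate (lockoutTime urgently); they are
    # pulled alongside so the difference is visible in the output.
    $attrs = 'lastLogon','badPwdCount','badPasswordTime','lockoutTime','lastLogonTimestamp'

    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to one DC so we read that DC's private copy.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties $attrs -ErrorAction Stop
            [pscustomobject]@{
                DC                 = $dc.HostName
                IsPdcEmulator      = ($dc.HostName -ieq $pdc)
                LastLogon          = ConvertFrom-ADFileTime $u.lastLogon
                BadPwdCount        = $u.badPwdCount
                BadPasswordTime    = ConvertFrom-ADFileTime $u.badPasswordTime
                LockoutTime        = ConvertFrom-ADFileTime $u.lockoutTime
                LastLogonTimestamp = ConvertFrom-ADFileTime $u.lastLogonTimestamp
            }
        } catch {
            # A DC that is down or has no ADWS is reported, not silently skipped:
            # a missing row would make the "true" last logon wrong.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # The real last logon is the newest value any DC holds.
    $latest = $rows | Where-Object { $_.LastLogon } |
              Sort-Object LastLogon -Descending | Select-Object -First 1
    $pdcRow = $rows | Where-Object { $_.IsPdcEmulator }

    [pscustomobject]@{
        User              = $SamAccountName
        PerDC             = @($rows)
        TrueLastLogon     = $latest.LastLogon
        LastLogonSeenOn   = $latest.DC
        PdcBadPwdCount    = $pdcRow.BadPwdCount      # every DC forwards failures to the PDC emulator
        LockoutThreshold  = $policy.LockoutThreshold # 0 means lockout is disabled
        ObservationWindow = $policy.LockoutObservationWindow
    }
}

# Usage ('jdoe' is a placeholder account name):
$state = Get-NonReplicatedUserState -SamAccountName 'jdoe'
$state.PerDC | Format-Table DC, IsPdcEmulator, LastLogon, BadPwdCount, BadPasswordTime, LockoutTime -AutoSize
$state | Select-Object User, TrueLastLogon, LastLogonSeenOn, PdcBadPwdCount, LockoutThreshold, ObservationWindow
```

Two things worth knowing when reading the output. The per-DC badPwdCount values will legitimately differ, because only the PDC emulator sees every failure; the PDC's count is the one that decides the lockout, and it resets after the observation window. And lastLogonTimestamp (available from the Windows Server 2003 forest functional level) is replicated, but by design it is refreshed only when the stored value is roughly 9 to 14 days stale, so it is fine for stale-account reports and wrong for "when did this user last log on".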