How to write a PowerShell script to check if PCs and/or Users are authenticating to the correct domain controller

  • General discussion

  • I am tasked with writing a PowerShell script to determine which PCs and/or Users are authenticating to the correct domain controller across our entire enterprise and to export the data into a report. I do not have any experience writing scripts and do not know where to begin. I have taken the initiative to secure some reading material but this journey is going to be a long one.

    I would appreciate any assistance from any of you IT pros. 

    Thanks,

    Kano

    • Changed type Bill_Stewart Wednesday, September 13, 2017 9:05 PM
    • Moved by Bill_Stewart Wednesday, September 13, 2017 9:06 PM This is not directory services forum
    Friday, July 21, 2017 1:49 PM

All replies

  • To add to Richard's excellent comments.  AD login DCs are chosen dynamically. This is usually the closest DC to the workstation but network conditions and DC load can cause a different DC to be used.  Each request to AD can select a new DC for the request although once logged in there is generally no need to contact a DC.

    If you are having login performance issues you should just check the performance stats for all DCs to see why they may be slow. All DC diags should be run to determine if the AD network is running correctly.


    \_(ツ)_/

    Friday, July 21, 2017 2:56 PM
  • Thanks Richard and JRV. Next week I will try your suggestions.

    Regards,

    Kano

    Friday, July 21, 2017 5:17 PM
  • My question is, "what does 'correct domain controller' mean?"

    Any domain controller can authenticate a user. As jrv pointed out, the domain controller that authenticates the user should be pretty efficient, if the AD sites are set up correctly and the domain controllers aren't overloaded.

    But this is a directory services design and deployment issue, not a scripting issue.


    -- Bill Stewart [Bill_Stewart]

    Friday, July 21, 2017 5:58 PM
  • Bill brings up an important issue.  Many installations I have seen have failed to define sites and subnets.  Sites and subnets help AD work more efficiently.  The hosts will ask for service at the subnet level and never try to poll an AD that is off-subnet unless no DCs are on the subnet.  Sites provide a geographical hint that tells AD that different sites are possible at some distance logically.

    S&S also allows nodes to select the closest resources like printers and message queues.  No need to fiddle with IP network calculations.  Just retrieve the site and location then scan for the resource by location.

    Be sure your subnets and sites are defined and defined correctly.


    \_(ツ)_/

    Friday, July 21, 2017 6:12 PM
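
The site and subnet comparison described in the reply above, as an added example that is not part of the original thread: it maps each client IP to an AD site by longest-prefix match and flags logons answered by a DC in a different site. All subnets, site names, DC names, hosts and the CSV file name are constructed assumptions; in a live domain the tables would come from `Get-ADReplicationSubnet`, `Get-ADDomainController` and each PC's `LOGONSERVER` value.

```powershell
# Constructed sample data (assumption). In a live domain these would come from
# Get-ADReplicationSubnet -Filter * and Get-ADDomainController -Filter * (RSAT).
$Subnets = @(
    [pscustomobject]@{ Cidr = '10.1.0.0/16';  Site = 'HQ' }
    [pscustomobject]@{ Cidr = '10.2.0.0/16';  Site = 'Branch-A' }
    [pscustomobject]@{ Cidr = '10.2.50.0/24'; Site = 'Branch-B' }
)
$DcToSite = @{ 'DC-HQ-01' = 'HQ'; 'DC-A-01' = 'Branch-A'; 'DC-B-01' = 'Branch-B' }
# Constructed observations: the DC name is what $env:LOGONSERVER reports on each PC.
$Logons = @(
    [pscustomobject]@{ Computer = 'PC-HQ-014'; IP = '10.1.4.20';   LogonServer = '\\DC-HQ-01' }
    [pscustomobject]@{ Computer = 'PC-A-007';  IP = '10.2.3.15';   LogonServer = '\\DC-HQ-01' }
    [pscustomobject]@{ Computer = 'PC-B-002';  IP = '10.2.50.9';   LogonServer = '\\DC-B-01' }
    [pscustomobject]@{ Computer = 'PC-C-001';  IP = '192.168.7.5'; LogonServer = '\\DC-A-01' }
)

# Dotted-quad IPv4 string -> 64-bit integer, so prefixes can be compared with shifts.
function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# Longest-prefix match: the most specific subnet containing the IP decides the site.
# Returns $null when no subnet object covers the address.
function Get-SiteForIp ([string]$Ip, $SubnetTable) {
    $addr = ConvertTo-IPv4Number $Ip
    $best = $null; $bestLen = -1
    foreach ($s in $SubnetTable) {
        $net, $len = $s.Cidr -split '/'
        $shift = 32 - [int]$len
        $inNet = ($addr -shr $shift) -eq ((ConvertTo-IPv4Number $net) -shr $shift)
        if ($inNet -and [int]$len -gt $bestLen) { $best = $s.Site; $bestLen = [int]$len }
    }
    $best
}

$report = foreach ($l in $Logons) {
    $clientSite = Get-SiteForIp $l.IP $Subnets
    $dc         = $l.LogonServer.TrimStart('\')
    $serverSite = $DcToSite[$dc]
    $status = 'OutOfSite'                                          # DC is in another site
    if ($clientSite -eq $serverSite) { $status = 'InSite' }
    if (-not $serverSite) { $status = 'UnknownDC' }                # DC not in the table
    if (-not $clientSite) { $status = 'NoSubnetDefined' }          # IP maps to no AD subnet
    [pscustomobject]@{ Computer = $l.Computer; IP = $l.IP; ClientSite = $clientSite
                       LogonServer = $dc; ServerSite = $serverSite; Status = $status }
}
$report | Format-Table -AutoSize
# $report | Export-Csv -Path .\dc-site-report.csv -NoTypeInformation   # hypothetical file name
```

With the sample data, PC-A-007 is reported as `OutOfSite` and PC-C-001 as `NoSubnetDefined`, the missing-subnet case the reply warns about.
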
  • Bill,

    The correct domain controller is the one for each of our branch locations. So the task I was given was to determine if PCs and users were authenticating to the domain controller for their respective location rather than authenticating to a domain controller from a different branch location. Hope this clarifies your question. My job is Desktop Support Level II and scripting is new to me. 

    Thanks,

    Kano

    Monday, July 24, 2017 3:16 PM
  • The correct domain controller is the one for each of our branch locations.

    The question is whether the idea in your mind of a "correct" domain controller matches how your domain's Active Directory sites and services is actually configured. That is an AD architecture/design question and is not within the scope of this forum.


    -- Bill Stewart [Bill_Stewart]


    Monday, July 24, 2017 4:03 PM
  • All the answers make sense to me. I think the IT Manager was asking for which domain controllers the PCs/users were authenticating to rather than the "correct" domain controllers. At least now I have a framework on where to begin.

    Thanks,

    Kano

    Monday, July 24, 2017 4:51 PM