Im seeing some oddities relating to either authentication events or the logs themselves. My question is do the authentication events or the logs replicate across domain controllers?
Im seeing the same failed login attempt from two different domain controllers (the login attempts are being made by me as part of a test).
Im am attempting to login directly to the smb service on a windows 2003 controller (yes I am well aware its out of date) I am seeing the same event on a 2008 controller.
Any guidance would be appreciated.
Best Answer
It sounds like it's working as expected. When authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. That would explain the behavior you're seeing. I'm assuming that one of the two DC's in question is the PDCe. See the additional information under the Urgent Replication of Account Lockout Changes section of this article:
https://technet.microsoft.com/en-us/library/cc961787.aspx