Your network has a single Active Directory domain with two domain controllers, both running Windows Server 2003 Service Pack 2. Auditing of successful account logon events is enabled on all computers in the domain. You want to determine the last time a specific user successfully logged on to the domain. Where should you look for this information?

Difficulty: Medium

Correct Answer: Examine the Security event log on both domain controllers

Explanation:


Introduction / Context:
In an Active Directory environment, when a domain user logs on, the authentication is handled by a domain controller. The domain controller records events related to account logon in its Security event log, especially when auditing of successful account logon events is enabled. This question tests your understanding of where to find authoritative information about user logon times in a setup with multiple domain controllers.

Given Data / Assumptions:

  • There is a single Active Directory domain.
  • The domain has two domain controllers, both running Windows Server 2003 SP2.
  • Auditing of successful account logon events is enabled across the domain.
  • You want to determine the last successful logon time for a specific domain user.
  • User computers may cache some information, but domain controllers handle authentication.

Concept / Approach:
When a user logs on to the domain, the domain controller that processes the logon request writes a Security log event indicating a successful account logon. Because there are two domain controllers, either one may handle a particular logon depending on site, replication, and load. Therefore, you must analyze the Security event logs on both domain controllers to be sure you find the most recent logon event for the user. System or Application logs are not the correct place to look for account logon auditing information.

Step-by-Step Solution:
Step 1: Identify that account logon auditing events are stored in the Security event log on the domain controllers.
Step 2: Recognize that either of the two domain controllers may have processed the most recent logon.
Step 3: On each domain controller, open Event Viewer and select the Security log.
Step 4: Filter or search the Security log for successful logon events associated with the specific user account.
Step 5: Compare timestamps from both domain controllers and determine the latest successful logon time.

Verification / Alternative check:
To verify, you can create a test logon with the target user account and then immediately query the Security logs on both domain controllers. You will see a corresponding successful account logon event on the controller that handled the authentication. From this you can confirm the event ID and fields used to track logon time. Repeated logons will generate additional events, and the most recent timestamp will reflect the last successful logon.
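
Steps 4 and 5 above, as an added example that is not part of the original page: it merges Security log rows from both domain controllers, keeps only successful account logon events for one account, and refuses to answer if a controller's log is missing. The column layout, sample rows, account names and the function names are constructed for illustration; the event IDs 672 and 680 are an assumption to confirm with the test logon described above.

```python
import csv
import io
from datetime import datetime

# Constructed sample: Security log rows exported from each DC and normalised
# to these columns (an assumed layout, not a native Event Viewer format).
SAMPLE_EXPORT = """\
dc,time_utc,event_id,audit_type,account
DC1,2009-03-02 08:01:15,672,Success,jsmith
DC1,2009-03-02 08:05:40,672,Success,adavis
DC2,2009-03-03 17:42:09,672,Success,JSmith
DC2,2009-03-04 09:10:00,672,Failure,jsmith
DC1,2009-03-01 12:00:00,680,Success,jsmith
DC2,2009-03-04 09:30:00,538,Success,jsmith
"""

# Assumption: 672 (Kerberos ticket granted) and 680 (NTLM) are the account
# logon IDs to match; confirm them with a test logon as the page describes.
LOGON_EVENT_IDS = {672, 680}

def last_successful_logon(rows, account, required_dcs):
    """Return (timestamp, dc) of the newest successful account logon.

    Raises ValueError if any DC in required_dcs contributed no rows at all,
    because a missing log makes the answer unreliable.
    """
    seen_dcs, best = set(), None
    for row in rows:
        seen_dcs.add(row["dc"])
        if int(row["event_id"]) not in LOGON_EVENT_IDS:
            continue
        if row["audit_type"] != "Success":
            continue
        if row["account"].lower() != account.lower():
            continue
        when = datetime.strptime(row["time_utc"], "%Y-%m-%d %H:%M:%S")
        if best is None or when > best[0]:
            best = (when, row["dc"])
    missing = set(required_dcs) - seen_dcs
    if missing:
        raise ValueError(f"no Security log data from: {sorted(missing)}")
    return best

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    print(last_successful_logon(load(SAMPLE_EXPORT), "jsmith", ["DC1", "DC2"]))
```

Timestamps from both controllers must be in the same time zone before they are compared; the sample assumes UTC.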

Why Other Options Are Wrong:
Options A and B reference the System event logs, which focus on operating-system-level events such as driver or service failures, not account logon auditing. Option D references the Application log on the user computer, which typically contains application-level events but not domain account logon records. Only the Security event logs on the domain controllers contain the audited account logon information needed to answer the question accurately.

Common Pitfalls:
Administrators sometimes look at local security logs on the client machine instead of the domain controller, which may lead to incomplete or misleading information. Another mistake is to check only one domain controller in an environment where multiple domain controllers can authenticate users. To be certain about the last logon time, you must consider all domain controllers that might have serviced the user, especially in larger or multi-site environments.

Final Answer:
You should examine the Security event logs on both domain controllers.
