?
Solved

Client selection of a domain controller

Posted on 2011-09-28
5
Medium Priority
?
758 Views
Last Modified: 2012-05-12
Hopefully simple question, but information on this specific scenario isn't easy to find based on technet and google searches, so here goes:

Let's say you have 2 sites defined in Active Directory, and each of these sites has a dozen or more subnets defined within them.  What mechanism is used for a client to locate a DC for authentication if it lives on a subnet NOT defined in these two sites?  I know that in theory it should be able to authenticate against any responding DC in the enterprise, but I can't remember what mechanism is used when the client is configured with an IP that is not defined in any site.

At one time, a long time ago, I seemed to remember something about determining the closest DC based on hop count.  Is this true?

I've found lots of info on how sites work in AD, but less on how the exception computers (not in any site) locate a DC and authenticate.
0
Comment
Question by:patriots
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 400 total points
ID: 36719435
0
 
LVL 10

Accepted Solution

by:
abhijitwaikar earned 600 total points
ID: 36719472
how the exception computers (not in any site) locate a DC and authenticate.
It all depends on how do you assign the preferred, alternet DNS IP's to workstations.

Every DC publish SRV records in DNS, These SRV records describe the types of services that the DC provides. AD-enabled clients search for the appropriate DNS SRV records. The first time when workstation authenticates to its domain it issues the DNS query to DNS serveice it responds back with available DC with list of SRV records in domain then clients select lowest priority SRV record and request DC to authentication or applications.

SRV records perform important role in Active Directory, AD clients and domain controllers use SRV records to determine the IP addresses of domain controllers.

The choice of the DC to authenticate is made via DC Locator process which provides the nearest DCs and SRV records of DCs which allow to choose which is the privileged DC to choose.

Refer:
http://technet.microsoft.com/en-us/library/cc961830.aspx
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx



0
 
LVL 13

Expert Comment

by:Govvy
ID: 36719473
"Clients with No Apparent Site
Sometimes the client pings a domain controller and the client IP address cannot be found in the subnet-to-site mapping table. In this case, the domain controller returns a NULL site name, and the client uses the returned domain controller."

As above it is a random DC: http://technet.microsoft.com/en-us/library/cc978016.aspx
0
 

Author Comment

by:patriots
ID: 36719580
nearest DC being whichever one is the closest via hop count I assume right?  What happens if there are two DC's with the same hop count, or same "distance" from the client?

In our situation, there are two DNS servers being handed out to our clients:
Server A is on the LAN, and it is the primary DNS server
Server B is across a high speed WAN link at a DR site, and it is the secondard DNS server
All servers are global catalogs

I'm doing all of this research namely b/c we have some Group Policies that seem to apply rapidly on one computer but not on another.  These computers live on subnets that are not defined in any site, and I'm theorizing that we are getting inconsistent GPO application performance due to clients that live on these subnets not defined in any site.  It seems like these clients could conceivably receive a policy setting from a DC that is not optimally located, thereby causing some "lag" time in applying policies properly.
0
 
LVL 13

Expert Comment

by:Govvy
ID: 36815008
You are correct regarding the inconsistency as DC selection in this case would be random
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses
Course of the Month7 days, 19 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question