Solved

Client selection of a domain controller

Posted on 2011-09-28
735 Views
Last Modified: 2012-05-12
Hopefully simple question, but information on this specific scenario isn't easy to find based on technet and google searches, so here goes:

Let's say you have 2 sites defined in Active Directory, and each of these sites has a dozen or more subnets defined within them.  What mechanism is used for a client to locate a DC for authentication if it lives on a subnet NOT defined in these two sites?  I know that in theory it should be able to authenticate against any responding DC in the enterprise, but I can't remember what mechanism is used when the client is configured with an IP that is not defined in any site.

At one time, a long time ago, I seemed to remember something about determining the closest DC based on hop count.  Is this true?

I've found lots of info on how sites work in AD, but less on how the exception computers (not in any site) locate a DC and authenticate.
Question by:patriots
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 36719435
 
LVL 10

Accepted Solution

by:abhijitwaikar
abhijitwaikar earned 150 total points
ID: 36719472
"how the exception computers (not in any site) locate a DC and authenticate."
It all depends on how you assign the preferred and alternate DNS IPs to the workstations.

Every DC publishes SRV records in DNS. These SRV records describe the types of services that the DC provides, and AD-enabled clients search for the appropriate DNS SRV records. The first time a workstation authenticates to its domain, it issues a DNS query to the DNS service, which responds with the available DCs as a list of SRV records for the domain; the client then selects the lowest-priority SRV record and sends that DC its authentication or application request.

SRV records play an important role in Active Directory: AD clients and domain controllers use SRV records to determine the IP addresses of domain controllers.

The choice of the DC to authenticate against is made by the DC Locator process, which provides the nearest DCs along with their SRV records; these allow the client to choose which DC is the privileged one to use.

Refer:
http://technet.microsoft.com/en-us/library/cc961830.aspx
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx

 
LVL 13

Expert Comment

by:Govvy
ID: 36719473
"Clients with No Apparent Site
Sometimes the client pings a domain controller and the client IP address cannot be found in the subnet-to-site mapping table. In this case, the domain controller returns a NULL site name, and the client uses the returned domain controller."

As above, it is a random DC: http://technet.microsoft.com/en-us/library/cc978016.aspx
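As an added illustration (not code from any of the posts) of the SRV-record selection the accepted answer describes and the randomness Govvy points out, here is a Python model of the DC Locator lookup order run over a constructed DNS zone for a hypothetical domain corp.example with DCs dc1, dc2 and dc3 in assumed sites HQ and DR. It models only the RFC 2782 priority/weight choice among the records a client queries; the real locator also LDAP-pings the candidates and keeps the first responder.

```python
import random
from collections import namedtuple
# Constructed records: DCs register priority 0 / weight 100 by default (LdapSrvPriority/LdapSrvWeight).
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Hypothetical domain corp.example: dc1 and dc2 in site HQ, dc3 in site DR (all assumptions).
SRV_ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 100, 389, "dc2.corp.example"),
        SrvRecord(0, 100, 389, "dc3.corp.example"),
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 100, 389, "dc2.corp.example"),
    ],
    "_ldap._tcp.DR._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc3.corp.example"),
    ],
}

def select_srv(records, rng=random):
    """RFC 2782: the lowest priority value wins; ties are broken by a weighted random draw."""
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    pick = rng.randint(0, sum(r.weight for r in pool))
    running = 0
    for r in pool:
        running += r.weight
        if running >= pick:
            return r
    return pool[-1]

def locate_dc(domain, site=None, rng=random):
    """DC Locator order: the client's site-specific records first, then the domain-wide set."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        if SRV_ZONE.get(name):
            return select_srv(SRV_ZONE[name], rng).target
    return None

def dc_distribution(domain, site=None, trials=1000, seed=1):
    """Which DC a client in `site` (None = subnet mapped to no site) gets over many lookups."""
    rng, counts = random.Random(seed), {}
    for _ in range(trials):
        dc = locate_dc(domain, site, rng)
        counts[dc] = counts.get(dc, 0) + 1
    return counts
```

A client whose subnet maps to a site only ever sees that site's DCs, while a client in no site draws from the whole domain-wide set with equal weights, which is the inconsistency the thread is describing.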
 

Author Comment

by:patriots
ID: 36719580
The nearest DC being whichever one is the closest via hop count, I assume, right?  What happens if there are two DCs with the same hop count, or the same "distance" from the client?

In our situation, there are two DNS servers being handed out to our clients:
Server A is on the LAN, and it is the primary DNS server
Server B is across a high speed WAN link at a DR site, and it is the secondary DNS server
All servers are global catalogs

I'm doing all of this research mainly because we have some Group Policies that seem to apply rapidly on one computer but not on another.  These computers live on subnets that are not defined in any site, and I'm theorizing that we are getting inconsistent GPO application performance because clients live on these subnets that are not defined in any site.  It seems like these clients could conceivably receive a policy setting from a DC that is not optimally located, thereby causing some "lag" time in applying policies properly.
 
LVL 13

Expert Comment

by:Govvy
ID: 36815008
You are correct regarding the inconsistency, as DC selection in this case would be random.