Solved

Client selection of a domain controller

Posted on 2011-09-28
5
708 Views
Last Modified: 2012-05-12
Hopefully simple question, but information on this specific scenario isn't easy to find based on technet and google searches, so here goes:

Let's say you have 2 sites defined in Active Directory, and each of these sites has a dozen or more subnets defined within them.  What mechanism is used for a client to locate a DC for authentication if it lives on a subnet NOT defined in these two sites?  I know that in theory it should be able to authenticate against any responding DC in the enterprise, but I can't remember what mechanism is used when the client is configured with an IP that is not defined in any site.

At one time, a long time ago, I seemed to remember something about determining the closest DC based on hop count.  Is this true?

I've found lots of info on how sites work in AD, but less on how the exception computers (not in any site) locate a DC and authenticate.
0
Comment
Question by:patriots
5 Comments
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 36719435
0
 
LVL 10

Accepted Solution

by:
abhijitwaikar earned 150 total points
ID: 36719472
how the exception computers (not in any site) locate a DC and authenticate.
It all depends on how do you assign the preferred, alternet DNS IP's to workstations.

Every DC publish SRV records in DNS, These SRV records describe the types of services that the DC provides. AD-enabled clients search for the appropriate DNS SRV records. The first time when workstation authenticates to its domain it issues the DNS query to DNS serveice it responds back with available DC with list of SRV records in domain then clients select lowest priority SRV record and request DC to authentication or applications.

SRV records perform important role in Active Directory, AD clients and domain controllers use SRV records to determine the IP addresses of domain controllers.

The choice of the DC to authenticate is made via DC Locator process which provides the nearest DCs and SRV records of DCs which allow to choose which is the privileged DC to choose.

Refer:
http://technet.microsoft.com/en-us/library/cc961830.aspx
http://technet.microsoft.com/en-us/library/cc816890(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc794710(WS.10).aspx



0
 
LVL 13

Expert Comment

by:Govvy
ID: 36719473
"Clients with No Apparent Site
Sometimes the client pings a domain controller and the client IP address cannot be found in the subnet-to-site mapping table. In this case, the domain controller returns a NULL site name, and the client uses the returned domain controller."

As above it is a random DC: http://technet.microsoft.com/en-us/library/cc978016.aspx
0
 

Author Comment

by:patriots
ID: 36719580
nearest DC being whichever one is the closest via hop count I assume right?  What happens if there are two DC's with the same hop count, or same "distance" from the client?

In our situation, there are two DNS servers being handed out to our clients:
Server A is on the LAN, and it is the primary DNS server
Server B is across a high speed WAN link at a DR site, and it is the secondard DNS server
All servers are global catalogs

I'm doing all of this research namely b/c we have some Group Policies that seem to apply rapidly on one computer but not on another.  These computers live on subnets that are not defined in any site, and I'm theorizing that we are getting inconsistent GPO application performance due to clients that live on these subnets not defined in any site.  It seems like these clients could conceivably receive a policy setting from a DC that is not optimally located, thereby causing some "lag" time in applying policies properly.
0
 
LVL 13

Expert Comment

by:Govvy
ID: 36815008
You are correct regarding the inconsistency as DC selection in this case would be random
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now